Sophos lifts lid on hackers' 'sick' search engine attacks

March 31, 2010 Sophos Press Release

The business of using blackhat Search Engine Optimisation (SEO) techniques to infiltrate legitimate sites has become a huge money-spinner for cybercriminals. Every day scores of new malicious campaigns are discovered taking advantage of the hottest news stories on the internet to spread malware; many of them profit from high profile deaths and disasters.

With this significant problem in mind, leading IT security and data protection firm Sophos has published a probing white paper analysing how attackers have created automated kits that use blackhat SEO methods - cynically exploiting tragic and salacious breaking news stories - to subvert legitimate websites for personal gain.

In the past the deaths of celebrities such as Michael Jackson, Boyzone's Stephen Gately and Natasha Richardson, and the marital problems of Sandra Bullock have all provided rich attractive content for hackers trying to take advantage of trending news stories.

[Image caption: Sandra Bullock Marriage Trouble]

Just this week, after two suicide bombs exploded on the Moscow Metro, resulting in 39 confirmed deaths, Sophos warned that this is exactly the kind of incident that will mobilise blackhat SEO and malware gangs.

"When terrible tragedies such as this take place we all rush to the web to find out more, and the cynical SEO hackers know this," commented Sophos' principal virus researcher Fraser Howard. "After the death of a Sea World animal trainer by a killer whale, sick hackers automatically used blackhat SEO techniques to stuff booby-trapped web pages with related content. This kind of profiteering is not just distasteful; it's also potentially dangerous to millions of innocent internet users."

The technical paper, by Sophos researchers Fraser Howard and Onur Komili, details how it has become routine for attackers to compromise web content in order to distribute malware, and how a site, once compromised, is often abused in several different ways at once.

Commonly Used Blackhat Tactics

Fake Anti-Virus: inundates users with fake security alerts in order to trick them into paying for a bogus security product, or installing further malicious code.

SEO page: pages stuffed with erroneous keywords, designed to feature highly in search engine results but which misdirect users to rogue sites. Sometimes called SEO poisoned pages.

Blackhat SEO kits: the application used to create and manage an SEO attack. Responsible for generating SEO pages for search engine crawlers which poison search results in order to redirect users to rogue sites. Often these kits will be automatically updated with information about the latest hot news stories by consulting resources such as Google Trends.

SEO poisoning: the process of tricking search engines into ranking an SEO page high up in the search results. Those results are regarded as "poisoned".

Search engine crawler: also called a web bot or spider; a computer program that browses the web in a structured fashion in order to index pages and collect data that can be readily searched.

At the centre of any blackhat SEO attack is the need to feed content to search engine crawlers (for them to add to their search results), while at the same time redirecting users who land on the webpage to a malicious site. Most blackhat SEO kits can tell the difference between a search engine visiting their site to crawl for content, a user visiting the site via a search engine link, and a curious party visiting the site directly.

Prevention and Protection

Whilst the use of blackhat SEO tactics is a growing problem, Sophos believes that IT and network managers can take a number of rudimentary steps to protect themselves.

As with many other web-based attacks, URL filtering and content inspection often provide the most effective protection against SEO attacks. Monitoring any currently active SEO attacks enables collection of the redirection URLs involved, which can then be appropriately blacklisted.
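The kit behaviour described above (serving crawlers content while bouncing search-engine visitors elsewhere) is also what makes an active attack visible in proxy logs, and the monitoring step recommended here can be automated around it. The following is an added example, not code from Sophos or the white paper: it classifies each logged request the way a kit would (crawler, visitor arriving from a search results page, or direct visitor), flags pages that redirect search-engine visitors to another host, and collects the redirect hosts for the URL filter. The log format, field names and hostnames are constructed for the example.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp")

# Constructed sample web-proxy log in JSON-lines form (hostnames are
# placeholders, not real indicators). One line per request/response.
SAMPLE_LOG = """\
{"url":"http://compromised.example/news/metro.php","referer":"","ua":"Mozilla/5.0 (compatible; Googlebot/2.1)","status":200,"location":""}
{"url":"http://compromised.example/news/metro.php","referer":"http://www.google.com/search?q=moscow+metro","ua":"Mozilla/5.0 (Windows NT 6.1) Firefox/3.6","status":302,"location":"http://rogue-av.example/scan.php?id=1"}
{"url":"http://compromised.example/news/metro.php","referer":"","ua":"Mozilla/5.0 (Windows NT 6.1) Firefox/3.6","status":404,"location":""}
{"url":"http://legit.example/old.html","referer":"http://www.bing.com/search?q=legit","ua":"Mozilla/5.0 (Windows NT 6.1) Firefox/3.6","status":301,"location":"http://legit.example/new.html"}
"""
REDIRECTS = (301, 302, 303, 307)

def visitor_class(entry):
    """Classify a request as an SEO kit would: crawler, search user, or direct."""
    if any(m in entry["ua"].lower() for m in CRAWLER_MARKERS):
        return "crawler"
    ref = urlparse(entry["referer"])
    if ref.netloc in SEARCH_ENGINES and "q" in parse_qs(ref.query):
        return "search_user"
    return "direct"

def find_seo_redirects(log_text):
    """Return {page_url: {"target": redirect_url, "cloaked": bool}} for pages that
    bounce search-engine visitors off-host; cloaked means other visitor classes
    got a non-redirect answer for the same page (content differs per visitor)."""
    by_url = defaultdict(dict)  # url -> {visitor_class: first entry seen}
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            by_url[e["url"]].setdefault(visitor_class(e), e)
    suspects = {}
    for url, classes in by_url.items():
        user = classes.get("search_user")
        if not user or user["status"] not in REDIRECTS:
            continue
        if urlparse(user["location"]).netloc == urlparse(url).netloc:
            continue  # same-host redirect: ordinary site housekeeping
        others = [classes[c] for c in ("crawler", "direct") if c in classes]
        cloaked = any(o["status"] not in REDIRECTS for o in others)
        suspects[url] = {"target": user["location"], "cloaked": cloaked}
    return suspects

def blocklist_hosts(suspects):
    """Redirect-target hosts to feed into URL filtering, as recommended above."""
    return sorted({urlparse(s["target"]).netloc for s in suspects.values()})
```

A same-host redirect from a search-engine referer is deliberately ignored, since legitimate sites move pages all the time; only off-host redirects of search-referred visitors are reported.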

Howard concludes: "Malware distribution through SEO may sound hard to block because of the apparent authenticity of the SEO web pages, but there are some effective measures that companies can take to protect themselves. By adding detection for the payload, as well as diligent monitoring and filtering of inbound content, network managers can thwart an attack before it reaches the user. Providing detection for all relevant components provides the most effective protection."