Lead Story
 
SEO Attacks Now a Regular Part of the Web Landscape
Search Engine Optimization (SEO) is a commonly accepted marketing tactic employed by many organizations … and attackers. The purpose of SEO is to ensure that your web site is included within the top search results for particular phrases on popular search engines such as Google, Yahoo! and Bing. There are numerous legitimate ways to do this and search engines permit such activity so long as it does not violate their guidelines. Attackers also leverage SEO, but they have one significant advantage - they don’t have to follow the rules.
World Cup 2010 Attack
Let’s begin by looking at an example of an SEO attack. These attacks always target popular search terms in order to attract the highest possible volume of search engine traffic. What topics are hot at any given time? Look no further than tools such as Google Trends [1], which identifies the top search terms over the past 24 hours. A hot topic in June is, not surprisingly, the FIFA World Cup, which began on June 11. Being the most widely viewed sporting event in the world, it’s a certainty that attackers are going to take advantage of the event to target end users. When searching for “world cup 2010” you may stumble across this result from Google:
Figure 1 - SEO Poisoned WordPress site (maureencain.com)
 
If you were to directly access the URL in question you would encounter a relatively normal looking WordPress powered sports blog. The hosting platform is likely at the heart of this particular attack, as WordPress has battled a host of content injection vulnerabilities over the years [2]. If, however, you were to click on the Google search result itself, you would be taken to a page with the following image, suggesting that a video is to be shown but that you will first need to install a new ActiveX control.
Figure 2 - Fake ActiveX Error
At the same time, the user is prompted to install a file entitled ‘packupdate19102_287.exe’, which is actually a Trojan. As is typical with such attacks, the malicious executable is frequently altered to ensure that it evades detection by antivirus (AV) engines. In this case, the executable was detected by only 13 of 41 AV engines. This attack also implements a technique that we’re seeing more frequently: the redirect only occurs the first time. If you attempt to revisit the same link, you will be redirected to Google.com on all subsequent attempts. This is likely an effort to extend the life of the attack by not making the attack obvious, and to hinder investigation of the page should the user become suspicious.
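The referer-dependent, one-shot redirect described above is detectable by differential fetching: request the page directly, then twice as a search-result click, and compare where each request lands. The following is an added example, not Zscaler’s code; it runs offline against a constructed stand-in site that mimics the behaviour (the `blog.example` and `lure.example` hosts and the `SEARCH_REFERER` value are assumptions, not data from the incident).

```python
import hashlib
import re
from typing import Callable, Dict, Tuple

# A fetcher takes (url, referer) and returns (final_url_after_redirects, body).
Fetcher = Callable[[str, str], Tuple[str, str]]

SEARCH_REFERER = "http://www.google.com/search?q=world+cup+2010"  # constructed value

def content_fingerprint(body: str) -> str:
    """Hash the body after collapsing whitespace so trivial differences do not count."""
    return hashlib.sha256(re.sub(r"\s+", " ", body).encode()).hexdigest()

def probe_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch a URL directly, then twice as a search-result click, and compare the outcomes."""
    direct_url, direct_body = fetch(url, "")
    first_url, first_body = fetch(url, SEARCH_REFERER)
    second_url, _ = fetch(url, SEARCH_REFERER)
    return {
        # Search-engine visitors end up somewhere (or see something) different from direct visitors.
        "referer_cloaking": (direct_url != first_url
                             or content_fingerprint(direct_body) != content_fingerprint(first_body)),
        # The first click lands somewhere other than every later click.
        "one_shot_redirect": first_url != second_url,
        "landing": (direct_url, first_url, second_url),
    }

BLOG_HTML = "<html><h1>Sports blog</h1><p>World Cup 2010 fixtures and news</p></html>"
LURE_HTML = "<html><p>Video playback requires a new ActiveX control.</p></html>"

class SimulatedPoisonedSite:
    """Constructed stand-in for the behaviour described above; no network access."""
    def __init__(self) -> None:
        self.search_clicks = 0

    def fetch(self, url: str, referer: str) -> Tuple[str, str]:
        if "google.com/search" not in referer:
            return url, BLOG_HTML                                  # direct visitors see the real blog
        self.search_clicks += 1
        if self.search_clicks == 1:
            return "http://lure.example/video.php", LURE_HTML      # first click: the lure page
        return "http://www.google.com/", "<html>search home</html>"  # later clicks: bounced to Google

def honest_fetch(url: str, referer: str) -> Tuple[str, str]:
    """Constructed control case: a site that serves everyone the same page."""
    return url, BLOG_HTML
```

Against a live site the same probe would be run from a fresh source address each time, since the "first visit" is tracked on the attacker’s side.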
Poisoning Web Pages
Search engines use proprietary algorithms to rank search results. This is accomplished by inspecting both the content of the page and the links to the page. Google defines content inspection as Hypertext-Matching Analysis, which goes beyond simply parsing page content to also consider context. Attackers abuse Hypertext-Matching Analysis by conducting ‘keyword stuffing’, a process of injecting various words and phrases throughout the page in different contexts. While this could ultimately harm a page’s ranking if the practice is detected, an attacker, unlike a corporation, has a very short term focus on SEO, and longer term consequences are therefore of minimal concern. Additionally, Google considers the importance of links to pages via its PageRank technology. PageRank treats links like votes: if many pages link to a specific page, it must be popular. Once again, attackers abuse the algorithm. Being in control of thousands of other sites, thanks to past attacks, they can quickly publish thousands of links and very quickly boost the search result rankings for a targeted page.
Malicious Content
While SEO ensures increased traffic to a web page, malicious content must then be planted to attack the victim. While we do run across sites hosting exploit code targeting known or 0day web browser vulnerabilities, the vast majority of attacks employ social engineering tactics. The goal is to convince users to download and install a malicious executable. Some use a fake ActiveX control message such as the one we noted in the World Cup example. More often though, we see the following social engineering attacks:
  • Adobe Flash Upgrade
    • A web-based video fails to play and an error message encourages the user to upgrade their version of Adobe Flash by downloading and installing a software upgrade.
  • Codec Installation
    • A web-based video fails to play and an error message encourages the user to install a new codec (required to decode a video stream).
  • Fake Antivirus
    • Warnings inform the user that malware has been detected and request that the user install either an antivirus program or an antivirus update.
  • Windows Error Message
    • A web page simulates a Windows desktop displaying warning messages in a typical Windows format, indicating that a problem with the system needs to be corrected.
Figure 3 - Web Page Displaying Fake Windows Error Message
Regardless of the attack scenario, the goal is the same: convince the user to download and install malicious software. Traditional anti-virus software is largely ineffective in preventing these attacks, because the downloaded binaries frequently change. Preventing such attacks requires that not only the binaries be inspected but that the web content used in the social engineering aspects of the attack also be inspected, in order to identify and block the web pages before a user ever has a chance to download the binary files.
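One way to inspect the web content itself, rather than the binary, is to look for the lure messages listed above paired with a reference to an executable. This is an added example, not Zscaler’s detection logic; the two sample pages are constructed, and the `lure.example` host is a placeholder (only the filename packupdate19102_287.exe comes from the incident described above).

```python
import re
from typing import Dict, List

# Phrases used by the lure pages described above, matched against the page's visible text.
LURE_PHRASES = {
    "activex": r"install(?:ing)?\s+(?:a\s+new\s+)?activex",
    "flash_upgrade": r"(?:upgrade|update)\s+(?:your\s+)?(?:version\s+of\s+)?(?:adobe\s+)?flash",
    "codec": r"(?:install|download)\s+(?:a\s+new\s+)?codec",
    "fake_av": r"(?:malware|virus(?:es)?|infections?)\s+(?:has|have|was|were)\s+(?:been\s+)?detected",
    "windows_error": r"(?:system|windows)\s+(?:error|warning)",
}
# Links, embeds or meta-refresh targets that point at a Windows executable.
BINARY_REF = re.compile(r"""(?:href|src|url)\s*=\s*["']?([^"'\s>]+\.(?:exe|scr|msi)\b)""", re.I)

def visible_text(html: str) -> str:
    """Drop tags and collapse whitespace so phrase matching sees roughly what the user sees."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).lower()

def inspect_page(html: str) -> Dict[str, object]:
    """Flag a page when a lure message is paired with an executable to download."""
    text = visible_text(html)
    lure_types: List[str] = [name for name, pat in LURE_PHRASES.items() if re.search(pat, text)]
    binaries: List[str] = BINARY_REF.findall(html)
    return {
        "lure_types": lure_types,
        "binaries": binaries,
        # A lure message alone is weak evidence (news articles mention updates too);
        # a lure message plus an .exe to fetch is the pattern worth blocking.
        "block": bool(lure_types) and bool(binaries),
    }

# Constructed sample pages (not captured from the incident described above).
LURE_PAGE = """<html><body>
<img src="/video_error.png">
<p>The video cannot be displayed. You will first need to <b>install a new ActiveX</b> control.</p>
<meta http-equiv="refresh" content="0;url=http://lure.example/packupdate19102_287.exe">
</body></html>"""
NEWS_PAGE = """<html><body>
<p>Adobe advises users to update your Flash Player through the official updater.</p>
<a href="/articles/flash-advisory.html">Read more</a>
</body></html>"""
```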
 
Attackers have become extremely efficient in delivering SEO attacks. They have developed tools to automate the process of identifying popular search terms, deploying SEO optimized content and hosting malicious content. Whenever breaking news occurs, you can rest assured that attackers have already taken advantage of the situation to stage an attack. Unfortunately, search engines are failing to identify and remove such content from their indexes. As a result, search engine results, which users rely on every day, are being used by attackers to target end users.
 
[1] http://www.google.com/trends
[2] http://secunia.com/advisories/search/?search=wordpress
 
Copyright © 2009-2010 Zscaler