By: Julien Sobrier

Blackhat Spam SEO Trends In 2011


My last post on Blackhat SEO spam trends was published in December 2010. Things have changed quite a bit in 2011.

Cleaner results in popular searches

The main target of search engine poisoning used to be the popular searches found in the Google Hot Trends list. In several instances, the first ten pages of results for a popular search contained up to 90% malicious links. Currently, there are typically only one to three malicious results in total in the first ten pages.

Still, in July 2011, we identified 60 popular searches which contained at least one malicious spam link. They led to 35 different fake AV domains and three other domains serving different types of malware.

Better protection

One of the big changes in 2011 is that the various players appear to be acting much more quickly to stop hijacked sites from infecting users. Google has cleaner results, and hosting companies are, in general, much faster at taking down malicious domains. Antivirus vendors also seem to have better protection against fake AV pages (the fact that these pages change very slowly must help).

Webmasters seem to clean up their sites much faster as well. I believe that this is at least in part driven by better education as the threat of hijacked sites is now better known. Google has also helped to make webmasters aware of issues in their websites with warnings in Google Webmaster Tools, new warnings to users in search results and even direct e-mails to the owners of hijacked sites.

As a result, the number of spam pages redirecting to malicious sites that are either down or have been cleaned up has increased significantly.

New targets

While the most popular searches are cleaner, a broader range of Google searches are now being poisoned. We recently demonstrated how Google News was redirecting users to malicious Java applets and Google Image search was poisoned for 6 months as well.

Searches for buying software online remain 90% malicious, redirecting users to fake stores. There has been no significant improvement on that front, with 60 different fake store domains observed in July 2011. This is a problem that pretty much all search engines are facing.

In total, I've found over 1,000 spam search results leading to 150 different domains, most of which were malicious. This is a conservative number, as I did not include malicious sites that were down (but were likely infecting users in the past) or malicious domains that prevented me from accessing their content.

[Chart: Distribution of malicious domains per category]

Fake AV is still there

As you can see in the chart above, Fake AV sites are still present. They continue to look similar, both visually and in their source code. I've spotted 35 different Fake AV domains in July 2011. The usual suspects were there: 10 co.cc sites (xyfybir.co.cc, wydrjim.co.cc, ttvzxiw.co.cc, etc.), 6 co.be (vrtwyqz.co.be, urtty.co.be, etc.), etc.

[Screenshot: Fake AV page seen on 08/22/2011]

Google has definitely made progress cleaning up its search results, and hosting companies have been doing their part as well. It has been some time since I have seen a mass Google Web search poisoning like the millions of "Hot Video" pages that we observed last year. The only exception is searches related to malicious online software stores.

I hope Google and the other search engine vendors will continue to combat this threat.

-- Julien
