Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

SEO Spam Research

image
JULIEN SOBRIER
May 17, 2010 - 2 min read
Security Insights

Contents

  1. Article
  2. More blogs

Hacked sites may have their pages modified with invisible IFRAMES or malicious JavaScript, or new dynamic pages are created to redirect users to a fake anti-virus page or a scam. In some cases, new folders are created, and filled with hundreds or thousands of Search Engine Optimization (SEO) page spams. These pages are intended to score well with popular searches. They contains links to other domains, either malware sites or scams. This post from Sucuri Security reports that recently hacked websites contains a .files/ folder filled with such SEO spam.

With the help of Google, it easy to find a list of these hidden folders. Look for ""index of .files/" and one example of a file listed in the blog post, for example "2009 pro bowl.html": "index of .files/" 2009 pro bowl.html. Now you have access to hundred of pages set up by attackers. This is a very valuable source of information to understand how attackers are using SEO, and which domains names are involved in the attack.

All the pages have the same structure, but are actually quite different from the SEO spam pages I saw before:

  • each page targets a particular search (for example, 2010 Winter Olympics), as usual
  • the page alternates one paragraph of text, and one link (unusual, there are usually very few links)
  • each link text has nothing to do with the content of the page (unusual)
  • each link points to a different domain: fng-international.com, achaemprego.projects.heavyworks.ne, aceuplink.net, etc.

 

 

 
Image
SEO spam page


The links redirects to different types of sites: fake antivirus pages, fake search engines to scam advertising networks, etc. Some of the links do not redirect all users to malicious sites, but only those who come from a Google/Yahoo/Bing search.

The list of file names also shows which topics are targeted by the attacker: pretty much anything! Winter Olympics, the latest Google phones, celebrities, Apple news, how to write a sonnet (!), home sales, etc.

From these files, we gathered 27,453 unique URLs from 96 different domains. This will keep me busy for a while :-)

-- Julien

form submtited
Thank you for reading

Was this post useful?

vote yes
Yes, very!
vote no
Not really

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.

Explore more Zscaler blogs

A cyber criminal shopping for malware

Agniane Stealer: Dark Web’s Crypto Threat

Read post
Business people walking through a city

The Impact of the SEC’s New Cybersecurity Policies

Read post
Digital cloud illuminated in blue

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

Read post
TOITOIN Trojan

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

Read post

01 / 02

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.