A behind-the-scenes look at how search engine optimization techniques are getting malware in front of your computer, and what your organization can do to help search engines such as Google and Bing police the Web.
Designing malware and exploits is only one end of the business for black
hats. Getting that malicious content to users is another.
A key way for attackers to do that is through search engine optimization
(SEO), which boosts the search engine rankings of compromised or malicious Web
pages.
"
Black
hat SEO works by exploiting search indexing algorithms, and I think search
engine providers work hard to try and tweak their processes to cut down on
misleading search results, but it's a cat and mouse game," said Marc
Fossi, manager of research and development for Symantec Security Response. "When
search engine providers fine-tune their algorithms or make other changes to try
and reduce black hat SEO effectiveness, the bad guys counter these adjustments
by making minor adjustments of their own."
There are three main ways black hats go about search optimization: keyword stuffing (padding a page with the search terms being targeted), cloaking and link farming. Cloaking, Fossi explained, is where content is created specifically for search engine crawlers and is hidden from normal view.
Link farming is another common technique for SEO. Chris Larsen, senior malware researcher at Blue Coat Systems, took a look inside such an operation. In a conversation with eWEEK, he described link farms as a network of interconnected pages with false content designed to look reputable to Google and other search engines to boost search rankings.
"One place the bad guys like to put link farms is on legitimate sites,
and not all link farms are networks of thousands and thousands of bogus pages,"
he explained. "Our focus is on identifying and blocking the malware
chains, which only begin at the link farms-[which are] so numerous and fluid
that it's not so productive to go after them. There are dozens to hundreds of
link farms in any single network, but only a handful of active malicious
relay/destination servers-so they are higher value targets."
It has become very common for link farm pages to present a clean view to the
search engine indexer with no malicious script, he added, which indicates
search engines have gotten better at spotting such scripts.
To get links in front of users, attackers sometimes exploit Web pages such
as blogs and news sites that accept user input.
"The person trying to get their misleading search result high in the
rankings will simply paste their URL into these comment fields and anywhere
else that allows for user input, and by so doing, search engines see that Web
page as more important because so many other sites link to it," Fossi
said.
The redirect is typically gated on the HTTP Referer header. When a request for the page arrives with a search-engine referrer, meaning the visitor clicked through from a Bing or Google result, the user is redirected to a malicious site. Users who reach the same page directly, without a search-engine referrer, are often not served the malicious content at all, which also makes the behavior hard to reproduce for a site owner who simply browses to the page.
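Because the malicious behavior only shows up for certain visitors, checking a site means requesting the same URL under several request profiles and comparing the answers. The following is an added example written for this page (it is not code from the article or from any of the vendors quoted): it probes one URL as a direct visitor, as a click-through from Google and from Bing, and as Googlebot, and flags every profile whose response differs from the direct baseline. The fetch is an injected callable so the demo runs offline; `cloaked_site`, `honest_site` and the hosts acme-bakery.example and rogue-av.example are constructed stand-ins, not real sites.

```python
"""Differential probe for search-referrer cloaking (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str]  # Location header, present on redirects
    body: str


# A fetcher takes (url, request headers) and returns a Response. A real one
# would wrap urllib with redirects disabled; the demo supplies an offline stand-in.
Fetcher = Callable[[str, Dict[str, str]], Response]

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Request profiles that an honest page answers identically.
PROFILES: Dict[str, Dict[str, str]] = {
    "direct": {"User-Agent": BROWSER_UA},
    "from_google": {"User-Agent": BROWSER_UA,
                    "Referer": "https://www.google.com/search?q=free+antivirus+download"},
    "from_bing": {"User-Agent": BROWSER_UA,
                  "Referer": "https://www.bing.com/search?q=free+antivirus+download"},
    "googlebot": {"User-Agent": GOOGLEBOT_UA},
}


def fingerprint(resp: Response) -> str:
    """Reduce a response to a string that is stable across honest requests."""
    if 300 <= resp.status < 400 and resp.location:
        # Redirects are compared by target host, which is what a relay changes.
        return f"redirect:{urlparse(resp.location).netloc.lower()}"
    # Drop scripts and markup, collapse to words, so rotating ads or timestamps
    # in a legitimate page do not register as cloaking.
    text = re.sub(r"<script.*?</script>", "", resp.body, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    words = re.findall(r"\w+", text.lower())
    return f"{resp.status}:{len(words)}:{' '.join(words[:12])}"


def probe_cloaking(url: str, fetch: Fetcher) -> Dict[str, str]:
    """Return {profile: fingerprint} for each profile whose answer differs from
    the direct-visit baseline. An empty dict means no cloaking was observed."""
    baseline = fingerprint(fetch(url, PROFILES["direct"]))
    diffs: Dict[str, str] = {}
    for name, headers in PROFILES.items():
        fp = fingerprint(fetch(url, headers))
        if fp != baseline:
            diffs[name] = fp
    return diffs


# --- Constructed stand-ins (not real sites) ----------------------------------
CLEAN_PAGE = "<html><body><h1>Acme Bakery</h1><p>Fresh bread daily.</p></body></html>"
STUFFED_PAGE = ("<html><body><h1>Acme Bakery</h1>"
                + "<p>free antivirus download free antivirus download</p>" * 20
                + "</body></html>")


def cloaked_site(url: str, headers: Dict[str, str]) -> Response:
    """Mimics the behavior the article describes: search-engine click-throughs
    are bounced to a rogue-AV host, the crawler gets keyword-stuffed copy, and a
    direct visitor sees the legitimate page."""
    ref = headers.get("Referer", "").lower()
    ua = headers.get("User-Agent", "").lower()
    if re.search(r"https?://(www\.)?(google|bing)\.", ref):
        return Response(302, "http://rogue-av.example/scan.php", "")
    if "googlebot" in ua or "bingbot" in ua:
        return Response(200, None, STUFFED_PAGE)
    return Response(200, None, CLEAN_PAGE)


def honest_site(url: str, headers: Dict[str, str]) -> Response:
    return Response(200, None, CLEAN_PAGE)


if __name__ == "__main__":
    print(probe_cloaking("http://acme-bakery.example/", cloaked_site))
    print(probe_cloaking("http://acme-bakery.example/", honest_site))
```

Against a live site, pass a fetcher that issues the request with redirects disabled, so the Location header is recorded instead of followed; following it would fetch the relay and lose the evidence of where the page sent the visitor.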
"
Rogue
AV has been the most common attack that we've seen tied to Black hat SEO,"
noted Michael Sutton, vice president of security research at Zscaler. Other
attacks, he said, include fake updates for software such as Adobe Flash Player
that are actually malware.
"The creativity used by the attackers is impressive-sadly, the average
end user is often fooled," Sutton said.
According to a spokesperson for Google, the company works to detect and flag
sites that serve malware with warning labels in its search results.
"We are always working to identify and eliminate malware from our index
with manual and automated processes," the spokesperson said.
For organizations, protecting against black hat SEO (search engine poisoning) requires a mix of URL filtering and content inspection, as well as malware detection technologies. In addition, Website administrators should make sure their own sites aren't vulnerable to compromise, since attackers look for legitimate sites to host link farms and redirect scripts.
In a paper released (PDF) in March titled "Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware," researchers at Sophos found vulnerable versions of popular CMS applications are also a common link between many compromised sites.
"It is imperative that site administrators upgrade and patch such
applications regularly," the researchers wrote. "The homogeneous
nature of the content produced by these CMS
systems makes it trivial for attackers to identify potential sites to
compromise. ... Content scanning on the web server can also add significant
protection against SEO attacks, providing detection for the scripts used in SEO
kits and PHP backdoors. Such detections can give administrators an early heads
up of a potential server compromise."
As time goes on, attackers will likely move more and more of their content
to hacked sites, Larsen predicted.
"The search engines will be fighting this battle for the foreseeable
future," he said.