Cyber-attackers have long employed the tactic of attempting to insert their nefarious URLs and related schemes into popular search engine results to lure potential targets, but security researchers contend that the model has evolved in new ways of late, making the technique even more powerful.
By combining strategies involving subverted Web sites, zero day exploits, and smarter methods for hiding their work, cutting-edge campaigns of this ilk are becoming even more complex and dangerous than their forbearers, according to researchers with McAfee’s Avert Labs.
In a recent blog post, Avert Labs researcher Craig Schmugar highlighted a new search engine “manipulation” approach that differs from previous iterations of the scam – one that gets away from the use of networks of free Web sites, which had been a primary element of many such attack campaigns, in favor of legitimate URLs that have been hacked.
While attackers have typically used groups of fake sites that they would register and then cross link, and then attempt to get indexed highly for any related search terms – specifically hot topics like breaking news stories – now scammers are using hacked pages and combining various elements of other different attacks to achieve even more effective “blackhat SEO,” Schmugar reported.
Because of the legitimate nature of the hacked sites they employ, it’s much easier to be “found” by search engines of course.
The big difference, somewhat predictably, is the use of legitimate sites that have somehow been compromised, and zero day vulnerabilities are leaving many of the involved sites readily available for use in the campaigns, the McAfee expert contends.
This is a trend that has played out with nearly all forms of online malware distribution, as hackers refine their ability to subvert existing Web pages, versus creating their own. But attackers are using the technique to drive much smarter SEO, the expert noted, as now they merely hack sites that already shows up for the search terms they’re targeting.
“There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites. This is a bit different than in the past, as now security vulnerabilities are being exploited simply for the sake of search-engine manipulation,” Schmugar said.
Historically attackers have also uploaded malicious content to compromised sites, either directly by injected exploit code, or indirectly by injecting an iframe or script that brings in exploit code from a remote site. After eventually being discovered by legitimate site users, the attacks are usually shut down as administrators are informed of what’s been happening on their pages and move to cleanse them.
In another emerging twist on the model, Schmugar notes that attackers have been responding to this challenge by instead directing victims to completely different sites to infect them. They’ve also made it such that only those users coming directly from search engines are sent to their infection farms to try to hide their efforts even further, because this tactic makes it even easier to keep scams hidden from legitimate site owners and established users, and to lure more victims, the expert maintains.
“The attackers go a step further by implementing a well used trick, which is to redirect conditionally,” he said. “It’s not enough for people to go to a compromised page; they must arrive there from a search-result page.”
Typically, many of the compromised sites are running older, vulnerable phpBB and WordPress applications, while another popular model incorporates sites that are serving attacker’s HTML pages, most likely from compromised administrative credentials or misconfigured Web servers, Schmugar contends.
“These events further blur the line between “trusted” sites and malicious content. This trend is likely to continue for years to come,” he said.
Blindly searching for information from unfamiliar Web sites would seem more of a dangerous proposition than ever, but clearly even known commodities are getting poisoned, and that’s making it even more dangerous for people to go about their business online.
It’s just another beautiful day on the Interwebs.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].