A long-term study of the infrastructure used to poison search engine results has found that fraudsters quickly adapt to countermeasures aimed at preventing the manipulation of search results and that fraudulent links dominate the results for certain search subjects, such as pharmaceuticals.
The four-year academic study, conducted by a team of three researchers from Carnegie Mellon University and Southern Methodist University, tracked the top Google results for 218 searches related to pharmaceuticals and another 600 searches related to other fraud-prone subjects, such as antivirus, pirated software and online gambling.
Search-redirection attacks climbed to account for nearly 60 percent of results for such queries in late 2012, the study found. And while the median time to clean the infected systems behind the attacks eventually shortened—to around 15 days—fraudsters compensated by compromising more systems, Nicolas Christin, assistant research professor in electrical and computer engineering at Carnegie Mellon University, told eWEEK.
“There was a bit of a cat-and-mouse game between the search engines and the miscreants, if you will,” he said. “Google creates defensive countermeasures and the people behind the black-hat search results adapt.”
While massive spam campaigns continue to be a problem, a great deal of fraud is linked to black-hat search-engine optimization (SEO), also known as search-engine poisoning. A common technique is to compromise legitimate Websites to create pages that link to other black-hat SEO sites, creating an interconnected Web of search topics that reinforce each other, raising the rank of fraudsters’ pages in search results.
Black market operations selling knock-off, or even fake, drugs, for example, can pay to have such techniques boost their sites’ rankings in search results.
The academic study, which tracked the results to the 618 search terms over 41 months, found that 39 percent of search results actively redirected users to a fraudulent site. Another 19 percent were not classified in the study, but evidence suggests that as much as one-third of those were illicit results. Only 8 percent of results led to legitimate health resources and a mere 0.2 percent led to licensed pharmacies.
While links that were actively redirected using black-hat SEO only accounted for 20 percent of search results in early 2011, that proportion climbed to nearly 60 percent by late 2012, before falling back to about 40 percent at the end of the study.
During the study, Google twice took countermeasures, both times with little impact on the fraud, according to the researchers. Starting in mid–2012, the release of browsers that defaulted to encrypted search requests using secure HTTP likely had more impact, leading to the decline in search redirection.
“The move to encrypted search meant that certain parameters were not available to the attackers,” Christin said. He stressed, however, that fraudsters may have improved their techniques, leading to the results being grouped with the 19 percent that were unclassified.
The study does suggest that the industry and government should focus their efforts to clean up the problems, not by individual actions, but by focusing on specific hosting providers and networks that are home to traffic brokers. Traffic brokers redirect the initial links found in poisoned search results to the destination site, such as an illegal online pharmacy.
“When people try to go after online pharmacies, they go after the sites themselves,” Christin said. “But that seems to be an approach that is not very fruitful, you take one down and it is very easy to create another one.”
By combining the removal of black-hat search results from the search database and a coordinated action against the traffic brokers, defenders could have a more long-lasting impact, the researchers concluded.