How Black Hat SEO Abuses Search Engines

A behind-the-scenes look at how search engine optimization techniques are getting malware in front of your computer, and what your organization can do to help search engines such as Google and Bing police the Web.

Designing malware and exploits is only one end of the business for black hats. Getting that malicious content to users is another.

A key way for attackers to do that is through search engine optimization (SEO), which boosts the search engine rankings of compromised or malicious Web pages.

"Black hat SEO works by exploiting search indexing algorithms, and I think search engine providers work hard to try and tweak their processes to cut down on misleading search results, but it's a cat and mouse game," said Marc Fossi, manager of research and development for Symantec Security Response. "When search engine providers fine-tune their algorithms or make other changes to try and reduce black hat SEO effectiveness, the bad guys counter these adjustments by making minor adjustments of their own."

There are three main ways black hats go about search optimization: keyword stuffing, cloaking and link farming. Cloaking, Fossi explained, is where content is created specifically for search engine crawlers and is hidden from normal view.

Link farming is another common technique for SEO. Chris Larsen, senior malware researcher at Blue Coat Systems, took a look inside such an operation here. In a conversation with eWEEK, he described link farms as a network of interconnected pages with false content designed to look reputable to Google and other search engines to boost search rankings.

"One place the bad guys like to put link farms is on legitimate sites, and not all link farms are networks of thousands and thousands of bogus pages," he explained. "Our focus is on identifying and blocking the malware chains, which only begin at the link farms-[which are] so numerous and fluid that it's not so productive to go after them. There are dozens to hundreds of link farms in any single network, but only a handful of active malicious relay/destination servers-so they are higher value targets."

It has become very common for link farm pages to present a clean view to the search engine indexer with no malicious script, he added, which indicates search engines have gotten better at spotting such scripts.

To get links in front of users, attackers sometimes exploit Web pages such as blogs and news sites that accept user input.

"The person trying to get their misleading search result high in the rankings will simply paste their URL into these comment fields and anywhere else that allows for user input, and by so doing, search engines see that Web page as more important because so many other sites link to it," Fossi said.

When requests for a page are coming from a search engine such as Bing or Google, the user will be redirected to a malicious site. When users visit the pages without the help of a search engine, they will often not be served the malicious content.

"Rogue AV has been the most common attack that we've seen tied to Black hat SEO," noted Michael Sutton, vice president of security research at Zscaler. Other attacks, he said, include fake updates for software such as Adobe Flash Player that are actually malware.

"The creativity used by the attackers is impressive-sadly, the average end user is often fooled," Sutton said.

According to a spokesperson for Google, the company works to detect and flag sites that serve malware with warning labels in its search results.

"We are always working to identify and eliminate malware from our index with manual and automated processes," the spokesperson said.

For organizations, protecting against SEO requires a mix of URL filtering and content inspection, as well as malware detection technologies. In addition, Website administrators should make sure their sites aren't vulnerable to compromise by attackers looking for legitimate sites to host their scheme.

In a paper released (PDF) in March titled "Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware," researchers at Sophos found vulnerable versions of popular CMS applications are also a common link between many compromised sites.

"It is imperative that site administrators upgrade and patch such applications regularly," the researchers wrote. "The homogeneous nature of the content produced by these CMS systems makes it trivial for attackers to identify potential sites to compromise. ... Content scanning on the web server can also add significant protection against SEO attacks, providing detection for the scripts used in SEO kits and PHP backdoors. Such detections can give administrators an early heads up of a potential server compromise."

As time goes on, attackers will likely move more and more of their content to hacked sites, Larsen predicted.

"The search engines will be fighting this battle for the foreseeable future," he said.