Search engine optimization (SEO) has traditionally been the domain of webmasters and Internet marketing specialists who understand the importance of high search engine ranking and how to influence a site’s ranking for various search criteria. Not long after sites such as Yahoo and Google became popular, people began looking for ways to manipulate site rankings in order to drive more traffic to their preferred destinations. Lately, hackers have begun using SEO poisoning techniques in an effort to spread malware and make money.
In order to understand how they do this, it is necessary to understand how search engines rank sites. This is primarily done on the basis of site popularity. If a web site is linked to by many other sites, it is assumed to be reputable and search engines give it a higher ranking. Similarly, if a popular site links to other web sites, those sites will be given a more favorable ranking in search results. The goal of hackers is to poison search results so that their (typically malicious) web sites rank high and draw more traffic, resulting in increased opportunities for compromising systems.
So how do hackers take advantage of search engines for their own purposes? Below are several techniques used for SEO poisoning:
1) Site compromise
Approximately 1 year ago, tens of thousands of web sites, including some very prominent ones, were compromised through the use of XSS to inject iframes into search queries on the sites. The iframes were then indexed by Google and others so that they ranked very high in certain poisoned search results. This type of SEO poisoning was possible due to improper input validation on the web sites’ search tools, resulting in a stored XSS vulnerability. Some of the sites affected included Wal-mart, Target and USA Today.
Another way hackers can take advantage of vulnerabilities in a web site to poison search results is through SQL injection attacks. If a hacker can find vulnerable web sites (easily achieved through advanced Google searching) and inject links into the targeted sites that point to a malicious web site, then the ranking of the malicious web site will be increased in search engine results. A recently discovered SEO poisoning attack involving NCAA March Madness search terms employed such a technique. Those who click on the malicious links are redirected to malicious web sites that attempt to install rogue AV malware.
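An added example (not from the original post): a defender-side audit that parses a rendered page and reports every iframe, link or script pointing to a host outside the site's own allowlist, which is the visible trace that both the injected iframes and the SQL-injected links described above leave behind. The `audit` function, the `.example` host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes a browser or crawler follow a URL, per tag.
URL_ATTRS = {"iframe": "src", "a": "href", "script": "src"}

class OffsiteRefAuditor(HTMLParser):
    """Collects iframe/anchor/script URLs whose host is not on the allowlist."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, absolute URL, host)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and scheme-relative (//host/path) URLs first.
        absolute = urljoin(self.page_url, value.strip())
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            return  # mailto:, javascript:, etc. are out of scope here
        host = (parts.hostname or "").lower()
        # Allowed: exact match or a true subdomain, so "evilshop.example"
        # does not pass as "shop.example".
        if not any(host == a or host.endswith("." + a) for a in self.allowed):
            self.findings.append((tag, absolute, host))

def audit(html, page_url, allowed_hosts):
    auditor = OffsiteRefAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    return auditor.findings

# Constructed sample of a poisoned search-results page (not real data).
SAMPLE = """
<h1>Results for "brackets"</h1>
<iframe src="//cdn.tracker.example/x.html" width="0" height="0"></iframe>
<a href="/products/42">Product</a>
<a href="https://www.shop.example/help">Help</a>
<a href="http://free-av.example/scan">bracket picks</a>
<script src="https://static.shop.example/app.js"></script>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "https://www.shop.example/search?q=brackets", ["shop.example"]):
        print(f)
```

Run against pages as a crawler would fetch them (including cached search-result URLs), since injected markup often appears only for specific query strings.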
2) Spam domains
Another way for hackers to increase their ranking in particular search results is by registering many domains specifically for the purpose of linking to their desired site. By creating a large number of sites linking to the target web site, they can increase its rank in search results and thus traffic to that site. Hackers will often register hundreds of these spam domains purely for the purpose of SEO poisoning.
3) Comment spamming blogs
As any blogger can attest, many of the comments placed on blogs are nothing more than spam with links to spam or malicious web sites in an effort to increase their search result rankings. Even my blog, which gets little traffic (unfortunately), gets a tremendous amount of spam comments. In fact, I have stopped allowing comments because I have grown weary of deleting them. I know there are tools to detect and block spam comments, but when 95% of the comments are spam designed for SEO poisoning, it doesn’t seem worth it. Usually these comments are generated by automated spambots, so at the very least bloggers should be sure to hold all comments for moderation.