I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts.Â Something caught my eye while investigating cases of search-result poisoning–a shift away from tactics used by the attackers earlier in the year.
Previously, attackers mostly registered free websites to pull off their attacks.Â They would create a bunch of new sites, cross-link them, and use other tricks to get their pages indexed and ranked high on relevant search result pages (again, largely targeting the most popular search terms of the day, such as those found on Google Trends.)Â I blogged earlier in the year about how the user forum on democrats.org was leveraged to link a high-ranking site with newly created malicious sites.
It seems now that attackers are combing various elements of different attacks to achieve blackhat SEO.
There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites.Â This is a bit different than in the past, as now security vulnerabilities are being exploited simply for the sake of search-engine manipulation.Â
Historically we’ve seen attackers upload malicious content to compromised sites, either directly by injected exploit code, or indirectly by injecting an iframe or script that brings in exploit code from a remote site.Â Â Such situations can lead to site users notifying the compromised site administrator that they were attacked while visiting that site.Â Redirecting victims to a completely different site can help conceal the poisoned site.
The attackers go a step further by implementing a well used trick, which is to redirect conditionally.Â It’s not enough for people to go to a compromised page; they must arrive there from a search-result page.Â In other words,Â usersÂ (or site admins) navigating toÂ http://compromised-site.com/attacker_created_page will not beÂ redirected to a payload site unless they are coming from a Google search-result page.Â
Some of the compromised sites are runningÂ older, vulnerable phpBB and Word Press applications.Â Others sites are serving attacker HTML pages, perhaps from compromised admin/user credentials or misconfigured web servers.
These events further blur the line between “trusted” sites and malicious content.Â This trend is likely to continue for years to come.