BlackHat SEO Poisons the Web
Search engine optimization (SEO) is a big money-earner for cybercriminals. They are getting better at it, refining their techniques via blending attacks to trick Internet users onto malware-ridden or personal ID-harvesting Websites.
SEO forms the basis of all Internet browsing and is an integral part of Internet marketing. It works on the concept that the higher up a search result appears on the page, the more likely a user is to click on the URL. The order in which results appear on a page is the product of complex algorithms, a technique that Google (Nasdaq: GOOG) has applied to good effect.
Over time, however, fraudsters have grown wise to mastering the way that SEO works, increasingly hijacking the techniques to make them work for their own purposes. A simple example of “BlackHat SEO” or SEO poisoning is where unsuspecting users can be sent to Websites selling fake anti-malware software that offers free health scans that compromise a user’s PC with malicious coding.
There are numerous ways BlackHat SEO can be used to direct large amounts of traffic to a Website and numerous more ways in which criminals can monetize that traffic. Bogus forms, surveys, and contests are means of collecting fees from sites that have pushed their ratings using BlackHat SEO, collecting valuable personal data on users. This user data is sold to other hackers and cyber criminals.
The latest of these BlackHat SEO threats is a blend of fake antivirus software and exploit kits such as Zeus, according to the Websense 2010 Threat Report. The fraudsters have become so good at SEO poisoning that by June 2010, 22.4 percent of the top 100 Google searches returned URLs poisoned with links to malware -- compared to 13.7 percent in the second half of 2009.
Cybercriminals using BlackHat SEO techniques are quick to react to the latest headlines and adjust their programs accordingly. Prime examples this year have been the Haiti disaster and the Soccer World Cup. If you searched on those topics, 1 in 5 of the results were poisoned.
An excellent article and study released this week details a BlackHat SEO campaign tracked over a period of several weeks. Author Steve Ragan shows how victims were led to malicious URLS by the changing tactics of the fraudsters who used keywords and topics around the midterm elections, adjusting them for Halloween, Veterans Day, and so on over time. Although Google does respond quickly by flagging the malicious search results, due to the increased use of automated techniques, cybercriminals need literally only “a few seconds,” Ragan reports, to achieve enough clicks from users for their purpose.
With pay-per-install (PPI) scams, the number of users clicking on URLs associated with high-profile events is so great that in just a few moments a fraudster can make thousands of dollars. Revenue comes in the form of registration fees for fake anti-virus, inline frame (iFrame) hacks resulting in drive-by exploits, spam, malicious programs, or BlackHat affiliate advertisement placement.
Of the better-known botnets and gangs currently focusing on this specialty is the KoobFace gang (FaceBook backwards), hell-bent on exploiting social networking, particularly on FaceBook. As Websense also points out, 40 percent of Facebook status updates have links, and 10 percent of those links are either spam or malicious. So with 4 percent of all links being poisoned and a target of 500 million users on Facebook alone, it doesn’t take much to work out that there are rich pickings to be had.
Unpublished estimates, which I have viewed, showed KoobFace and affiliates producing a yield of $160 million in gross PPI earnings for the last 12 months. Other social networks like Twitter and LinkedIn are increasingly becoming targets as well.
In an effort to combat this activity, more Internet security companies are looking closely at the “where” and “who” of Website hosts, domains, and IP space, rather than at the “what” of malware signatures.
BlackHat SEO is now big business for the bad guys and the security community alike. With the increasing focus on poisoning social networks, it is also a big problem to solve.