How Black Hat SEO Abuses Search Engines

Designing malware and exploits is only one end of the business for black hats. Getting that malicious content to users is another.

A key way for attackers to do that is through search engine optimisation (SEO), which boosts the search engine rankings of compromised or malicious web pages.

“Black hat SEO works by exploiting search indexing algorithms, and I think search engine providers work hard to try and tweak their processes to cut down on misleading search results, but it’s a cat and mouse game,” said Marc Fossi, Manager of Research and Development for Symantec Security Response. “When search engine providers fine tune their algorithms or make other changes to try and reduce black hat SEO effectiveness, the bad guys counter these adjustments by making minor adjustments of their own.”

Search engine exploitation

There are three main ways black hats go about search optimisation – keyword stuffing, cloaking and link farming. Cloaking, Fossi explained, is where content is created specifically for search engine crawlers and is hidden from normal view.

Link farming is another common technique for SEO. Chris Larsen, senior malware researcher at Blue Coat Systems, took a look inside such an operation. In a conversation with eWEEK, he described link farms as a network of interconnected pages with false content designed to look reputable to Google and other search engines in order to boost search rankings.

“One place the bad guys like to put link farms is on legitimate sites, and not all link farms are networks of thousands and thousands of bogus pages,” he explained. “Our focus is on identifying and blocking the malware chains, which only begin at the link farms – [which are] so numerous and fluid that it’s not so productive to go after them. There are dozens to hundreds of link farms in any single network, but only a handful of active malicious relay/destination servers – so they are higher value targets.”

It has become very common for link farm pages to present a clean view to the search engine indexer with no malicious script, he added, which indicates search engines have gotten better at spotting such scripts.

To get links in front of users, attackers sometimes exploit web pages such as blogs and news sites that accept user input.

“The person trying to get their misleading search result high in the rankings will simply paste their URL into these comment fields and anywhere else that allows for user input and by so doing, search engines see that web page as more important because so many other sites link to it,” Fossi said.

End users fooled

When a request for a page arrives via a search engine such as Bing or Google, the user is redirected to a malicious site. Users who visit the page directly, without the help of a search engine, will often not be served the malicious content.
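A site owner can test for the referrer-dependent behaviour described above by requesting the same page as a direct visitor, as a search-referred visitor and as a crawler, then comparing the answers. The sketch below is an added example, not part of the original article; `check_cloaking`, the `fetch` callback, the header values and the two simulated sites are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Visitor profiles to compare; the header values are illustrative assumptions.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
PROFILES = {
    "direct": {"User-Agent": BROWSER},
    "from_search": {"User-Agent": BROWSER,
                    "Referer": "https://www.google.com/search?q=example"},
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
}
REDIRECTS = (301, 302, 303, 307, 308)

def check_cloaking(url, fetch):
    """Fetch url once per profile and report where the answers diverge.

    fetch(url, headers) must return (status, location_or_None, body) and
    must not follow redirects. Returns a list of (profile, finding).
    """
    seen = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    base_status, _, base_body = seen["direct"]
    host = urlparse(url).hostname
    findings = []
    for name in ("from_search", "crawler"):
        status, location, body = seen[name]
        if status in REDIRECTS and status != base_status:
            target = urlparse(location or "").hostname
            kind = "off-site redirect" if target and target != host else "redirect"
            findings.append((name, f"{kind} to {location}"))
        elif body != base_body:
            # Dynamic pages need normalising (strip timestamps, tokens) first.
            findings.append((name, "body differs from direct visit"))
    return findings

# Constructed stand-ins for a web server, so the check runs offline.
def clean_site(url, headers):
    return 200, None, "<html>Welcome</html>"

def cloaked_site(url, headers):
    if "google." in headers.get("Referer", ""):
        return 302, "http://relay.example.net/in", ""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, None, "<html>keyword keyword keyword</html>"
    return 200, None, "<html>Welcome</html>"

if __name__ == "__main__":
    for site in (clean_site, cloaked_site):
        print(site.__name__, check_cloaking("http://site.example/page", site))
```

Against a live site, `fetch` would wrap an HTTP client configured not to follow redirects, so that the 3xx status and its Location header stay visible to the check.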

“Rogue AV has been the most common attack that we’ve seen tied to Black hat SEO,” noted Michael Sutton, vice president of security research at Zscaler. Other attacks, he said, include fake updates for software such as Adobe Flash Player that are actually malware.

“The creativity used by the attackers is impressive – sadly, the average end user is often fooled,” Sutton said.

According to a spokesperson for Google, the company works to detect and flag sites that serve malware with warning labels in its search results.

“We are always working to identify and eliminate malware from our index with manual and automated processes,” the spokesperson said.

For organisations, protecting against black hat SEO requires a mix of URL filtering and content inspection, as well as malware detection technologies. In addition, website administrators should make sure their sites aren’t vulnerable to compromise by attackers looking for legitimate sites to host their scheme.

CMS systems targeted

In a paper (PDF) released in March entitled ‘Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware’, researchers at Sophos found vulnerable versions of popular CMS applications are also a common link between many of the compromised sites.

“It is imperative that site administrators upgrade and patch such applications regularly,” the researchers wrote. “The homogeneous nature of the content produced by these CMS systems makes it trivial for attackers to identify potential sites to compromise… Content scanning on the web server can also add significant protection against SEO attacks, providing detection for the scripts used in SEO kits and PHP backdoors. Such detections can give administrators an early heads up of a potential server compromise.”

As time goes on, attackers will likely move more and more of their content to hacked sites, Larsen predicted.

“The search engines will be fighting this battle for the foreseeable future,” he said.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
