Security researchers scrutinise search engine poisonings

The scareware slinger's cookbook

The techniques used by unloveable rogues who automate search engine manipulation attacks themed around breaking news to sling scareware have been unpicked by new research from Sophos.

A research paper published on Wednesday by Sophos researchers Fraser Howard and Onur Komili lifts the lid on the search engine optimisation techniques used by hackers to hook surfers into their scams.

Attackers use automated kits to apply blackhat SEO methods – cynically exploiting tragic or salacious breaking news stories – to subvert searches in order to point surfers towards scareware download portals or other scams.

The deaths of celebrities such as Michael Jackson, the release of Google Wave and the marital strife of Sandra Bullock are among the topics which have been used as themes for these attacks in the past. Just about any high-profile breaking news story is fodder for the crooks, so it came as little surprise that the deaths of 39 people in the Moscow metro suicide bombings on Monday have also become themes for the latest run of black-hat SEO techniques.

Cybercrooks behind the scams don't simply sit watching Google Trends or trending topics on Twitter, however. The process is increasingly becoming automated.

Blackhat SEO kits are used to create and manage a search engine manipulation attack. These kits generate manipulated pages stuffed with erroneous keywords, designed to appear prominently in search engine results but which misdirect users to rogue sites.

SEO kits also create networks of thousands of cross-linked pages containing this search-friendly content on hot trending topics, hosted on compromised, legitimate websites. Often these kits will be automatically updated with information about the latest breaking news stories by consulting resources such as Google Trends.

These blackhat tactics are commonly used to point surfers searching for information about popular subjects towards scareware portals that inundate users with bogus security alerts in a bid to trick them into paying for a bogus security product, or installing further malicious code.

Search engine poisoning attacks rely on the need to feed content to search engine crawlers (for subsequent indexing), while at the same time redirecting users who land on the webpage to a malicious site. Most blackhat SEO kits can spot the difference between a search engine visiting their site to crawl for content, a surfer visiting the site via a search engine link, and a computer user visiting the site directly.

Often the redirection is only triggered when a surfer arrives at the site via a search engine, so a site admin who loads the page directly sees nothing amiss. The tactic is designed to keep the hackers' misuse of otherwise legitimate sites under the radar of site admins.
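As an added illustration that is not from the article or the Sophos paper, the check below is one a site administrator could run against a page on their own server to spot the crawler/search-referred/direct discrimination described above: fetch the page under three visitor profiles and compare what comes back. The profile headers, the 0.5 word-overlap threshold and the `analyze()`/`fetch_profiles()` names are assumptions made for this example.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

# Visitor profiles an admin can impersonate; header values are assumptions.
PROFILES = {
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "search": {"User-Agent": "Mozilla/5.0",
               "Referer": "https://www.google.com/search?q=breaking+news"},
    "direct": {"User-Agent": "Mozilla/5.0"},
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it,
    # so the redirect itself becomes visible to the check.
    def redirect_request(self, *args, **kwargs):
        return None

def fetch_profiles(url, timeout=10):
    """Fetch url once per profile; returns {profile: (status, headers, body)}."""
    opener = urllib.request.build_opener(_NoRedirect)
    out = {}
    for name, headers in PROFILES.items():
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=timeout) as resp:
                out[name] = (resp.status, dict(resp.headers),
                             resp.read().decode("utf-8", "replace"))
        except HTTPError as err:  # 3xx lands here because of _NoRedirect
            out[name] = (err.code, dict(err.headers), "")
    return out

def _header(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name), "")

def analyze(site_host, responses):
    """Return a list of cloaking indicators found across the three responses."""
    findings = []
    crawler, search, direct = (responses[k] for k in ("crawler", "search", "direct"))
    # Indicator 1: only search-referred visitors are bounced to another host.
    if 300 <= search[0] < 400 and not 300 <= direct[0] < 400:
        target = urlparse(_header(search[1], "location")).hostname or ""
        if target and target != site_host:
            findings.append(f"search-referred visitors redirected off-site to {target}")
    # Indicator 2: the crawler is fed a page that direct visitors never see.
    cw, dw = set(crawler[2].lower().split()), set(direct[2].lower().split())
    if cw and dw:
        overlap = len(cw & dw) / len(cw | dw)
        if overlap < 0.5:
            findings.append(f"crawler content differs from direct view (overlap {overlap:.2f})")
    return findings
```

For a live check, call `analyze(host, fetch_profiles(url))` against a page you administer; the sample data in the test is constructed.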

Sophos reckons URL filtering and content inspections offer effective protection for businesses against SEO attacks. "Malware distribution through SEO may sound hard to block because of the apparent authenticity of the SEO web pages but there are some effective measures that companies can take to protect themselves," Howard explains.

"By adding detection for the payload, as well as diligent monitoring and filtering of in-bound content, network managers can thwart an attack before it reaches the user. Providing detection for all relevant components provides the most effective protection."

The research paper, Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware, can be found here (pdf). ®
