Security Response

Iframes, Please Make Way for SEO Poisoning

Created: 12 Nov 2009 19:48:52 GMT • Updated: 23 Jan 2014 18:31:22 GMT
Nishant Doshi

If a hacker managed to break into your blog or website, what could they possibly do? They could insert malicious iframes or JavaScript code into your Web pages, or even attempt to steal some data. But most likely they would "search engine optimize" your website. Can this be true? Let me explain.

Search engine optimization (SEO) is a collection of techniques used to achieve higher search rankings for a given website. "Black hat SEO" is the method of using unethical SEO techniques in order to obtain a higher search ranking. These techniques include things like keyword stuffing, cloaking, and link farming, which are used to "game" the search engine algorithms.

So what does a hacker gain from all this? Why would a hacker help you achieve a higher search engine ranking? Quite the contrary; he is helping himself.

What the hacker actually does is add numerous additional Web pages to your website. Let’s call each of these additional pages "fake" Web pages. Each fake page is based on a popular search topic and has content related to that topic. Most often the content is stolen from legitimate sites and feeds. The hacker also uses topic-related keywords in the URLs of these fake pages. Each of these fake Web pages is added without the website owner’s knowledge or consent. For example, if you own the site example.com, the hacker might add virtual pages such as:

•    example.com/?ohio-voting-results
•    example.com/?atlanta-mayoral-race-results
•    example.com/?dancing-with-the-stars
•    example.com/?nicole-narain

All of these fake pages would then redirect to content stolen from some reputable site related to the keyword.

[Screenshot: Screen shot 2009-11-12 at 7.32.40 PM.png]

Now, if a legitimate user were to search for one of these keywords, he or she would encounter a reference to this fake Web page in the search engine results. The keywords in the URL, the keywords in the title, and the relevant content would all cause some search engine algorithms to place this Web page high in the results. In other words, the fake Web page has "gamed" the search engine algorithm into believing that it has relevant content with respect to what is being searched for.

[Screenshot: Screen shot 2009-11-12 at 7.33.13 PM.png]

But what does the hacker gain from getting a legitimate user to visit this fake Web page? After all, the visitor would simply be reading relevant information on the topic that was searched for. Well, not really. The hacker alters the Web server's configuration so that it recognizes a user who reaches the fake page by following a link from a search engine result page, and redirects that user to a fake antivirus or misleading-application site. This is different from what the search engine spider sees, and the technique is known as cloaking.

[Screenshot: Screen shot 2009-11-12 at 7.33.57 PM.png]

Cloaking is a black hat SEO technique in which the content presented to the search engine spider is different from that presented to the user's browser. Search-engine crawlers spider through links in order to find and index Web pages. So when the search engine spider visits this page, it is presented with relevant information related to the search topic. In fact, most often the relevant keywords in the URL, title, and content give this fake Web page a higher ranking in the search engine results. However, when the user visits this fake page from the search engine result page, he or she will be redirected to a fake scan Web page.
 
There are many different ways to achieve cloaking. One popular method is to look at the User-Agent string in the HTTP request: search engine crawlers identify themselves with specific strings in that header, so the Web server can serve a different page to the crawler. The Referer header can be used to ascertain whether the user is coming from a search engine result page, and in that case redirect them to a fake scan website serving misleading applications. Both headers are supplied by the client, which is why the same trick can be turned around for verification: requesting the page with a crawler's User-Agent, or with a search engine Referer, will usually expose the content the cloaked server is hiding from ordinary visitors.
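As an added example (not code from the original post), the following Python script shows the triage check an incident responder would run on a site suspected of this: parse an Apache .htaccess and flag any RewriteRule whose preceding RewriteCond lines key on a crawler User-Agent or on a search engine Referer, noting whether the rule redirects off-site. The .htaccess content embedded in it is constructed for illustration; the indicator lists and the hostname fake-scan.invalid are assumptions.

```python
"""Triage helper: flag Apache rewrite rules that cloak by User-Agent or Referer.

Added example, not code from the original post. Scans .htaccess text for a
RewriteCond keyed on a crawler User-Agent or a search-engine Referer followed
by a RewriteRule that swaps in other content or redirects elsewhere.
"""
import re

# Assumed indicator lists; extend to taste.
CRAWLER_UA = re.compile(r"googlebot|bingbot|msnbot|slurp|yandex|baidu", re.I)
SEARCH_REFERER = re.compile(r"google|bing|yahoo|msn|ask\.|aol", re.I)
EXTERNAL_TARGET = re.compile(r"^https?://", re.I)


def find_cloaking_rules(htaccess_text):
    """Return one finding per suspicious RewriteRule.

    Apache applies the RewriteCond lines immediately preceding a RewriteRule to
    that rule only, so conditions are collected until a rule consumes them.
    """
    findings = []
    pending = []  # (line, variable, pattern) RewriteConds awaiting their rule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1], parts[2]))
            continue
        if directive != "rewriterule":
            continue
        conds, pending = pending, []
        if len(parts) < 3:
            continue
        target = parts[2]
        reasons = []
        for cond_line, var, pattern in conds:
            if "HTTP_USER_AGENT" in var.upper() and CRAWLER_UA.search(pattern):
                reasons.append(f"line {cond_line}: matches crawler User-Agent {pattern!r}")
            elif "HTTP_REFERER" in var.upper() and SEARCH_REFERER.search(pattern):
                reasons.append(f"line {cond_line}: matches search-engine Referer {pattern!r}")
        if reasons:
            findings.append({
                "line": lineno,
                "target": target,
                "external": bool(EXTERNAL_TARGET.match(target)),
                "reasons": reasons,
            })
    return findings


# Constructed sample .htaccess: a benign canonical-host redirect, then the two
# cloaking rules the post describes (crawler gets the keyword page, visitor
# arriving from a search result is bounced to a fake scan site).
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

# crawler sees the keyword-stuffed page
RewriteCond %{HTTP_USER_AGENT} (googlebot|msnbot|slurp) [NC]
RewriteRule ^ /wp-content/uploads/.cache/seo.php [L]

# visitor arriving from a search result is redirected off-site
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^ http://fake-scan.invalid/scan.php [R=302,L]
"""

if __name__ == "__main__":
    for f in find_cloaking_rules(SAMPLE_HTACCESS):
        kind = "EXTERNAL REDIRECT" if f["external"] else "local rewrite"
        print(f"RewriteRule at line {f['line']} -> {f['target']} ({kind})")
        for reason in f["reasons"]:
            print("   ", reason)
```

Run it against a real file with find_cloaking_rules(open(".htaccess").read()). The canonical-host redirect on line 3 of the sample is not reported, because its condition keys on HTTP_HOST; the two rules that depend on who is asking are.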

[Screenshot: Screen shot 2009-11-12 at 7.34.09 PM.png]

So how do these websites get picked up by search engine crawlers? There are several ways. One can manually submit a website to the search engines. Crawlers also spider through links, so a link on one website can get your website crawled and indexed. Additionally, many crawlers use sitemaps provided by website owners in order to find all the pages on a site. Search engine advertising programs can also be used to get indexed.

Search engines attribute importance to links to a website that exist on other websites. These links are called "backlinks" and indicate the popularity of a website. Backlinks will also get a website crawled and indexed as well as increase the page rank.

A "link farm" is a group of websites that link to other websites in that group. Apart from the other factors that contribute to a website gaining a good ranking, backlinks play a vital role, and a link farm provides a website with many backlinks. In fact, there are services such as Link Farm Evolution and SENuke available online that allow for the creation of thousands of backlinks for a website.

Recently we came across a link farm for a group of fake pages that were serving up misleading applications. The link farm allows these fake pages to be indexed and therefore increases their page rankings.  

[Screenshot: Screen shot 2009-11-12 at 7.34.49 PM.png]

Shown above is a snapshot of the link farm in question. You can see that each link is related to a recent real-world event, and each link ends with a keyword related to that event. All of these pages were created on legitimate websites that were hacked to serve these virtual pages.

Although a <ul style="display:none"> wrapper prevents these links from being visible to the user, they are still visible to search engines. In addition, a normal user may never see these links, even in the HTML source, because this code is only served if the request was made by a search engine crawler. Shown below is a screenshot of another similar campaign:
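As a second added example (again not the author's code), this Python script is the black-box counterpart of the configuration check: it covers both the User-Agent/Referer cloaking described earlier and the hidden <ul style="display:none"> link list served only to crawlers. It requests the same URL as a crawler, as a browser arriving from a search result, and as a browser with no Referer, then reports whether the search-referred request was redirected, whether the crawler received a different page, and whether hidden links appear only in the crawler's copy. cloaked_site is a constructed stand-in for a hacked server so the script runs offline; urllib_fetch performs the real requests. The sample markup, the hostnames ending in .invalid and the User-Agent strings in the profiles are assumptions.

```python
"""Black-box cloaking check: fetch one URL under three request profiles and diff.

Added example, not code from the original post. `urllib_fetch` performs real
requests without following redirects; `cloaked_site` is a constructed stand-in
for a hacked server so the check can run offline.
"""
import re
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
PROFILES = {  # assumed header sets for the three visitor types in the post
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_search": {"User-Agent": BROWSER_UA,
                    "Referer": "https://www.google.com/search?q=ohio+voting+results"},
    "direct": {"User-Agent": BROWSER_UA},
}
REDIRECTS = {301, 302, 303, 307, 308}
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags nested inside any element styled display:none."""

    def __init__(self):
        super().__init__()
        self.hidden_links = []
        self._stack = []   # (tag, is_hidden) for open elements
        self._depth = 0    # number of open hidden ancestors

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # void elements never get an end tag
        a = dict(attrs)
        hidden = bool(re.search(r"display\s*:\s*none", a.get("style") or "", re.I))
        self._stack.append((tag, hidden))
        self._depth += hidden
        if tag == "a" and self._depth and a.get("href"):
            self.hidden_links.append(a["href"])

    def handle_endtag(self, tag):
        while self._stack:
            t, hidden = self._stack.pop()
            self._depth -= hidden
            if t == tag:
                break


def urllib_fetch(url, headers):
    """Return (status, Location header, body) for a real request, without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn redirects into HTTPError so the Location header is visible
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=15) as r:
            return r.status, r.headers.get("Location"), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


def cloaked_site(url, headers):
    """Constructed fake server: crawler gets the keyword page plus a hidden link farm,
    a search-referred visitor is bounced to a fake scan site, everyone else sees the blog."""
    if re.search(r"googlebot|bingbot|slurp", headers.get("User-Agent", ""), re.I):
        return 200, None, (
            "<html><head><title>Ohio voting results</title></head><body>"
            "<p>Ohio voting results, copied from a news feed.</p>"
            '<ul style="display:none"><li><a href="http://victim-a.invalid/?dancing-with-the-stars">1</a></li>'
            '<li><a href="http://victim-b.invalid/?atlanta-mayoral-race-results">2</a></li></ul>'
            "</body></html>")
    if re.search(r"(google|bing|yahoo)\.", headers.get("Referer", ""), re.I):
        return 302, "http://fake-scan.invalid/scan.php", ""
    return 200, None, "<html><head><title>My blog</title></head><body><p>Welcome.</p></body></html>"


def check_cloaking(url, fetch=urllib_fetch):
    """Fetch `url` under each profile and report the cloaking indicators."""
    views = {}
    for name, headers in PROFILES.items():
        status, location, body = fetch(url, headers)
        finder = HiddenLinkFinder()
        finder.feed(body)
        title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        views[name] = {"status": status, "location": location,
                       "title": title.group(1).strip() if title else "",
                       "hidden_links": finder.hidden_links}
    crawler, search, direct = views["crawler"], views["from_search"], views["direct"]
    return {
        "views": views,
        "referer_redirect": search["status"] in REDIRECTS and direct["status"] not in REDIRECTS,
        "crawler_sees_different_page": crawler["title"] != direct["title"],
        "hidden_links_for_crawler_only": bool(crawler["hidden_links"]) and not direct["hidden_links"],
    }


if __name__ == "__main__":
    # With a URL argument the real fetcher is used; without one, the offline stand-in.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/?ohio-voting-results"
    report = check_cloaking(target, urllib_fetch if len(sys.argv) > 1 else cloaked_site)
    for key in ("referer_redirect", "crawler_sees_different_page", "hidden_links_for_crawler_only"):
        print(f"{key}: {report[key]}")
    for name, v in report["views"].items():
        print(f"  {name}: status={v['status']} location={v['location']} hidden_links={len(v['hidden_links'])}")
```

Redirects are deliberately not followed so that the Location header of the search-referred request, which is the address of the fake scan site, is captured rather than its landing page. A server that verifies crawlers by reverse DNS rather than by User-Agent will not reveal its crawler view this way, but the hacked sites in this campaign relied on headers alone.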

[Screenshot: Screen shot 2009-11-12 at 7.35.06 PM.png]

So, you have now read how black hat SEO techniques are effectively employed to redirect victims to fake antivirus websites from search engine results. The following diagram gives a good visual summary of the typical actions that occur:

[Screenshot: Screen shot 2009-11-12 at 7.35.24 PM.png]

 
1.    The hacker hacks a site to serve legitimate content to a search spider and malicious content to users.
2.    The hacker creates a link farm to the hacked site to be picked up by a search spider.
3.    A search spider crawls the link farm.
4.    The hacked site appears in the search results.
5.    A user clicks on the search result link leading to the hacked site, which redirects to the malicious page.

--------------------------------

For more information on SEO poisoning and misleading (rogue) applications, please see the Symantec Report on Rogue Security Software.