Security Response

When Link Farmers Attack: Shotgun Seeding Poisons Your Searches

Created: 30 Nov 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:06 GMT
Vikram Thakur

A few days ago we posted a blog entry about how some pharmaceutical sites were using link farms and spamming in their marketing campaign. The hackers were injecting links into compromised sites, which raised the marketed sites in search engine results. We followed up with some of the owners and administrators of sites that were being used in this spam campaign and found most administrators cleaning up the infections and closing holes in their Web applications promptly.

Ironically, after we posted the previous article the spammers began to use text from our blog to redirect traffic to their sites. This shotgun seeding technique allows the link farmers to rapidly manipulate the metadata and skew search results. Here is a screenshot of what we got by searching for one specific line from our previous blog entry.


Note how searching on our blog text returns search results that take you to a pharmaceutical website. The people responsible for this search engine poisoning will pick up any text relevant to their marketing scheme and use it to transfer traffic to their sites. All the links above were referrals. The sites don't exist but simply perform a server-side redirect to a pharmaceutical site when a visitor tries to go to it.

So, even if you aren’t searching for the latest prescription drug, you could find yourself redirected to one of these pharmaceutical sites. You could be searching for Christmas gifts via a search engine, and suddenly find yourself on some offensive Web site. Worse, you could be redirected to sites hosting malicious programs looking for vulnerable computers to compromise and/or possibly become a part of a botnet.

While sifting through such compromised pages we found sites not only leading to pharmaceutical sites, but also to pornography and malicious programs.

Here is a screenshot of a University-hosted site which has a Wiki allowing unauthenticated posting of comments.


In one case the link led us to a site asking us to download an ActiveX component that, as expected, turned out to be a variant of Trojan.Zlob. We've informed the site owner as well.


Considering the amount of publicity this activity has gotten within the past week, our friends at Google and Microsoft have been working diligently to remove offending results from their cache. The cat and mouse game continues. In addition, Web site administrators need to ensure they’ve upgraded their Web applications to patch any security vulnerabilities. These types of attacks, combined with the malicious advertisements randomly popping up on popular sites, are not a good omen for the online shopper this holiday season.

Word of caution: Make sure your computer’s security suite is running with updated definitions. Keep computers updated with the latest patches, don't click on every link that shows up in your email, and don't give your personal information or financial information to anyone that you didn't initiate the transaction with.
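
For site administrators checking their own pages for the injected links described above, here is an added example (not code from the original post) that lists every link leaving the site and marks those sitting inside an element hidden by inline CSS. The hidden-style heuristic, the host names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the post): injected blocks are often hidden from visitors
# with inline styles like these. Heuristic only, not exhaustive.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class LinkAuditor(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []     # (tag, hidden?) per open element
        self.findings = []  # (external host, href, hidden?)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # An element is hidden if any ancestor is, or if its own style hides it.
        hidden = bool(self.stack and self.stack[-1][1]) or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            # Relative links have no host; subdomains of own_host count as internal.
            if host and host != self.own_host and not host.endswith("." + self.own_host):
                self.findings.append((host, attrs["href"], hidden))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, own_host):
    """Return (host, href, hidden) for every link leaving own_host."""
    parser = LinkAuditor(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<p>Notes: <a href="https://www.example.org/ref">reference</a></p>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example.net/a">cheap meds</a><br>
  <a href="http://pills.example.net/b">order online</a>
</div>
<p><a href="/about">About</a> <a href="http://wiki.campus.example/x">wiki</a></p>"""
```

Calling `audit(SAMPLE, "campus.example")` reports the visible reference link plus the two links inside the off-screen `div`; hidden findings, or a sudden cluster of links to one unfamiliar host, are the ones to review first.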