SECURITY RESEARCHERS from GFI Software have identified a black hat search engine optimization (BHSEO) attack that uses on-the-fly rogue content generation techniques to poison search results for 9/11-related terms.
As a result of Google's efforts to detect and block such attacks more quickly during the past six months, BHSEO campaigns have moved away from Google web search to Google Images and other search services.
Nevertheless, this attack managed to push malicious links to the top of search results for terms like "wtc attack video" or "attack world trade center," mainly because of the techniques it used.
"The content for SEO poisoning can be generated 'on-the-fly'. To explain further, the owner of this SEO poisoning system can utilize their network of hacked domains to quickly generate any content desired," the GFI experts said.
"By simply passing a search criteria to the url 'shangpalace(dot)com(dot)vn/', the 'SEO pack' generates relevant content based on the search term," they explained.
BHSEO attacks leverage the search ranking of legitimate web sites. Hackers generate rogue pages on hacked domains and fill them with content matching the search topics they wish to target.
These pages are then indexed by Google and more compromised web sites are forced to link to them in order to artificially increase their search standing. The goal is to push them as high as possible in search results, preferably on the first page.
When real users click on the rogue links they get redirected to third-party landing pages that contain malicious code. In this particular attack, the landing page hosted a Blackhole Exploit Kit installation.
This drive-by download toolkit targets vulnerabilities in outdated browser plug-ins like Java, Adobe Reader or Flash Player. If the exploit is successful, a trojan is downloaded and installed on the victim's computer.
While users can protect themselves from exploits by keeping their applications and operating systems up to date, BHSEO attacks are harder to block or detect. One proactive measure is to use a browser extension that hides the HTTP referrer.
Most BHSEO pages target only visitors that come from a list of predefined web sites, usually search engines. Everyone else is redirected to non-malicious content. This attack shows that Google search BHSEO campaigns are not a thing of the past and that determined cyber criminals can always find ways to beat malware detection algorithms. µ
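The referrer-based targeting described above can be checked from the defender's side, for instance by a site owner auditing pages on their own domain. The following is an added example, not code from GFI or from this article: it fetches a page with and without a search-engine Referer header and reports differences. The names `probe`, `cloaking_signals` and `sample_probe`, and the `landing.example` host, are assumptions made for illustration.

```python
import hashlib
import urllib.error
import urllib.request
from typing import List, NamedTuple, Optional

REDIRECTS = (301, 302, 303, 307, 308)

class Probe(NamedTuple):
    status: int
    location: Optional[str]  # Location header, if the server sent one
    body_sha256: str

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as HTTPError below

def probe(url, referer=None, timeout=10.0) -> Probe:
    """Fetch a page you are responsible for, with or without a Referer header."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses land here
        resp = err
    return Probe(resp.code, resp.headers.get("Location"),
                 hashlib.sha256(resp.read()).hexdigest())

def cloaking_signals(direct: Probe, via_search: Probe) -> List[str]:
    """Compare a referrer-less fetch with one that claims to come from a search engine."""
    signals = []
    if via_search.status in REDIRECTS and direct.status not in REDIRECTS:
        signals.append("redirects only when Referer is a search engine")
    elif via_search.location != direct.location:
        signals.append("redirect target depends on Referer")
    if direct.status == via_search.status and direct.body_sha256 != via_search.body_sha256:
        # Weak on its own: dynamic pages differ between any two fetches.
        signals.append("body depends on Referer")
    return signals

def sample_probe(status, location, body):  # constructed responses, no network needed
    return Probe(status, location, hashlib.sha256(body).hexdigest())

if __name__ == "__main__":
    direct = sample_probe(200, None, b"<html>harmless filler</html>")
    via_search = sample_probe(302, "http://landing.example/", b"")
    print(cloaking_signals(direct, via_search))
```

A redirect implemented in JavaScript or a meta refresh returns status 200 either way, so it only shows up here as the weaker body-difference signal.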