With the wealth of information we have published concerning blackhat SEO, hopefully the bulk of Naked Security readers are more than familiar with the perils of searching for what may be considered ‘hot’ keywords.
Yes, that’s right readers. Anyone keen to find leaked videos of Miley Cyrus, pictures of Jennifer Lopez or Kim Kardashian or investigate ‘if Justin Bieber really is black’ is just asking for trouble. (Actual search terms extracted from data received whilst writing this post.)
As we revealed last year, it is straightforward for the bad guys to keep up with hot, trending items, thanks to services such as Google Trends. However, it is important to remember that this is not the end of the story. SEO poisoning is not limited to just the hot or risque topics.
Back in October 2009, we wrote about how the attackers were using topics of an educational theme, designed to trap students and teachers searching for information and resources. These very same subtle tactics are still working today.
As it happens, our own product line has reached the heady heights of being SEO-worthy.
Yesterday afternoon I noticed a poisoned term which made me chuckle. Incoming data revealed a Mal/SEORed-A detection on an SEO page constructed by one of the recent kits we have been tracking. Looking at the URL reveals the topic the user was searching for:
The ‘WS1000 appliance’ search term refers to one of the Sophos web appliance models! So a user searching for information on our web appliances was thankfully sitting behind one of them, enabling us to thwart the attack by blocking the initial redirect as Mal/SEORed-A. Were they not already a Sophos customer, they would have been subjected to the usual scareware onslaught, courtesy of a redirect to:
Irony aside, this simply reflects how effective blackhat SEO attacks actually are. This is evident from the chart below which summarises the top malware detections we have blocked on our customer web appliances (May 20th – May 25th). As you can see, blackhat SEO accounts for over 30% of all detections.
So what can users do to protect themselves? Clearly, being sensible or careful with what you search for is no use.
- Users need to take care to review the links provided by the search engines, and think before they click.
- Ensure the filtering options provided by your chosen search engine are enabled.
- Most importantly, ensure you have layered protection in place, with effective content scanning and URL filtering focused on blocking such attacks at multiple levels.
Of course, there are other tricks and tools users may use (for example, browser plug-ins that mask the HTTP referrer), but the above tips provide some simple, common-sense measures to help ensure your networks are better defended against SEO-driven attacks.