I’ve been doing some research into the current state of SEP (search engine poisoning) attacks lately — in fact, I meant to do a post about Halloween-themed SEP last month, but had too much travel going on. So, since we’re approaching the Thanksgiving holiday weekend, and since I’ve done some posts in previous years on SEP attacks centered on this holiday season, I thought I would keep the tradition going.
Thanksgiving is a food-centric holiday, and so there are link-farms out there with recipe-themed search bait; but there are only so many ways to cook a turkey, which means the Bad Guys usually focus their efforts on a broader target: the major retail sales days known as “Black Friday” and “Cyber Monday”.
One of the cool tools that we have in Blue Coat Labs is a back-tracer, which we used to build the data on the most common attack vectors used by the big malnets that we highlighted in our mid-year report. One of the side benefits of this tool is that when it hits a search engine as the probable starting point of an attack, it tries to parse out the search terms that the user had typed in. It saves these in a nice little database table, which makes part of my SEP research easier.
Looking at the sample search terms from the weekend, it seems that there are already a lot of users interested in getting a jump on the “Cyber Monday” sales, as several users were blocked from going to malicious sites via paths starting with such search terms as “cyber monday”, “cyber monday deals”, and “best cyber monday deals 2011”.
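The kind of referrer parsing described above can be sketched as follows. This is an added example, not the Blue Coat Labs back-tracer itself: the function names, the (referrer, blocked destination) record layout, the short engine list and the `.example` hosts are all assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Query-string parameter that carries the search terms, keyed by engine host.
# Assumption: a short list for illustration; country-specific hosts are not covered.
ENGINE_PARAMS = {"google.com": "q", "bing.com": "q", "search.yahoo.com": "p"}

def extract_search_terms(referrer):
    """Return normalized search terms if referrer is a search results URL, else None."""
    parts = urlsplit(referrer or "")
    host = (parts.hostname or "").lower()
    for suffix, param in ENGINE_PARAMS.items():
        # Match the engine host or a true subdomain of it, never a look-alike
        # such as www.google.com.evil.example.
        if host == suffix or host.endswith("." + suffix):
            values = parse_qs(parts.query).get(param)
            if values and values[0].strip():
                # Lowercase and collapse whitespace so variants tally together.
                return " ".join(values[0].lower().split())
            return None
    return None

def tally_terms(blocked_requests):
    """Count the search terms that led to blocked destinations."""
    counts = Counter()
    for referrer, _destination in blocked_requests:
        terms = extract_search_terms(referrer)
        if terms:
            counts[terms] += 1
    return counts

# Constructed sample records: (referrer of the first hop, blocked destination).
SAMPLE_BLOCKED = [
    ("https://www.google.com/search?q=cyber+monday+deals&hl=en", "http://linkfarm.example/a"),
    ("http://www.bing.com/search?q=Cyber%20Monday%20Deals", "http://linkfarm.example/b"),
    ("http://search.yahoo.com/search?p=best+cyber+monday+deals+2011", "http://linkfarm.example/c"),
    ("http://www.google.com.evil.example/search?q=cyber+monday", "http://linkfarm.example/d"),
    ("http://forum.example/thread?id=7", "http://linkfarm.example/e"),
    ("", "http://linkfarm.example/f"),
]

if __name__ == "__main__":
    for terms, n in tally_terms(SAMPLE_BLOCKED).most_common():
        print(f"{n:3d}  {terms}")
```

Normalizing case and whitespace before counting is what lets the same bait phrase typed into different engines land in one row of the table.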
Interestingly, when I tried some searches in several leading search engines, I found that the SEP attackers were having trouble cutting through all of the “clutter” surrounding this topic. The top search results are filled with a variety of junk sites, with names like:
mycybermondaydeals.net, dealscybermonday.org, cybermonday2011.com, cybermondayonlinedeals.com, mycybermondaydeals.org, cybermonday2011s.com, cybermonday2011.tv, cybermondaybestdeals.us, bestcybermondaydeals.us, cybermondayonlinedeals.com, bestcybermonday.us, cybermondaydealslaptops.us, bestcybermondaydeals2011.org, bestcybermondaydeals2011.com, cybermondaydeals-2011.com, bestblackfridaycybermonday.blogspot.com and so on…
These are what I would characterize as “gray hat SEO” — that is, sites that are built for only one purpose (to show high up in Google), but are not generally malicious. They all TALK about what great deals are out there, with phrases like “you can save up to 90% on [fill in the blank] on Cyber Monday!” and discuss the best places to find those deals (naming sites like Amazon.com and Walmart.com), but they don’t actually have any deals to advertise — probably since Cyber Monday isn’t here yet. (Some of them do link to items for sale on Amazon, presumably to garner affiliate commissions if you buy an item after following a link from their site, but those aren’t Cyber Monday or Black Friday deals.)
In poking around, I did find one poor link-farmer trying to get his site to show up in a classic SEP attack (via a throwaway site on a free blog host). He’d managed to get an image to show up deep in the first page of results from a Google image search, and it made me smile:
First, I smiled because it’s cool that our Cloud Security Service (which I was using at the time) automatically blocked the link-farm site as Suspicious, but second, I smiled at the caveat “Some offers available online only” — after all, that’s the whole point of “Cyber Monday”: you’re shopping on-line for special deals. (I’m pretty sure the link-farmer didn’t make this image himself, but I still thought it was funny.)
Still, in spite of all the competition from the gray hat SEO clutter, the black hats have succeeded in enticing at least some people into finding and clicking on their links, as shown by our logs, so maybe you should advise your family and friends to just go directly to Amazon.com, or Walmart.com, or wherever, and search for deals there, instead of trying to navigate to spectacular deals via a search engine…