How Online Scammers Poison Your Search Results
Imagine the following scenario: A user is looking online for that perfect gift this holiday season. He's tried several different searches and, on one attempt, winds up on an online casino page after clicking on what claimed to be a link to a retail site.
Sound familiar? It should. Cybercriminals and online scammers are using the same search engine optimization techniques that legitimate retailers use to push their pages to the top of search results.
The practice is called "black hat SEO" or "SEO poisoning." The miscreants abuse the ways search engines index and rank sites to trick unsuspecting Web users into visiting malicious pages.
The goal of black hat SEO is to snare a user "for malicious purposes," especially when that user was looking for something else, said Patrik Runald, director of security research at Websense in San Diego.
Cybercriminals work hard to get their malicious sites ranked near the top of the results returned for trending topics, Runald said.
That Christmas spirit
With the start of the official holiday season, cybercriminals are targeting shopping-related keywords such as "coupons" and "holiday sales."
When users search for those keywords, some of the top links on Google, Bing and other search engines may actually be sites hosting malware or rogue anti-virus software, selling counterfeit products, running survey scams or trying to extract people's personal or credit-card information.
There are many ways to poison search results. The most common method is to rig a "payload" Web page with hidden HTML keywords, text or meta tags that a visitor never sees but a search crawler still reads, tied to a seasonal event or big news story. Recent topics have included the U.S. presidential election and hurricane flooding in New York.
At this time of the year, attackers tend to use top gift items or deep discounts on popular electronics items as bait, Runald said. For example, a site could promise "iPad Mini $99!" or embed "iPad Mini," "Apple," and "iPhone" in its title and keywords.
Many scammers still insert links to the payload site into the comment and form fields of other websites.
"Think of the millions of abandoned blogs that exist that still allow comments," Runald said.
Adding comments to sites is "still an effective way to manipulate search algorithms," but it isn't a particularly "fast, nor nimble" attack, Runald said.
Comment poisoning is generally reserved for long-term, wide-net campaigns aimed at poisoning a specific search term.
Posting links on Twitter is also an increasingly popular SEO poisoning technique, as criminals can easily push out links to the rogue site. Since the links are usually hidden behind shortened URLs, users aren't always aware they are clicking on malicious sites until it is too late.
A more effective method is to link the hundreds, if not thousands, of websites under the criminal's control to the payload site, Runald said. The attacker may have obtained these sites as part of previous attacks, such as an effective mass injection campaign.
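As an added example, not code from the article or from Websense, the following Python script looks for the two artifacts this section describes on a page it is given: keyword text and meta tags hidden from visitors on a payload page, and a hidden off-site link injected into a compromised site to steer crawlers toward the payload. The sample pages, the host names (shop-example.test, blog-example.test, payload-example.test) and the two thresholds are constructed for this example.

```python
"""Added example (not from the article): flag hidden SEO-poisoning content in HTML.

Findings reported:
  * <meta name="keywords"> stuffed with many terms;
  * text hidden from visitors (display:none, visibility:hidden, zero font size,
    off-screen positioning or the HTML5 hidden attribute) but read by a crawler;
  * hidden links, and any iframes, whose target is off-site.
Host names, pages and thresholds are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"meta", "img", "br", "hr", "input", "link", "source"}
# Inline styles that hide an element from a human visitor but not from a crawler.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt)?(?=\s*(?:;|$))"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
HIDDEN_WORD_THRESHOLD = 15   # assumption for this example
META_KEYWORD_THRESHOLD = 10  # assumption for this example


class PoisonScanner(HTMLParser):
    """Collects (finding, detail) tuples while parsing one page served by site_host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._stack = []        # one bool per open element: is it hidden?
        self._hidden_words = 0

    def _in_hidden(self):
        return any(self._stack)

    def _offsite_host(self, url):
        host = (urlparse(url).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            return host
        return None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # a bare attribute maps to ""
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "meta" and a.get("name", "").lower() == "keywords":
            n = len([k for k in a.get("content", "").split(",") if k.strip()])
            if n >= META_KEYWORD_THRESHOLD:
                self.findings.append(("stuffed-meta-keywords", str(n)))
        if tag in ("a", "iframe"):
            host = self._offsite_host(a.get("href") or a.get("src") or "")
            # A visible off-site link is normal; a hidden one, or any off-site iframe, is not.
            if host and (tag == "iframe" or hidden or self._in_hidden()):
                kind = "offsite-iframe" if tag == "iframe" else "hidden-offsite-link"
                self.findings.append((kind, host))
        if tag not in VOID_TAGS:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        if self._in_hidden():
            self._hidden_words += len(data.split())

    def close(self):
        super().close()
        if self._hidden_words >= HIDDEN_WORD_THRESHOLD:
            self.findings.append(("hidden-keyword-text", f"{self._hidden_words} words"))


def scan(html, site_host):
    """Return the list of findings for one page served by site_host."""
    scanner = PoisonScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages, not real sites.
PAYLOAD_PAGE = """<html><head><title>iPad Mini $99!</title>
<meta name="keywords" content="ipad mini,iphone,apple,coupons,holiday sales,deals,cheap,discount,gift,black friday,sale,bargain">
</head><body>
<h1>Holiday deals</h1><p>Enter your card details to claim your discount.</p>
<div style="display:none">iPad Mini $99 iPad Mini deals cheap iPhone Apple holiday sales coupons black friday iPad Mini iPhone Apple coupons</div>
</body></html>"""

COMPROMISED_PAGE = """<html><head><title>My abandoned blog</title></head><body>
<p>Last post, 2009. <a href="/archive">Archive</a></p>
<div style="position:absolute;left:-9999px"><a href="http://payload-example.test/deals">iPad Mini $99</a></div>
</body></html>"""

CLEAN_PAGE = """<html><head><title>Blog</title></head><body>
<p>See <a href="/about">about</a> and <a href="https://www.example.org/">example.org</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page, host in [("payload", PAYLOAD_PAGE, "shop-example.test"),
                             ("compromised", COMPROMISED_PAGE, "blog-example.test"),
                             ("clean", CLEAN_PAGE, "blog-example.test")]:
        print(name, scan(page, host))
```

The scanner keeps a stack of open elements so that anything nested inside a hidden container is treated as hidden, which is how the injected one-liner on the compromised page is caught even though the link itself carries no style. Real pages use far more hiding tricks (CSS classes defined in stylesheets, JavaScript that removes the content, cloaking by User-Agent), so treat this as a first-pass triage tool rather than a complete detector.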
"Inserting a single line of code to each of these sites can point a search engine crawler to index the payload site rather quickly," Runald said.
Tools of the trade
SEO poisoning can be effective, and criminals can get set up very quickly. Within hours after the earthquake and tsunami hit Japan in 2011, a search for "most recent earthquake in Japan" returned a host of websites that claimed to have the latest news but were actually pushing fake anti-virus software.
The bad guys have developed various automated tools to monitor and find breaking news topics and trending search terms and then use the tool's control panel to modify the site content to exploit those terms.
They are also monitoring trending topics on Twitter to know what users are searching for and automatically try to contaminate search results for those search terms.
There are many simple programs available to automate the process of SEO poisoning, and new ones are being created every day. Thanks to these tools, attackers are able to manipulate legitimate indexing by search engines with just a few clicks, Runald said.
"Cybercriminals will take the least path of resistance, but they are only getting more creative," Runald said.
However, it is important to remember that many of the search engines, including Google and Bing, have improved their filtering capabilities and are able to detect and remove poisoned results more rapidly, Runald said.
Two years ago, 22.4 percent of popular trending terms from Google and Yahoo searches returned malicious results, according to Websense figures.
Websense is still analyzing the statistics to get the latest figures for this year, but Runald believes the number has dropped and that level of broad SEO poisoning has declined.
Of course, this just means the bad guys are getting more creative about which search terms to go after. Runald predicted there will be more targeted SEO poisoning going after associations, industries, and people with common interests.
Attackers will also shift toward more esoteric terms such as "industrial control hardware" to set up watering-hole-style attacks, he said.
Watering-hole attacks often use SEO-poisoning tactics to lure victims to booby-trapped sites. Attackers identify specific websites that their targets, for example defense-industry contractors, are likely to visit and compromise those sites.
The attackers make sure the compromised sites are in the top results for relevant search terms and wait for the victims to come. When the victims land on the page while surfing online, they are compromised.
"Waterhole attacks are on the rise and are a clear example of how the bad guys will continue to refine their tactics to steal data and attack networks worldwide," Runald said.
How to beat the bad guys
The bottom line is that Internet users need to be vigilant and stick with basic safe-surfing habits to avoid getting tricked by a poisoned result.
Users should make sure to have anti-virus software installed with the latest definitions, and that all updates and patches have been applied to the operating system and other software applications.
Users should also be leery of entering any personal data into a form field on a page they landed on after performing a search.
Instead, one should navigate directly to the page's main site by typing in the domain URL in the browser. If the form is legitimate, there will be a way to navigate to it from the main page.
The same goes for looking for sales. Users should search for online sales directly from the retailer's page instead of using a search engine.
Users should also never click on a link or allow downloads from unfamiliar sources. Verify URL addresses to make sure you are going after the right website.
When visiting a new website for the first time, if the site opens up a message box seeking permission to install a component or download an object, never click "OK," or "Yes."
In fact, before visiting such a site, enable the browser's built-in phishing and malware protection (often called safe browsing) if the browser offers it.
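As an added example, not from the article, here is a small Python check of a landing-page URL against the retailer domain the user meant to reach. It catches the tricks that make a poisoned result look legitimate: the retailer's name used as a subdomain of an unrelated host, the retailer's name placed before an "@" so the real host follows it, internationalised look-alike labels, and shortened links that hide the real destination. The domain names and the shortener list are constructed for this example.

```python
"""Added example (not from the article): sanity-check a landing-page URL before
entering personal data. Domain names and the shortener list are constructed."""
from urllib.parse import urlsplit

# Constructed, deliberately short list; a real check would use a maintained one.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


def check_landing_url(url, expected_domain):
    """Return (verdict, reason); verdict is 'ok', 'shortener' or 'suspicious'."""
    parts = urlsplit(url.strip())
    expected = expected_domain.lower().strip(".")
    host = (parts.hostname or "").lower().strip(".")

    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    if parts.username is not None:
        # https://shop.example@evil.example/ : the real host is the part after the "@"
        return "suspicious", f"user-info before '@' disguises the real host {host!r}"
    if not host:
        return "suspicious", "no host name in URL"
    if host in KNOWN_SHORTENERS:
        return "shortener", "expand the short link and check the final destination"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"internationalised label in {host!r} may be a look-alike"
    if host == expected or host.endswith("." + expected):
        return "ok", f"{host!r} is under {expected!r}"
    if expected in host:
        # e.g. shop-example.test.deals-example.net : the retailer name is only a subdomain
        return "suspicious", f"{expected!r} appears inside unrelated host {host!r}"
    return "suspicious", f"{host!r} is not {expected!r}"


if __name__ == "__main__":
    for u in ["https://www.shop-example.test/sale",
              "https://shop-example.test.deals-example.net/sale",
              "https://shop-example.test@deals-example.net/",
              "http://bit.ly/3xyz",
              "https://xn--shp-example-1ra.test/",
              "javascript:alert(1)"]:
        print(u, "->", check_landing_url(u, "shop-example.test"))
```

The "shortener" verdict is deliberately not "ok": a short link tells you nothing about where it lands, so the destination must be expanded and run through the same check before anything is typed into the page.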
Even as search engines and security tools come up with new techniques to detect and flag poisoned results as malicious, the attackers will keep innovating.
"The potential payoff is too significant for the criminals to ignore," Runald said.