
Google Trends SEO Continues

By Derek Manky | September 16, 2009

Links to malicious websites are frequently paired with news headlines to provide an attractive lure for end users. The strategy is simple and effective precisely because the bait is popular: most users recognize recent headlines, whether from a newsflash on TV, the radio, or simply talk at the water-cooler. References to that content (links in e-mails, or search results gamed through blackhat SEO campaigns) therefore appear legitimate and create a false sense of security. Worse, in the SEO case users are even more likely to click, because it was their own query that surfaced the link. SEO attacks seed malicious links in top search results through blackhat methods, typically by generating large numbers of keyword-stuffed pages and links across many domains. This works because users tend to click on the first set of results returned to them.

We always recommend not following unsolicited links before investigating and verifying both the identity of the sender and the intended destination; this advice covers the common case of attacks arriving by e-mail. With blackhat SEO campaigns, however, the links are not unsolicited: the user has queried content using their favorite search engine and has been presented malicious links in return.

Today these campaigns have become more sophisticated: attackers now automate the choice of keywords to target, based on what people are currently searching for, and Google Trends provides a public list of exactly such keywords, which is being leveraged for attack. In fact, looking at one such trend word ("annie le facebook"):

  • The first 6 of 10 results were infected links.

  • In this first set of 10, there were two separate campaigns/attacks, suggesting two separate organizations involved.

One infected link led to a fake video, which upon clicking, redirected to another site that pushed the file "flash-plugin_update.40014.exe". FortiGuard antivirus detects this as W32/PackFrauLoad.B - a rogue security software suite.

All roads lead to Rogue

On that note, fake security software has become immensely popular and profitable. I recently blogged about an IRC bot, showing some of its C&C commands for downloading content from a third-party server. Remarkably, one of the executables downloaded in that attack was precisely the same rogue security software (W32/PackFrauLoad.B) as in the SEO attack described above, though hosted on a different server and seeded through different vectors (MSN / IRC).

This highlights how widely rogue security software is distributed: more and more cyber criminals are hopping on board, each trying their own attack for seeding it on behalf of the gang that produces it. The incentive, of course, is money: affiliate programs reward the "seeders" with a fraction of the cash made when victims fall for the scam and purchase the illegitimate security software.

How is an SEO attack implemented?

Figure 1: SEO campaign leveraging Annie Le's homicide

Figure 1 above shows the main component used by SEO blackhats to "game" search engines into displaying their malicious links in the top search results for a particular word. The links in blue (top left, derived from related trend words) point to the malicious URL to be inserted in the top search results. The body consists of headlines harvested from major news outlets for the given keywords, which raises the apparent "relevance" of the malicious link to that keyword. From the search engine's perspective, here is a page full of lines relevant to the keyword, all pointing to one link, so that link must be highly relevant to the topic defined by the keyword -- according to the engine, at least.

Figure 2: Second referenced SEO attack

Of course, a large number of such pages is needed to raise the relevance of the malicious link to the point where it is featured in the top search results for the keyword. Figure 3 below shows the results. The fake video / flash plug-in link mentioned above (Figure 2) is highlighted in orange, whereas the various other malicious links (Figure 1) are highlighted in red. We are reporting all malicious activity we find to the appropriate contacts.

Figure 3: SEO attacks in action, indexed in top 10 set

Dynamic SEO

What's more, the first attack uses compromised, legitimate servers to host a PHP script that dynamically populates the SEO building pages (such as the one in Figure 1) based on the keywords. The servers I observed were all running Apache on Linux and hosted not only the SEO building pages but also the malicious links they point to; in fact, the address is the same for both. Only the referrer determines which page is served: the malicious redirect for a visitor arriving from a search engine's results page, and the SEO building page otherwise, which is also what the search engine's crawler sees when it indexes the site, since a crawler carries no search-results referrer.
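The two mechanisms described above, the keyword-stuffed SEO building page and the referrer-keyed cloaking that serves it to crawlers but redirects search visitors, can be modelled and, more usefully, detected. The following is an added example written for this article, not code from the original post or from the campaign itself: the attacker-side functions are a reconstruction of the behaviour described, and the headlines, the payload URL (`example.invalid`), the search-engine pattern and the similarity threshold are constructed assumptions. The defender-side `detect_cloaking` takes an injected `fetch` callable so it runs offline here; in practice that callable would wrap an HTTP client.

```python
"""Referrer-based SEO cloaking: a model of the described server behaviour and a detector for it.

Added example (not the post's or the campaign's code). Attacker-side logic is a
reconstruction of what the article describes; sample data is constructed.
"""
import difflib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: the cloaker keys on the Referer pointing at a major search engine.
SEARCH_ENGINE_RE = re.compile(r"https?://(www\.)?(google|bing|yahoo|ask)\.", re.I)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


# ---------- attacker side (reconstruction of the described behaviour) ----------

# Constructed sample of "harvested" headlines; a real campaign pulls these from news sites.
HARVESTED_HEADLINES: List[str] = [
    "Annie Le case: police question lab technician",
    "Yale student Annie Le remembered by friends",
    "Annie Le Facebook memorial pages draw thousands",
]
PAYLOAD_URL = "http://example.invalid/flash-plugin_update.exe"  # placeholder, not a real host


def build_seo_page(keyword: str, headlines: List[str]) -> str:
    """SEO building page: keyword-relevant headlines, every one linking to the same payload URL."""
    first = keyword.split()[0].lower()
    lines = [f'<a href="{PAYLOAD_URL}">{h}</a>' for h in headlines if first in h.lower()]
    return f"<html><title>{keyword}</title><body>\n" + "\n".join(lines) + "\n</body></html>"


def cloaked_server(referer: Optional[str], keyword: str = "annie le facebook") -> Response:
    """Same URL, two faces: redirect search-engine visitors, show crawlers the SEO page."""
    if referer and SEARCH_ENGINE_RE.match(referer):
        return Response(302, {"Location": PAYLOAD_URL}, "")
    return Response(200, {"Content-Type": "text/html"}, build_seo_page(keyword, HARVESTED_HEADLINES))


# ---------- defender side ----------

def detect_cloaking(fetch: Callable[[Optional[str]], Response],
                    probe_referer: str = "http://www.google.com/search?q=annie+le+facebook",
                    similarity_threshold: float = 0.9) -> dict:
    """Fetch the same URL with and without a search-engine Referer and compare the answers.

    Flags cloaking when only the referred request is redirected, or when the two
    bodies differ substantially (threshold is an assumed tuning value).
    """
    plain = fetch(None)
    referred = fetch(probe_referer)
    redirect_only_for_search = (300 <= referred.status < 400) and not (300 <= plain.status < 400)
    similarity = difflib.SequenceMatcher(None, plain.body, referred.body).ratio()
    return {
        "cloaked": redirect_only_for_search or similarity < similarity_threshold,
        "plain_status": plain.status,
        "referred_status": referred.status,
        "redirect_target": referred.headers.get("Location"),
        "body_similarity": round(similarity, 3),
    }


if __name__ == "__main__":
    print(detect_cloaking(lambda ref: cloaked_server(ref)))
```

When probing a real site, vary the User-Agent as well as the Referer: cloakers commonly key on both, serving the stuffed page to anything that looks like Googlebot and the redirect to anything that looks like a browser arriving from a results page.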

On a successful referral, these servers redirect through three further servers, the last of which hosts yet another rogue security software variant. These servers, in routing order, are based in Moldova and Belize. FortiGuard antivirus proactively detected the last page, which pushed the rogue security variant for download, as JS/FakeAlert.B!tr.

Scare tactics

This attack is of course not limited to Annie Le: all other hot trend words, including actor Patrick Swayze's death, bring up the same domains seeded within the first set of search results, which highlights the effectiveness of the dynamic SEO page building process described above. Figure 4 below shows the last server (located in Belize) deploying its scare tactics (through JavaScript) before pushing the fake software.

Figure 4: Scareware tactics through JavaScript

These attacks are likely to continue as affiliate programs attract more illegitimate participants who monetize services such as Google Trends. Yet another reminder to layer your security solution with the likes of web filtering and antivirus.

Update (September 17, 2009): This attack still continues, taking advantage of the latest "hottrends" category. For example, as of writing, the current #1 Google Trend word in this category is "raymond clark iii facebook", following the recent arrest in the Annie Le case (and SEO campaign) discussed above. Searching for this keyword on Google presents an infected domain within the top 5 results, which ultimately leads to the same chain of hops and to the fake JavaScript scan mentioned in this post (Figure 4). The dynamic page building seems to be working quite effectively - be careful out there.
