Links to malicious websites have frequently been paired with news headlines to provide an attractive lure to end users. The strategy is simple, and it works because the headlines themselves are already familiar: most users can associate with recent news, whether from a newsflash on TV, the radio, or simply talk at the water-cooler. Because of this, references to that content (in the form of links in e-mails or in SEO campaigns) appear legitimate, creating a false sense of security. Even worse, in the case of the latter - blackhat SEO campaigns - users are more likely to click on the malicious links because it was their own action that queried the content. SEO attacks occur when blackhat methods are used to seed malicious links into the top search results, often by creating many links and keyword-stuffed pages across multiple domains. This proves effective since users are likely to click on links from the first set of results returned to them.
We always recommend not following unsolicited links before investigating and verifying both the identity of the sender and the intended destination; that advice addresses the common case of attacks arriving by e-mail. With blackhat SEO campaigns, however, the links are not unsolicited -- the user has queried content using their favorite search engine, and has been presented with malicious links in return.
Today, these campaigns have become more sophisticated, as attackers now automate which keywords they target, based on popular search queries: Google Trends provides a public list of such keywords, and that list is being leveraged for attack. In fact, looking at one such trend term ("annie le facebook"):
The first 6 of 10 results were infected links.
In this first set of 10, there were two separate campaigns/attacks, suggesting two separate organizations involved.
One infected link led to a fake video which, when clicked, redirected to another site that pushed the file "flash-plugin_update.40014.exe". FortiGuard antivirus detects this as W32/PackFrauLoad.B - a rogue security software suite.
All roads lead to Rogue
On that note, fake security software has become immensely popular - and profitable. I recently blogged about an IRC bot, showing some of its C&C commands to download content from a third-party server. It is remarkable that one such executable downloaded in that attack was precisely the same rogue security software (W32/PackFrauLoad.B) as in the SEO attack described above, though hosted on a different server and obviously seeded through different vectors (MSN / IRC).
This highlights the widespread distribution of rogue security software, with more and more cyber criminals hopping on board, each trying their own innovative attack to seed it on behalf of the gang that produces it. This is all fueled by incentives, of course: affiliate programs, which reward the "seeders" with a fraction of the cash made when victims fall for the scam and purchase the illegitimate security software.
How is an SEO attack implemented?
Figure 1 above shows the main component used by SEO blackhats to "game" search engines into displaying their malicious links in the top search results for a particular term. The links in blue (top left - based on similar trend terms) point to the malicious link to be inserted into the top search results. The body is composed of headlines harvested from major news outlets for the given keywords. The "relevance" of the malicious link to the keyword is thereby increased: from the perspective of the search engine, here is a page filled with text relevant to the keyword, pointing to this link, so the link itself must be highly relevant to the topic defined by the keyword -- according to the engine, at least.
Of course, a large number of such pages are needed to raise the relevance of the malicious link to the point where it is featured in the top search results for the keyword. Figure 3 below shows the results. The fake video / flash plug-in link mentioned above (Figure 2) is highlighted in orange, whereas various other malicious links (Figure 1) are highlighted in red. We are reporting all malicious activity we find to the appropriate contacts.
What's more, the first attack uses compromised, legitimate servers to host a PHP script which dynamically populates the SEO building pages (such as the one in Figure 1) based on the keywords. The servers I observed were all running Apache on Linux, and hosting not only the SEO building pages but also the malicious links they point to; as a matter of fact, the address is the same for both. Only the referrer (the HTTP Referer header sent by the browser) determines which page is served: the malicious redirect for someone arriving from a search engine's results page, and the SEO building page for anyone else, including the search engine's own crawler.
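The referrer-based cloaking described above is easy to model and, more usefully, easy to test for. The following is an added example, not code from the original post or from FortiGuard: it models the compromised host as a function that returns the SEO building page to direct visitors and crawlers but a redirect to anyone arriving from a search engine, and it runs the check an analyst would perform against a suspect URL: fetch it twice, once with and once without a search-engine Referer, follow any redirects, and compare the two paths. All hostnames, the redirect chain, the page contents and the list of search-engine labels are constructed for the example; the post does not give the real ones.

```python
# Added example (not from the original post): referrer-based cloaking,
# modelled in-process, plus a detector that fetches a URL both ways and
# follows the redirect chain. Every host and page below is made up.

from urllib.parse import urlparse

# Assumption: the cloaking script keys on these labels in the Referer host.
# The real script's list is not given in the post.
SEARCH_ENGINE_LABELS = {"google", "bing", "yahoo", "live", "ask"}

LANDING_URL = "http://seo-host.example/annie-le"

# Constructed stand-in for an SEO "building" page: harvested headlines
# plus a link back to the landing URL, as described for Figure 1.
SEO_BUILDING_PAGE = (
    "<html><body>"
    "<a href='http://seo-host.example/annie-le'>annie le facebook</a><br>"
    "(harvested headline 1 about the trend term)<br>"
    "(harvested headline 2 about the trend term)<br>"
    "</body></html>"
)

# Constructed redirect chain: landing URL -> two intermediate hops ->
# final page pushing the fake scanner. (status, Location-or-body)
REDIRECT_CHAIN = {
    LANDING_URL:                         (302, "http://hop1.example/in.php"),
    "http://hop1.example/in.php":        (302, "http://hop2.example/go"),
    "http://hop2.example/go":            (302, "http://fake-av.example/scan.html"),
    "http://fake-av.example/scan.html":  (200, "<html>Your computer is infected!</html>"),
}


def referer_is_search_engine(referer):
    """True when the Referer host looks like a search-engine results page."""
    if not referer:
        return False
    host = (urlparse(referer).hostname or "").lower()
    return any(label in SEARCH_ENGINE_LABELS for label in host.split("."))


def cloaked_server(url, headers):
    """Model of the compromised host: one URL, two behaviours.

    Returns (status, payload); payload is a Location for 3xx, a body otherwise.
    """
    if url == LANDING_URL and not referer_is_search_engine(headers.get("Referer")):
        return 200, SEO_BUILDING_PAGE        # crawler or direct visitor
    return REDIRECT_CHAIN.get(url, (404, ""))


def follow_chain(fetch, url, headers, max_hops=10):
    """Follow 3xx responses; return (urls visited, final status, final body)."""
    hops = [url]
    for _ in range(max_hops):
        status, payload = fetch(url, headers)
        if 300 <= status < 400 and payload:
            url = payload
            hops.append(url)
            continue
        return hops, status, payload
    raise RuntimeError("redirect loop or chain longer than max_hops")


def check_cloaking(fetch, url):
    """Fetch once like a crawler/direct visitor and once as if arriving
    from a search result; report whether the two paths diverge."""
    direct_hops, _, direct_body = follow_chain(fetch, url, {})
    from_search = {"Referer": "http://www.google.com/search?q=annie+le+facebook"}
    search_hops, search_status, search_body = follow_chain(fetch, url, from_search)
    return {
        "cloaked": direct_hops != search_hops or direct_body != search_body,
        "direct_hops": direct_hops,
        "search_hops": search_hops,
        "final_status": search_status,
        "final_body": search_body,
    }


if __name__ == "__main__":
    report = check_cloaking(cloaked_server, LANDING_URL)
    print("cloaked:", report["cloaked"])
    print("direct :", " -> ".join(report["direct_hops"]))
    print("search :", " -> ".join(report["search_hops"]))
```

Against a live suspect URL the `fetch` argument would be a real HTTP client that returns the status and either the Location header or the body; the comparison logic stays the same. The check also catches the simpler cloaking variants that key on User-Agent rather than Referer if you additionally vary that header.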
On a successful referral, these servers redirect through three further servers, the last one being a site hosting yet another rogue security software variant. These servers, in routing order, are based in Moldova and Belize. FortiGuard antivirus proactively detected the last page, which pushed the rogue security variant for download, as JS/FakeAlert.B!tr.
These attacks are likely to continue as affiliate programs attract more illegitimate participants, who abuse free services such as Google Trends to monetize their seeding. Yet another reminder to layer your security solution with the likes of web filtering and antivirus.