Having mastered the art of poisoning search engine results for .com sites, attackers are now turning their attention to .edu sites, linking their keyword campaigns to educational institutions as a way of lending their malicious sites more credence in the eyes of Google.
The goal of these attacks is the same as those targeting commercial sites: to elevate the rank of the malicious sites so that they become more attractive to users searching for information on a given topic. Robert Hansen, a security researcher and CEO of SecTheory, has been investigating the SEO poisoning campaigns, and what he found was not very heartening.
By getting .edu (which ranks higher than .com for instance) to link to a site with the right keywords, Google is tricked into thinking the site is of higher value. Yes, Google’s algorithm really is that simple to get around, which is why there is a lot of garbage in their index now. It just took a while for the bad guys to get a large enough mass of hacked sites.
So I started messing around with search strings that would help me identify highly probably hacked sites and poof – within a few minutes I had dozens upon dozens of high value compromises:
inurl:.edu viagra
inurl:.edu cialis
inurl:.edu phentermine
The SEO poisoning campaigns against .com sites have been very successful, with attackers and spammers relying on the technique to draw victims to phishing sites and other undesirable destinations. Such attacks can be very difficult to recognize and avoid, perhaps even more so with the .edu campaign.
Many colleges and research institutions have legitimate connections to some of the keywords that spammers and phishers favor–such as medical and pharmaceutical terms–making it even more problematic for victims.