While search engine optimization (SEO) is becoming one of the must do’s for companies that are trying to improve theirsite ranking in search engines like Google and Yahoo, it’s also increasingly becoming a trick of the trade for spammers and malware authors looking to drive traffic to their own infected websites or websites they might have hacked with their malware.
Like any owner of a website, criminals are interested in directing as much traffic as possible to their pages in order to distribute content and increase potential profits. Of course, in their case, the content that they are pushing is malware that aims to use their unsuspecting victim’s computer to send spam, launch denial of service attacks or steal valuable information from other users, such as online banking passwords and credit card numbers. The financial goals are nothing new, but the technique shows the growing sophistication of the spammer and malware author community.
Let’s take a look at how spammers and the malware authors utilize SEO to better target their attacks.
In order to improve their site rankings in search engines, spammers create websites that focus on one specific key word or search term. By using hundreds or thousands of these key words, the people behind these schemes can generate a large amount of traffic to their web pages. When unsuspecting users type in one of the search terms used by these parties into a search engine, they may find malicious websites mixed in with the legitimate pages in the search results. Some infected websites may even appear on the first page of returns.
Recently, researchers in our TRACElabs observed one spammer SEO operation that used millions of search terms covering almost any topic imaginable to influence as many searches as possible. For example, users entering seemingly innocuous search terms like “ski Alaska” were presented with malicious links appearing at the top of the search results page. Another malicious SEO operation used top search terms from Google’s Hot Trends service to help drive users to websites hosting malicious code. This was a particularly nefarious scheme, trying to leverage top searches in order to target potential victims.
Once users click through to the malicious websites found in these search results, they are often presented with messages urging them to download what appears to be legitimate antivirus software. They’re told that their computer has been infected with a virus, and that immediate action is necessary. Unfortunately, the pop-up instead downloads rogue antivirus software that does much more harm than good as well as fleecing the user for the licensing cost of the supposed anti-virus software.
These new SEO schemes add a new layer of complexity to the challenge of increasing employee vigilance around Web threats. While many users can spot malicious spam emails and know to steer clear of pornographic websites, most are unaware that their casual searches on Google could actually bring up several malicious websites, even on the first page of search results.
So how can users prevent themselves from falling prey to infected websites found in search results?
In some cases, the user may be able to identify a suspicious site by simply reading the URL. Some examples of malicious domain names are “peziueued.xorg.pl,” “bicoamigq.xorg.pl,” and “ubiuexiia.xorg.pl.” Domains that are out of the ordinary should be approached with extreme caution.
In addition, users should be extremely wary of downloading any executable files or browser plug-ins on the Web, especially from untrusted sources. Don’t believe a pop-up window if it says your computer is infected with malware. Instead, contact your network administrator.
At the end of the day, user education and acceptable use policy enforcement are still some of the best ways to protect both users and an enterprise’s network. Cybercriminals are only going get more sophisticated as time goes on, so users must keep themselves informed on the latest threats in order to protect themselves.
* Bradley Anstis is the director of technology strategy at Marshal8e6, a provider of e-mail and Web security technologies.
