Researchers at the University of Cambridge will present evidence of what they say is widespread manipulation of search results that directs unwitting Web surfers to dodgy and illicit online pharmacy sites.
The research, which will be presented at the 20th USENIX Security Symposium in San Francisco, is the culmination of a nine-month survey of Web search results for 218 drug-related queries. Fully one third of the search results collected in the survey were found to point back to one of 7,000 infected hosts, which in turn redirected visitors to just a few hundred pharmacy Web sites, according to a post by Tyler Moore, a postdoctoral fellow at the Center for Research on Computation and Society (CRCS) at Harvard University, on the Cambridge University blog Light Blue Touchpaper.
Moore conducted the survey along with Nicolas Christin and Nektarios Leontiadis of Carnegie Mellon University. They found that those promoting the rogue pharmacies use a variety of well-tested means to drive large amounts of relevant Web traffic to the bogus online pharmacies. Those strategies include black hat search engine optimization (SEO) and the use of code injection attacks to leverage insecure but legitimate Web sites as feeders to the online pharmacies.
Vulnerable Web sites are first identified and compromised with malicious code and black hat SEO content that makes them attractive to searches based on pharmaceutical keywords. Malicious code injected on the site is then used to sort out search engine crawlers from visitors following drug-related searches and visitors following non-drug-related searches. Visitors to the site who came by way of drug-related searches get forwarded to the online pharmacy. All others land on the original, compromised Web site, Moore wrote.
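Site owners can look for this kind of conditional behaviour by requesting the same page as each class of visitor and comparing the answers. The sketch below is an added example, not code from the researchers: the request profiles, keyword list, host names and the two simulated hosts are constructed so it runs offline, and `fetch` is an assumed callable to be replaced with a real HTTP client that does not follow redirects.

```python
from urllib.parse import urlparse

# Constructed request profiles for the three visitor classes described above.
PROFILES = {
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "drug_search": {"User-Agent": "Mozilla/5.0",
                    "Referer": "https://www.google.com/search?q=cheap+viagra"},
    "direct": {"User-Agent": "Mozilla/5.0"},
}
SPAM_TERMS = ("pharmacy", "viagra", "pills")  # constructed keyword list
REDIRECTS = (301, 302, 303, 307, 308)

def check_cloaking(url, fetch):
    """Compare responses across profiles; fetch(url, headers) -> (status, location, body)."""
    site = urlparse(url).hostname
    seen = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    _, direct_loc, direct_body = seen["direct"]
    findings = []
    for name in ("crawler", "drug_search"):
        status, location, body = seen[name]
        target = urlparse(location).hostname if location else None
        # Off-site redirect served to this profile but not to a direct visitor.
        if status in REDIRECTS and target and target != site and location != direct_loc:
            findings.append((name, "conditional-redirect", target))
        # Spam keywords present for this profile but absent from the direct view.
        extra = [t for t in SPAM_TERMS
                 if t in body.lower() and t not in direct_body.lower()]
        if extra:
            findings.append((name, "cloaked-content", ",".join(extra)))
    return findings

def simulated_infected_host(url, headers):
    """Constructed stand-in for a compromised site (no network access)."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, None, "<h1>Town Library</h1> cheap pills online pharmacy"
    if "viagra" in headers.get("Referer", ""):
        return 302, "http://pharmacy.example/", ""
    return 200, None, "<h1>Town Library</h1>"

def simulated_clean_host(url, headers):
    """Constructed stand-in for an uncompromised site."""
    return 200, None, "<h1>Town Library</h1>"

if __name__ == "__main__":
    for finding in check_cloaking("http://library.example/", simulated_infected_host):
        print(finding)
```

A direct visit alone shows nothing unusual on the simulated infected host, which is why the comparison across profiles is the useful signal.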
The attacks are able to stay below the radar of the Web site owners, with the median duration of an infection found to be 47 days, and 16% of the 7,000 compromised Web sites the researchers observed never repaired, Moore writes.
The emphasis on search result poisoning is likely the byproduct of diminishing returns for traditional e-mail spam campaigns, the researchers theorize. The researchers say that the findings suggest that the Obama administration’s strategy for securing the Internet and protecting consumers needs to address search engine redirection attacks, not just rogue domains and balky advertisements.