Researchers have found a new black hat SEO campaign that is being used to redirect users to links that will install the Black Hole exploit kit. The attack is based on searches for, of all things, Shia LaBeouf, and leads users through a forest of redirects before plopping them on the compromised site.
The new SEO poisoning campaign is just the latest twist on what has become the attacker’s best friend. It all hinges on being able to guess correctly what terms users are going to be searching for most often and then finding a way to either compromise the sites that those results point users to or insert malicious ads alongside the search results on Google, Bing and other search engines. Many times these campaigns are designed to point users to scareware sites or used as part of click fraud operations.
But in this case, researchers at Websense discovered that attackers have compromised a fan site for LaBeouf and are using it to infect visitors’ machines with the Black Hole exploit kit. Black Hole is a somewhat recent addition to the rogues’ gallery of exploit packs, but it’s currently being bought and sold by various attacker crews all over the Web. It has also been found distributed for free in some places, so it’s available to newbies as well.
In the current SEO poisoning campaign, once visitors click on a specific link in Google search results related to LaBeouf, they’re bounced through a long series of browser redirects that eventually leads to the compromised site. The site uses an injected iframe to exploit the user’s browser and install the exploit kit. But there’s a lot of weirdness going on in the background, as well.
“One thing to notice is that looking at the above DOM code, there is no object or applet tags that are shown and require an A.class. Good thing we were watching the network connections and JavaScript hooked events. This is a reminder that a Web page with the use of dynamic client-scripting like JavaScript can continually change. The finalized DOM does not always represent the DOM at all stages of the document, changing due to JavaScript functions being called,” Stephan Chenette, principal security researcher at Websense, said in his analysis of the attack.
“What happened is that during the deobfuscation phase, the algorithm above created a series of document nodes. One of them was most certainly an object or applet which required A.class. It then did some other checks, for example browser types, using functions to verify over the user agent which browser was actually running and then redirecting the browser based on the result to another redirector.”
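To illustrate the point about the finished DOM, here is an added example (not taken from the Websense analysis or from the original article) that replays a constructed log of DOM insertions and removals and reports elements that never show up in the final snapshot. The log format, the `analyzeMutations` function and every sample value are assumptions made for the illustration.

```javascript
"use strict";

// Constructed mutation log (all values made up). Each record is what an
// instrumented browser or a MutationObserver callback could have captured.
const SAMPLE_LOG = [
  { t: 1, op: "add", id: "n1", tag: "SCRIPT", attrs: {} },
  { t: 2, op: "add", id: "n2", tag: "APPLET", attrs: { code: "A.class" } },
  { t: 3, op: "add", id: "n3", tag: "IFRAME", attrs: { src: "http://redirector.example/" } },
  { t: 4, op: "remove", id: "n2" },
  { t: 5, op: "add", id: "n4", tag: "DIV", attrs: {} },
  { t: 6, op: "remove", id: "n1" },
];

// Elements that can load active or third-party content.
const WATCHED = new Set(["applet", "object", "embed", "iframe"]);

// Replay the log in time order and compare the history with the final DOM.
function analyzeMutations(log) {
  const live = new Map(); // id -> node currently attached to the document
  const watched = [];     // every watched element ever inserted
  const events = [...log].sort((a, b) => a.t - b.t);
  for (const ev of events) {
    if (ev.op === "add") {
      const node = { id: ev.id, tag: ev.tag.toLowerCase(), attrs: ev.attrs || {},
                     addedAt: ev.t, removedAt: null };
      live.set(ev.id, node);
      if (WATCHED.has(node.tag)) watched.push(node);
    } else if (ev.op === "remove" && live.has(ev.id)) {
      live.get(ev.id).removedAt = ev.t;
      live.delete(ev.id);
    }
  }
  return {
    finalTags: [...live.values()].map((n) => n.tag),
    // Present in the finished DOM: a snapshot-based scan would see these.
    persistent: watched.filter((n) => n.removedAt === null),
    // Inserted and later removed: visible only in the mutation history.
    transient: watched.filter((n) => n.removedAt !== null),
  };
}

const report = analyzeMutations(SAMPLE_LOG);
console.log("final DOM tags:", report.finalTags.join(", "));
for (const n of report.transient) {
  console.log(`transient <${n.tag}> ${JSON.stringify(n.attrs)} t=${n.addedAt}..${n.removedAt}`);
}
```

A scanner that inspects only `finalTags` would miss the applet that referenced `A.class`; the `transient` list is what surfaces it.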
Black hat SEO, or SEO poisoning, is a key part of many Web-based attack campaigns and is often used as a way to direct large numbers of victims to compromised sites. In some cases it’s part of click-fraud schemes in which criminals try to force users to click on specious ads as a way to generate revenue. In other cases it’s used as a way to drive victims to malware attack sites or phishing sites. Either way, it’s usually quite difficult for users to distinguish malicious links from legitimate ones, especially as attackers change sites often.