Security researchers have discovered a long-running, multi-vector black hat search engine optimisation (SEO) campaign that shows that cyber criminals are organised and professional.
The campaign – started before November 2015 and discovered in March 2016 – uses automated botnet-based attacks to compromise legitimate websites to boost the rankings of cyber criminals’ customer websites.
Black hat SEO methods typically exploit weaknesses in web infrastructure to promote the visibility and popularity of clients' websites by tricking search engine rankings.
“This campaign shows cyber crime is a serious and organised professional business that makes use of botnets, link farms and distributed, co-ordinated activities to provide SEO services to paying customers,” said Amichai Shulman, chief technology officer at Imperva.
“If organisations want to fight cyber crime, they need to get serious and they need to get professional about it – because their adversaries are professional and very serious about their industry,” he told Computer Weekly.
Researchers at the Imperva Defense Center discovered the cyber criminal SEO campaign after noticing Imperva’s systems were detecting and blocking attempts to compromise customer sites.
They found that thousands of websites had been targeted by botnet-driven SQL injection, HTML injection, cross-site scripting (XSS) and comment spam attacks to promote mainly illegal web commerce sites.
Hackers exploit botnets for SEO
While studying the black hat SEO campaign for a month, Imperva researchers saw more than 700 internet protocol (IP) addresses used by botnets to launch automated SQL injection and HTML link injection attacks, with over 800,000 malicious HTTP requests recorded.
The research showed that hackers are exploiting thousands of websites to illegally optimise and promote porn sites and online pharmacies, and that the automated tools were not being used sporadically by an individual, but by a well-run outfit with plenty of infrastructure in place.
In SEO, one of the significant parameters of the ranking algorithm is how many sites contain links to the website, and how highly those sites are ranked.
By targeting legitimate websites and injecting links into web pages invisible to visitors – but visible to search engines indexing the pages – the cyber criminals boost the search engine rankings of their customers’ sites.
The researchers found that, while some of the links referenced the promoted sites directly, others referenced “link farms”. A link farm is a set of web pages – such as blog posts – created with the sole aim of linking to a target page in an attempt to improve the search engine ranking of that page.
Over a relatively short period the promoted sites gain high ranking on the target keywords, causing them to appear among the top results when searched online.
Black hat SEO tarnishes sites
Although the SQL injection attacks are not aimed at harming the sites directly, they typically affect targeted sites in three ways, said Shulman.
“Once it becomes obvious that a site is part of an illegitimate SEO campaign, its brand reputation is damaged and its own search engine ranking is lowered,” he said.
“Second, the SQL injection attacks sometimes damage the targeted web application, affecting it either visually or functionally, which not only affects the website’s performance and potentially displays links to porn sites and the like, but also opens the site up to more serious threats.
“And third, once the website has been compromised for use in the SEO campaign, the attackers can also use that compromise to steal information for other criminal uses.”
However, Shulman said mitigating the effects of these black-hat SEO tactics is simple, if organisations take the threat seriously.
“Organisations that have web application firewalls (WAFs) in place that can protect against the top ten Open Web Application Security Project (Owasp) threats will not be affected,” he said, adding that using WAFs with integrated IP reputation-based blocking is the best way to stay protected against illegal web commerce.
The research report concluded that botnet-based coordinated SEO campaigns serve as another reminder that web application security cannot be ignored and needs sophisticated tools for an effective defense against sophisticated attacks.