Evolution of SEO Poisoning

In previous blogs we have discussed how malware can exploit a search engine’s indexing features in order to spread malicious content. Recently we have observed a massive compromise of websites under the .ch and .nl top-level domains, aimed at performing a massive search engine optimization (SEO) attack to spread fake antivirus applications.
To keep track of pages on the Internet, search engines use automated web scanners, called crawlers or spiders. Their purpose is to find every possible Web page on the net, read its content, and then index it for future user searches. Attackers often try to exploit this feature in order to trick a search engine into associating a malicious Web page with very common search terms. This attack will cause the malicious Web page to appear among the search results in the search engine’s results page, massively increasing the chances of users visiting it.
You can watch the following video for a demonstration of the attack and further details:

The script seen in the video uses some clever tactics to recognize a crawler’s activity versus that of a user, and to respond only to such kind of requests. Any other request is ignored and the script will generate a “page not found” error, in order (continue reading...)