How the bad guys use Search Engine Optimization

Jimmy Kuo, Principal AntiVirus Researcher, writes on the Microsoft Malware Protection Center blog:

Often you read about how, during major news events, the bad guys have commandeered the search engines, so that if you go looking for more information about the news event you end up at a page that serves you malware, nowadays usually some kind of fake antivirus program.  But how did the bad guys fool the search engines into ranking their sites high enough that people click on them?  Let me explain, using a spamming shoe seller as an example of the technique.

First, I have a Twitter account through which I tweet security related news.  In order to find such news items, I have alerts set up to inform me of such news, which I cull for something interesting.  One such alert was this:

[Screenshot: search results]

The story looks real.  It’s a blog and it’s about how employees of merchants read the details off a credit card to make a duplicate card and make use of it.  The only thing strange would be the reference to a name brand sneaker.

But when you go to read the article, it appears like this:

[Screenshot: the article as rendered, with the injected links magnified]

The origin of the article is unknown, as Internet searches for it are crowded out by other copies of the same article being used for SEO poisoning in favor of other sites.

What you notice though (magnified above) is that sprinkled into this version of the article are numerous links to a site selling shoes.  (You can see part of the URL in the bottom left of the screen capture.)

So, how does SEO work?

Online marketers have a financial motivation to get their wares before your eyes.  One of the best ways today is to get their site high up on the list of sites you would encounter if you were to search for an item that they sell.  So, they learn what it takes to score high in the search engine's ranking formula.  The less ethical ones will even, as you see here, try to get high up on the list of search results by hijacking popular topics that have nothing to do with whatever they're selling.

What we’ve seen in this example:

  • Start with a topic that has high interest: credit card fraud.  Their article will get picked up and read, raising the value of such pages.  (And unfortunately, my clicking and reading their page raises their value.)
  • On that page, place links to the website that sells their shoes.  Since this page is so interesting, and it points a number of times to their sales page, that sales page must also be very interesting, or so the search engines conclude.
  • People who search for Nikes are also likely to search for Pumas, so with both brands in context, this page gets even more interesting.

The result of all this is that the page selling their shoes gets a good score.
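The three signals above (a bait topic, repeated links to one unrelated site, and off-topic brand words sprinkled through the text) can be checked mechanically. The script below is an added example and not code from the MMPC post: it parses a page with Python's standard-library HTML parser, counts outbound links per host, and flags the page when it rides a high-interest topic while hammering a single external shop with product-brand anchor text. The two sample pages, the host name `news.example`, the shop host `shoe-outlet.example`, and the bait and off-topic word lists are all constructed for the demo; the thresholds are assumptions, not a published detection rule.

```python
"""Heuristic detector for SEO-poisoned 'article' pages (added example).

Signals scored, mirroring the post's description:
  1. bait terms from a hot topic appear in the visible text;
  2. many outbound links go to one external host (the sales page);
  3. the anchor text of those links carries off-topic product/brand words.
All sample data and thresholds below are constructed for illustration.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkTextParser(HTMLParser):
    """Collect visible text and (href, anchor text) pairs from a page."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, anchor_text)
        self.text_chunks = []    # visible text, in document order
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._href is not None:
            self._anchor.append(data)


def analyze_page(html, page_host, bait_terms, offtopic_terms):
    """Return raw counts plus a 'suspicious' verdict for one HTML page.

    page_host      host serving the page; links back to it are ignored
    bait_terms     phrases a user searching the hot topic would type
    offtopic_terms commercial brand/product words unrelated to that topic
    """
    parser = _LinkTextParser()
    parser.feed(html)
    parser.close()

    text = " ".join(parser.text_chunks).lower()
    words = re.findall(r"[a-z0-9]+", text)
    bait_hits = sum(text.count(t) for t in bait_terms)
    offtopic_hits = sum(text.count(t) for t in offtopic_terms)

    # Group outbound links by host: a poisoned page points at one shop repeatedly.
    by_host = Counter()
    offtopic_anchor_links = 0
    for href, anchor in parser.links:
        host = urlparse(href).hostname
        if not host or host == page_host:      # relative or same-site link
            continue
        by_host[host] += 1
        if any(t in anchor.lower() for t in offtopic_terms):
            offtopic_anchor_links += 1

    top_host, top_count = by_host.most_common(1)[0] if by_host else (None, 0)

    suspicious = (
        bait_hits > 0                    # rides a high-interest topic
        and top_count >= 3               # hammers one external site (assumed threshold)
        and offtopic_anchor_links >= 2   # with product-brand anchor text (assumed threshold)
    )
    return {
        "bait_hits": bait_hits,
        "offtopic_hits": offtopic_hits,
        "offtopic_density": round(offtopic_hits / max(len(words), 1), 3),
        "top_external_host": top_host,
        "top_external_links": top_count,
        "offtopic_anchor_links": offtopic_anchor_links,
        "suspicious": suspicious,
    }


# Constructed sample: a credit-card-fraud "article" stuffed with shoe-shop links.
POISONED_HTML = """
<html><body>
<h1>How store employees clone your credit card</h1>
<p>Credit card fraud often starts at the register. A dishonest clerk copies the
card number and expiry and makes a duplicate card.
<a href="http://shoe-outlet.example/puma">puma shoes</a>
Banks see the charges only after the fraud has happened.
<a href="http://shoe-outlet.example/nike">nike sneakers</a></p>
<p>Report credit card fraud to your issuer quickly.
<a href="http://shoe-outlet.example/sale">cheap puma shoes</a>
<a href="http://shoe-outlet.example/">nike shoes on sale</a></p>
</body></html>
"""

# Constructed sample: the same story with a single legitimate outbound reference.
CLEAN_HTML = """
<html><body>
<h1>How store employees clone your credit card</h1>
<p>Credit card fraud often starts at the register. A dishonest clerk copies the
card number and expiry and makes a duplicate card. Banks see the charges only
after the fraud has happened.</p>
<p>Report credit card fraud to your issuer quickly; see
<a href="https://bank.example/fraud-help">your bank's fraud page</a>.</p>
</body></html>
"""

BAIT_TERMS = ["credit card", "fraud", "duplicate card"]
OFFTOPIC_TERMS = ["nike", "puma", "sneaker", "shoes"]

if __name__ == "__main__":
    for name, page in (("poisoned", POISONED_HTML), ("clean", CLEAN_HTML)):
        print(name, analyze_page(page, "news.example", BAIT_TERMS, OFFTOPIC_TERMS))
```

The off-topic word list is the only part that needs tuning per campaign: for the current-events variant of the same trick, swap the brand names for the trending search phrases the page is trying to capture and the rest of the check is unchanged.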

What happens now when you search for “puma shoes”?

[Screenshot: search results for "puma shoes"]

The first results shown by many popular search engines are the set of sponsored sites, companies that have paid the search engine to be listed first.  Then comes the official website for Puma.  And top amongst the rest?  There it is!  The site involved in the SEO I've just described.  (The result above was captured early morning, July 8, 2010.)  On another search engine, first and second were the same (as expected) and this site was second among the rest.

I tried the same search using Bing and found the poisoned result relegated all the way to page 6. While I did not work with the Bing team in this particular situation, we do cooperate with them and inform them of any cases where we discover malware being hosted so they don’t offer those sites to their customers, just as we cooperate with the SmartScreen folks to help Internet Explorer block malware sites.

The SEO example I've just shown you is not one that leads to malware, but the technique is the same.  To capture the highest rankings for current-event topics, the words sprinkled into the page would be the phrases people are likely to type when searching for the latest news, which can also be found in the search engines' published trends.  Effectively, SEO poisoning of current-events terminology is accomplished the same way.

One final note on the above site.  The owner uses a fake US address and has a phone number registered for the site.  The phone number is in Mexico.

-- Jimmy Kuo