A SearchMidmarketSecurity.com reader asks our resident security expert Tom Chmielarski, "If SEO poisoning corrupts legitimate websites and creates malicious ones, how can attacks be stopped?"
Excellent question! For starters, let's define SEO.
Search engine optimization, or SEO, is the technique of designing a website to improve its ranking in search engines. This is a normal operational concern for websites and not inherently malicious; if a website operator wants to attract more visitors, he or she will want the search engines to steer people to the site. Microsoft's search engine Bing, for example, has guides on how to improve the indexing of a site. Google offers similar instructions, which include tips on using title tags and creating unique, accurate page titles. Said another way, search engine optimization (SEO) is the art of making the search engine recommend your site as relevant to a user's search.
Now then, let's consider this from the view of a malicious person (or group) who wants others to visit a Web server that will attempt to compromise the browsers of visitors. Just like a commercial or ad-driven website, the malicious site's operator needs to get the search engine to deliver some users.
This is where search engine optimization comes into play: the malicious website is built with wording that will raise its search engine ranking. Unlike a "normal" website, which wants to attract people with a specific interest -- an online sports site, for example, needs readers interested in sports -- a malicious website operator wants anyone at all and can change the site's focus to increase its visitors.
We've all heard of a news story "going viral," or an interesting, odd, funny or disgusting video clip gaining popularity quickly. People will hear about it and search for it. This is an ideal situation for a malicious website's operator who can then quickly build a website that is optimized for the types of searches people are likely to do to find that viral item. People visit the site and, if they have a vulnerable browser or plug-in, their computer is compromised.
That website can be loaded with attacks: drive-by exploits, malicious ActiveX controls or malicious PDF files, to name a few. These malicious sites might appear legitimate at a glance or consist entirely of copied content from a well-recognized site. The control software for these malicious sites may even monitor various websites to collect news and search trends to determine what sort of pages need to be created to increase visitors.
Let's consider the ultimate goal of these sites: making money. The malware installed will typically add the infected system to a botnet for long-term command and control of that asset. That computer can then be used to send spam, transmit attacks, and capture sensitive information and user credentials for financial institutions and online merchants. The use of the infected computer becomes a commodity for sale, and information stolen from the visitor(s) can be used for identity theft and financial crimes.
User education, as with most security issues, can help reduce the risk from these attacks. If an employee wants to see a video or a news clip, he or she can be advised to stick to mainstream news or media sites such as CNN, MSNBC, Yahoo, Wall Street Journal or YouTube. Using domain names to distinguish a suspicious website (urgent-news-alerts-funny-cats.info) from a common one (cnn.com) can be tricky, so your primary defense is ensuring your systems are as secure as possible. This comes down to the same best practices I've discussed in previous articles: ensure users have a fully updated Web browser, have a current antivirus suite installed, and do not have administrative rights.
While on the topic of malicious websites, it is worth mentioning that attackers will often compromise non-malicious websites so they can install malware aimed at site visitors. A non-malicious website then becomes the unknown vector for the malware. That happened to the website operated by the Miami Dolphins just before the 2007 Super Bowl. Alternatively, the attacker may compromise a partner of a website, such as an organization providing advertising or other content feeds.
To defend against these types of online threats, you can also use third-party browser add-ons such as phishing filters or McAfee Inc.'s SiteAdvisor (not a product recommendation). SiteAdvisor's servers, for example, check websites for indications of malicious activity, and the browser plug-in notifies the user if he or she visits a known malicious website.
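As an added illustration of the monitoring side of this defense (example code written for this article, not from the column or from any vendor product): a script that scans web proxy log lines for visits that arrived from a search results page at a host that is neither on a mainstream allowlist nor plain-looking, the pattern an SEO-poisoned page produces. The log format, the search-engine and allowlist sets, and the hyphen/TLD heuristics are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed assumptions for this example: referrers that count as search
# engines, and a short allowlist of the mainstream sites the column mentions.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
ALLOWLIST = {"cnn.com", "msnbc.com", "yahoo.com", "wsj.com", "youtube.com"}
# Hypothetical proxy log format: timestamp client "METHOD url" status "referrer"
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')

def registrable_domain(host: str) -> str:
    """Crude last-two-label approximation (fine for .com/.info, not co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicion_score(host: str) -> int:
    """Keyword-stuffed look of a host, as in urgent-news-alerts-funny-cats.info."""
    score = 0
    if host.count("-") >= 2:          # many hyphens: stuffed search terms
        score += 1
    if host.rsplit(".", 1)[-1].lower() in {"info", "biz", "cc"}:  # assumed cheap TLDs
        score += 1
    return score

def flag_seo_referrals(lines):
    """Return (client, destination host, search engine) for search-referred visits
    to hosts that are neither allowlisted nor innocuous; leads, not verdicts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, client, _method, url, _status, referrer = m.groups()
        ref_host = urlparse(referrer).hostname or ""
        dst_host = urlparse(url).hostname or ""
        if ref_host not in SEARCH_ENGINES:
            continue
        if registrable_domain(dst_host) in ALLOWLIST:
            continue
        if suspicion_score(dst_host) >= 1:
            hits.append((client, dst_host, ref_host))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2010-03-01T10:00:01Z 10.0.0.5 "GET http://www.cnn.com/video/funny-cats.html" 200 "http://www.google.com/search?q=funny+cats+video"',
    '2010-03-01T10:00:07Z 10.0.0.7 "GET http://urgent-news-alerts-funny-cats.info/watch.php" 200 "http://www.google.com/search?q=funny+cats+video"',
    '2010-03-01T10:00:09Z 10.0.0.9 "GET http://example-news.org/page.html" 200 "-"',
    '2010-03-01T10:00:12Z 10.0.0.5 "GET http://some-site.com/index.html" 200 "http://www.bing.com/search?q=funny+cats"',
]
```

Run over SAMPLE_LOG, only the visit to urgent-news-alerts-funny-cats.info is flagged; the CNN visit is allowlisted, the example-news.org visit was not search-referred, and some-site.com scores zero.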
For more information:
In this Internet Storm Center diary, Bojan Zdrnja details how SEO attacks are currently used by attackers.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.