Infected BlackHat SEO pages return
The start of 2011 was a good time for blackhat SEO: poisoned search results were actively pushing all kinds of scareware at users, and May 2011 was the best month yet for Mal/SEORed, which topped the threat charts. Since then the search engines have done a better job of keeping blackhat SEO pages out of the top results. A few weeks ago, however, Sophos researchers noticed Mal/SEORed stepping up again. Here is what they found when they went looking for why blackhat SEO is becoming a problem once more.
First they reviewed a few of the infected SEO pages that had recently been blocked. These redirected visitors to scareware sites. A favourite trick is to get the victim to install a fake security product such as “Windows Secure Kit 2011”, which pops up bogus alerts about adware that is not on the machine at all. This particular one uses the Security Shield GUI. Once you run its “scan”, the program blocks your applications and your web browser and throws a stream of fake errors about “infected” programs on the computer. The infections it reports are fiction, but the damage it does is real.
And this is not some leftover scareware from the start of 2011: the samples use the same recent obfuscation techniques the researchers have seen elsewhere. The conclusion is that the SEO pages are actively feeding users into scareware infections. There are ways to defend against these attacks, though. Sophos’s web protection blocks the infected SEO pages, and its endpoint protection detects and blocks the scareware itself; it is this layered protection that holds up against blackhat SEO attacks.
Sophos researchers also wanted to understand how the web sites themselves get infected. A little digging showed that exploits against the WordPress CMS are used to plant the SEO kits, and one of the SEO kits examined was even being hosted on a site that sells WordPress plugin software. The kits work by redirecting requests to a central PHP script that tells search engine crawlers apart from people who arrived from a search engine. Crawlers are served keyword-rich content so the page ranks well; real users are redirected to the scareware sites. This is classic cloaking: the content that earns the ranking and the redirect are never shown to the same client, which is why a poisoned page is hard to spot from either side.
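One place that cloaking leaves a trace is the site’s own access log: the crawler gets a 200 for a page while the human who clicked the search result gets a 3xx. The following is an added example (not Sophos’s code and not any SEO kit’s code) of a detector for that pattern. It assumes the Apache/nginx “combined” log format; the log lines, the crawler user-agent list and the search-engine host list are constructed for illustration.

```python
"""Spot SEO-kit cloaking in a web server access log.

Added example; not Sophos's code and not any SEO kit's code. It assumes the
Apache/nginx "combined" log format (client, timestamp, request, status, size,
referer, user agent). The log lines, crawler list and search-engine host list
below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# One "combined" log line per request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Crawler user agents a kit would serve keyword-stuffed content to (assumed list).
CRAWLER_RE = re.compile(r'Googlebot|bingbot|msnbot|Slurp|Baiduspider|YandexBot', re.I)
# Referer hosts that mark a human arriving from a search engine (assumed list).
SEARCH_HOST_RE = re.compile(r'(^|\.)(google|bing|yahoo|yandex|baidu)\.')


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Bucket a request the way a cloaking script does: crawler, search_visitor or direct."""
    if CRAWLER_RE.search(entry['ua']):
        return 'crawler'
    host = urlparse(entry['referer']).hostname or ''
    if SEARCH_HOST_RE.search(host):
        return 'search_visitor'
    return 'direct'


def find_cloaked_paths(log_text):
    """Return paths where crawlers got a 200 but search-referred humans got a redirect.

    That response pattern is what a redirect-based SEO kit produces: the bot sees
    content, the person who clicked the result is bounced somewhere else.
    """
    statuses = defaultdict(lambda: defaultdict(set))  # path -> class -> {status codes}
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        statuses[entry['path']][classify(entry)].add(entry['status'])

    flagged = []
    for path, by_class in sorted(statuses.items()):
        crawler_ok = 200 in by_class.get('crawler', ())
        visitor_bounced = any(300 <= s < 400 for s in by_class.get('search_visitor', ()))
        if crawler_ok and visitor_bounced:
            flagged.append(path)
    return flagged


# Constructed sample log: one poisoned post, one untouched page.
SAMPLE_LOG = """\
66.249.66.1 - - [12/Oct/2011:10:01:02 +0000] "GET /2011/best-antivirus-review/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [12/Oct/2011:10:05:44 +0000] "GET /2011/best-antivirus-review/ HTTP/1.1" 302 0 "http://www.google.com/search?q=best+antivirus+review" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
198.51.100.7 - - [12/Oct/2011:10:07:10 +0000] "GET /2011/best-antivirus-review/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
66.249.66.1 - - [12/Oct/2011:10:09:00 +0000] "GET /about/ HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [12/Oct/2011:10:12:31 +0000] "GET /about/ HTTP/1.1" 200 3100 "http://www.google.com/search?q=example+blog" "Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
"""

if __name__ == '__main__':
    for path in find_cloaked_paths(SAMPLE_LOG):
        print('possible cloaking:', path)
```

Two caveats when running this against a real log. A 3xx in the default combined format does not say where the visitor was sent; add `%{Location}o` to the `LogFormat` if you want to confirm the target is an external domain. And a kit that keys on the Referer rather than the User-Agent will show a clean page to a plain `curl` fetch, so when spot-checking by hand send a search-engine Referer as well as a browser User-Agent.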
That is not all, though. SEO kits are bad news for site admins on their own, but they are not the only thing being dropped. Some of the inspected sites also had remote access shells uploaded to them. A web shell gives the attacker a direct way in and lets them do almost anything the site administrator could, including accessing the MySQL database.
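If you administer a WordPress site, the practical follow-up is to look for such shells and for the kit’s own obfuscated dropper in the PHP under the document root. Below is an added triage script (not Sophos’s code and not any real shell’s code) that greps PHP source for a small, assumed set of constructs common in backdoors and rare in legitimate plugins. The two sample files are constructed for illustration.

```python
"""Triage PHP files for web-shell and SEO-kit dropper indicators.

Added example; not Sophos's code and not any real shell's code. The indicator
list is an assumed, deliberately small set of constructs that are common in
PHP backdoors and rare in legitimate plugins; the two sample sources are
constructed for illustration.
"""
import os
import re

REQ = r'\$_(?:GET|POST|REQUEST|COOKIE)\b'

# (name, pattern) pairs; each hit is something a reviewer should eyeball by hand.
INDICATORS = [
    ('eval-of-decoded-blob',
     re.compile(r'\beval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(', re.I)),
    ('eval-of-request-input',
     re.compile(r'\b(?:eval|assert)\s*\(\s*' + REQ, re.I)),
    ('command-exec-of-request-input',
     re.compile(r'\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*' + REQ, re.I)),
    ('preg_replace-e-modifier',   # /e evaluates the replacement as PHP code
     re.compile(r'''preg_replace\s*\(\s*(['"])/[^'"]*?/[a-z]*e[a-z]*\1''', re.I)),
    ('variable-function-from-request',   # $f = $_POST['f']; $f(...);
     re.compile(r'\$(\w+)\s*=\s*' + REQ + r'[^;]*;\s*\$\1\s*\(', re.I)),
    ('long-base64-literal',   # packed payload; also matches embedded images, so review
     re.compile(r'''['"][A-Za-z0-9+/]{200,}={0,2}['"]''')),
]


def scan_source(src):
    """Return [(indicator, line_number, snippet)] for every hit in a PHP source string."""
    findings = []
    for name, pattern in INDICATORS:
        for m in pattern.finditer(src):
            line_no = src.count('\n', 0, m.start()) + 1
            snippet = m.group(0)[:60]
            findings.append((name, line_no, snippet))
    return sorted(findings)  # by line number, then indicator name? no: by name first; resort below


def scan_source_ordered(src):
    """Same hits as scan_source, ordered by line number so they read top to bottom."""
    return sorted(scan_source(src), key=lambda f: (f[1], f[0]))


def scan_tree(root):
    """Walk a document root and return {path: findings} for every PHP file with hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(('.php', '.phtml', '.php5')):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    findings = scan_source_ordered(fh.read())
                if findings:
                    hits[path] = findings
    return hits


# Constructed sample: a harmless plugin stub and a typical dropper/shell stub.
CLEAN_PLUGIN = "\n".join([
    "<?php",
    "/* Plugin Name: Example Widget */",
    "add_action('init', 'example_widget_init');",
    "function example_widget_init() {",
    "    register_post_type('example', array('public' => true));",
    "}",
])
SHELL_STUB = "\n".join([
    "<?php",
    "eval(gzinflate(base64_decode('" + "QUFB" * 60 + "')));",
    "if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }",
    "preg_replace('/.*/e', $_POST['p'], '');",
    "$f = $_POST['f']; $f($_POST['a']);",
])

if __name__ == '__main__':
    for label, src in (('clean plugin', CLEAN_PLUGIN), ('shell stub', SHELL_STUB)):
        print(label, '->', [(n, ln) for n, ln, _ in scan_source_ordered(src)] or 'no hits')
```

Treat hits as leads, not verdicts: long base64 strings also appear in legitimate code, and a shell can be written without any of these constructs. Pair the scan with a diff of plugin and theme files against pristine copies from their official source, and rotate the database credentials in wp-config.php once a shell is confirmed, since the shell could read them.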
In conclusion, the increased Mal/SEORed activity shows that attackers are having renewed success at pushing their pages up the search rankings. Sophos will continue to investigate these attacks closely, and we will see whether this activity turns into further threats.
Filed under: Malware
Tags: malware, security shield