Bot Herders Use SEO for Massive Search Spam

Less-than-scrupulous SEOs have engaged in black hat practices for years, but to date we’ve seen nothing to match the massive scale of what hit Google and the other search engines in the last week of November. Security experts insist that this is just the beginning. Keep reading for the details of what happened.

It’s been referred to as "Google poisoning" or "SEO poisoning," and it’s no wonder. A potential victim, who might not have all of the patches their system really needs, performs an innocent search on Google – on the phrase "Christmas gifts" in hope of ideas, perhaps, or even "hospice" to get information for a critically ill friend or loved one. Clicking on a link leads to a site which prompts them to install the latest ActiveX control, or possibly to get a free scan for spyware. And that’s where the trouble begins.

If the user clicks on the link for the download, the web site begins loading up their vulnerable machine with malware: Trojans, viruses, rootkits, intrusive adware, you name it. At least one of these sites hosted as many as 25 separate pieces of malware ready to be downloaded. And that was just one site; there were many malicious sites participating.

This kind of thing has happened many times before. What made it particularly disconcerting this time, however, was that the malware sites had managed to reach the first page of the search engine results pages (SERPs) for multiple keywords, most of them totally innocent. Online security firm Sunbelt Software, which has been tracking the problem, supplied a PDF in one of their blog posts with a list. The number of terms per page is staggering – and the list is 12 pages long.

Even I was attacked by this lovely nastiness recently. I could tell what it was because I’d just finished writing this article, and recognized the names of the things that were trying to load themselves onto my system. Fortunately, my up-to-date anti-virus software blocked the malware. I triggered the attempted intrusion by searching for cucumber salad recipes in Google and clicking on a few of the top links!

Google managed to beat back the attack; Sunbelt reported the issue on a Monday, and most of the malicious sites were removed from Google’s index by late Wednesday (November 28). But Google will almost certainly find itself fighting off another massive attack on its SERPs, and sooner rather than later. To understand why, we need to take a closer look at how this happened.

Anatomy of an Automated Ambush

One of the first things that any SEO learns about optimizing a web site is the tremendous value that Google places on incoming links. Every link to a site from outside is treated like a "vote" for that site, saying that its content is relevant to the content of the linking site. That’s an oversimplification, of course; Google looks at more than 50 factors in the algorithm it uses to decide a web site’s position in the SERPs. But incoming links still wield quite a bit of influence, and that’s the "Achilles heel" at which this attack was aimed.

Sunbelt said that its research team had been monitoring a particular bot network for several months. These compromised computers single-mindedly pursued the task of posting spam links and relevant keywords to online forums and in comments to blogs. The massive amount of posts gave the malicious web sites a huge number of incoming links with the targeted keywords as anchor text. As a result, the malware-containing web sites achieved positions that were close to the top of the SERPs for their chosen search terms.
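A forum or blog operator can spot this pattern in their own comment queue. The following is an added example, not code from Sunbelt or from the original article: it groups submitted comments by the external host they link to and flags hosts that are linked from many distinct source addresses, which is what a botnet posting keyword anchor text looks like from the receiving side. The function names, the threshold and the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (host, anchor text) pairs for external <a href> links in one comment."""
    def __init__(self):
        super().__init__()
        self.links, self._host, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            try:
                self._host = urlsplit(dict(attrs).get("href") or "").hostname
            except ValueError:  # malformed href, e.g. a broken IPv6 literal
                self._host = None
            self._text = []

    def handle_data(self, data):
        if self._host:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._host:
            text = " ".join("".join(self._text).split()).lower()
            self.links.append((self._host, text))
            self._host = None

def find_link_campaigns(comments, min_sources=3):
    """Return hosts linked from at least min_sources distinct source IPs (hypothetical threshold)."""
    sources, anchors = defaultdict(set), defaultdict(set)
    for ip, body in comments:
        parser = AnchorCollector()
        parser.feed(body)
        for host, text in parser.links:
            sources[host].add(ip)
            anchors[host].add(text)
    return {host: {"sources": len(ips), "anchors": sorted(anchors[host])}
            for host, ips in sources.items() if len(ips) >= min_sources}

# Constructed sample submissions (source IP, comment HTML); IPs are documentation ranges.
SAMPLE_COMMENTS = [
    ("192.0.2.10", 'Nice post! <a href="http://gifts-example.invalid/x">christmas gifts</a>'),
    ("198.51.100.7", 'Great <a href="http://gifts-example.invalid/y">Christmas  Gifts</a> here'),
    ("203.0.113.5", '<a href="http://gifts-example.invalid/z">cucumber salad recipes</a>'),
    ("203.0.113.5", 'See <a href="http://docs.example.org/faq">the FAQ</a> for details'),
    ("203.0.113.9", 'I agree, see <a href="http://docs.example.org/faq">the FAQ</a>'),
]
print(find_link_campaigns(SAMPLE_COMMENTS))
```

A flagged host is a candidate for moderation review, not proof of abuse; popular legitimate sites will also be linked from many addresses, so an allowlist or a domain-age check belongs in front of any automatic action.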

The hackers and bot herders weren’t doing it just to be mean, however. Like those of us who do white hat SEO for our businesses, they’re in it for the money. Sunbelt reported that the malware-serving pages contained an iFrame link that tried to infect systems with a nasty piece of code the security company refers to as "Scam.Iwin." Once infected, a vulnerable computer with Scam.Iwin generates false clicks for a pay-per-click affiliate program without the computer owner’s knowledge or consent. You have to love it – malware, botnets, and click fraud, all rolled together. All we need to make it really complete is the Mafia.

While there is no word on the size of the botnet that planted the seeds for this attack, we do know that more than 40,000 sites hosted the malware in question. We also know that Scam.Iwin is used to load malware for other groups, such as the Russian Business Network (RBN), described by Computer World as "a notorious malware and hacker hosting organization." Additionally, according to Sunbelt, most of the domains were Chinese-registered, hosted in the United States, and only a day or two old.

Google would not specifically confirm or deny that it cleaned its results, but Sunbelt noticed by late Wednesday (November 29) that most of the nasty sites seemed to have disappeared from the search engine’s results. Nobody thinks this will be the last attack, however. In fact, Sunbelt reported that it is already seeing signs of another attack being prepared.

A Second Wave?

The first attack had some interesting elements to it. According to Sunbelt, it was clearly targeted at Google. And an examination of the JavaScript behind one of those malware sites revealed that it had some interesting aspects. I won’t go into detail about the code, but I will quote Sunbelt directly about what it found: "So, if you use search terms like ‘inurl’ and ‘site,’ you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff…" In short, the hackers behind these sites are making an effort to hide from their pursuers.

By Thursday, as I mentioned, Sunbelt saw some signs that "another attack may be on the way." The company saw a suspicious spate of new .cn domains similar to those already registered and used in the first attack. Actually, it could be worse this time, since Sunbelt thinks that there may be two different groups at work.

The first one looks like the same group that was involved in the original attack. When you exit a web page belonging to that particular malware-serving network, "you get pushed to install Spy-shredder, a rogue antispyware program," according to Sunbelt. What you get is a pop-up that downloads Spy-shredder onto your computer even if you click "cancel." The second group "simply shows users a site which is trying to generate traffic (for the purposes of getting affiliate commissions)," Sunbelt explained. While the security company said that it wasn’t seeing sites from this bunch serve exploits, it noted that this could change at any time. As a personal note, it was the Spy-shredder exploit that tried to catch me.

Google knows about these problems, and that things are getting worse. It ran a post on its security blog recently titled "Help us fill in the gaps!" in which it appealed to its users for assistance. "Currently, we know of hundreds of thousands of websites that attempt to infect people’s computers with malware. Unfortunately, we also know that there are more malware sites out there. This is where we need your help in filling in the gaps. If you come across a site that is hosting malware, we now have an easy way for you to let us know about it." The post links to a form for users to fill out when they find a site that is distributing malware.

Other Paths and Repercussions

This latest spate of SEO-type attacks isn’t the only way a hacker with a lot of computer power could take advantage of Google by manipulating its results. Early this year, GNU Citizen reported on a rather unusual form of Google poisoning. The poster’s site was down for a week in December 2006, and he checked Google during that time because he was afraid that the search engine would index the WordPress default error page (which is what his site was showing because he had no database connectivity at that time). Well, his blog was still holding the number one position – but the other web sites listed "were showing parts of the notorious WordPress default error page that is presented when there is no database connectivity."

From this, GNU Citizen composed, but did not test, the following possible scenario: an SEO expert sets up a network of splogs (spam blogs), each with lots of pay-per-click ads. When the Google bot arrives to crawl a splog, "a mod_rewrite directive matches the user agent and sends the notorious WordPress error page (other types of error pages are possible too)." The spider will then associate the splog with pages that contain that particular failure. "This means that, if your website happens to display the WordPress No Database Connectivity page" when it is crawled, "users who try to reach you through Google will get a poisoned result set."

This works because Google only cares about content, and automated computer searches still have problems with meaning. What I’ve just described, in short, is another way for keywords to be hijacked. It uses a technique that is different from the botnet, but the result is similar: a page gets a spot in the SERPs that it doesn’t deserve.
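Serving one page to a spider and another to a person, as in the user-agent match described above, can be checked from the outside by comparing what the same URL returns to each. The following is an added example, not code from GNU Citizen or the original article: it assumes the two bodies were already fetched with a browser and a crawler User-Agent header, and all names, thresholds and sample pages are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

TAG = re.compile(r"<[^>]+>")
HREF = re.compile(r'href=["\']?https?://([^/"\'\s>]+)', re.I)

def visible_words(html):
    """Crude text extraction: drop script/style blocks and tags, lowercase, split."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return TAG.sub(" ", html).lower().split()

def link_hosts(html):
    """Hosts of absolute http(s) links found in the markup."""
    return {h.lower() for h in HREF.findall(html)}

def cloaking_report(as_browser, as_crawler, min_similarity=0.8):
    """Compare one URL's body as served to a browser and to a crawler user agent."""
    ratio = SequenceMatcher(None, visible_words(as_browser),
                            visible_words(as_crawler)).ratio()
    crawler_only = sorted(link_hosts(as_crawler) - link_hosts(as_browser))
    return {
        "similarity": round(ratio, 2),
        "crawler_only_hosts": crawler_only,  # links a human visitor never sees
        "suspect": ratio < min_similarity or bool(crawler_only),
    }

# Constructed sample bodies for a single hypothetical URL.
BROWSER_VIEW = ('<html><body><h1>My blog</h1><p>Thoughts on climate policy this week.</p>'
                '<a href="http://example.org/about">About</a></body></html>')
# Same page with links injected only for spiders.
CRAWLER_VIEW_LINKS = BROWSER_VIEW.replace(
    "</body>", '<div><a href="http://pills-example.invalid/">cheap pills</a></div></body>')
# The spider is handed an error page instead of the content.
CRAWLER_VIEW_ERROR = "<html><body><h1>Error establishing a database connection</h1></body></html>"

if __name__ == "__main__":
    for name, body in [("links", CRAWLER_VIEW_LINKS), ("error", CRAWLER_VIEW_ERROR)]:
        print(name, cloaking_report(BROWSER_VIEW, body))
```

This only catches cloaking keyed on the User-Agent header; a site that keys on the crawler's source address will return the same body to both requests from a single vantage point.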

These tricks and others are becoming more common; even Al Gore isn’t immune to them, as he discovered recently when his blog was actually hacked to show search engine spiders tons of links to pharmaceutical sites. Sadly, they’re giving SEO a bad name. One observer blogging about the latest exploits noted that "There’s lots of talk within the tech community, especially the blogosphere about using SEO and how it’s GOOD for bloggers and doesn’t negatively affect readers/searchers/regular users. This is a lie. Instead of Search Engine Optimization, SEO should really stand for Search Engine Opportunism, because that’s what it really is."

As a searcher, you can defend against the attacks by making sure your computer has all of the latest and most up-to-date patches. As an SEO, you can defend against the attitude of others by making sure your main focus is on the content of the site, rather than trying to game the system inappropriately. 
