SEO Poisoning

Search Engine Optimization (SEO) attacks are another way in which cybercriminals use the web to infect users with malware. They are different from the classic drive-by attack. With SEO attacks—known as “SEO poisoning”—search engine results are poisoned in order to drive user traffic to the rogue site. Google has reported that up to 1.3% of their search results are infected. So, with SEO Poisoning, you’re directed to a bad page through a poisoned search.

Malicious JavaScript the poison of choice

When you are directed to a compromised webpage, some bad things start to happen. The page is compromised because hackers have injected code into a legitimate web page. The injected code could be an iframe HTML element or an inline script, and the trend is a move towards the latter. When the victim browses the compromised web page, the injected code causes their browser to silently load malicious content from another remote site. This is invisible to the victim.

Typically, the content loaded will consist of multiple components designed to exploit client-side vulnerabilities, for example a mixture of HTML, JavaScript, Flash, PDF and Java content. This bundle is typically produced by and managed with a kit, known as an exploit pack. These exploit packs are written and sold to criminals looking to infect users with malware.

The important thing to note is that there is no social engineering required. The user does not have to click on a link in an email, or browse potentially risky web pages. They just need to visit a legitimate website that’s been compromised.

Users visiting a hijacked site have no way of knowing the site has been compromised because the malicious code is invisible, and is executed as soon as the page loads in the user’s browser. The code typically uses further scripts to fetch more malicious components, which will then attempt to leverage known exploits in the browser or operating system to infect it, steal data, or subvert it into a botnet.

The scope of these attacks should not be underestimated, since all types of sites—from government websites to educational institutions to popular news portals, blogs and social networking sites—have been targeted.

As security vendors add detection for malicious web code, the attackers constantly evolve it in order to evade being caught. Hackers have turned to using JavaScript as the “glue” for these web attacks because it provides the ability to hide or obfuscate the code, concealing the payload.
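
As an added example (not part of the original article), a site owner can audit their own pages for the injected iframes and inline scripts described above, and for calls commonly used to hide a payload. The allowlist, host names and sample page are constructed assumptions, and the obfuscation pattern is only a triage heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.site.example", "cdn.site.example"}  # assumed allowlist
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")

class InjectionAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._inline = [], None  # _inline buffers inline script text
    @staticmethod
    def _off_site(url):
        host = urlparse(url).hostname  # None for relative (same-site) URLs
        return host is not None and host not in ALLOWED_HOSTS
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe" and self._off_site(src):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = tiny or bool(HIDDEN.search(a.get("style", "")))
            self.findings.append(("hidden-offsite-iframe" if hidden else "offsite-iframe", src))
        elif tag == "script" and src and self._off_site(src):
            self.findings.append(("offsite-script", src))
        elif tag == "script" and not src:
            self._inline = []
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            hits = sorted(set(OBFUSCATION.findall("".join(self._inline))))
            if hits:
                self.findings.append(("suspicious-inline-script", ",".join(hits)))
            self._inline = None

def audit(html):
    """Return a list of (kind, detail) findings for one page's HTML."""
    parser = InjectionAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from a real site.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="http://ads.invalid/in.php" width="1" height="1"></iframe>
<script>var s = unescape("%2F%2F"); eval(s);</script>
</body></html>"""
```

Running `audit()` over pages as they are actually served, and comparing the findings with a known-good baseline, surfaces injected content that a visitor would never see.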

If your website is compromised, then you’re perceived as being responsible for infecting anyone who visits it. This can damage your corporate reputation and result in negative publicity and a lack of confidence from customers, partners and investors. In the next blog we’ll delve into solutions to help keep you safe.