SEO Poisoning: When Safe Searches Turn Nasty
Recently, Tim Wilson wrote in Dark Reading that news has become more dangerous to search for than porn (22.4% of top search results are infected/compromised vs. 21.8% for porn), illustrating that the bad guys never rest and that threats that have been around for a while continue to evolve. When the bad guys corrupt or poison search engine results so that legitimate searches send the user to bad places, often with the intent of infecting or compromising the user's system or exposing the user to objectionable content, we call this SEO (Search Engine Optimization) Poisoning.
People have been manipulating search engines for personal advantage for about as long as there have been search engines. Early efforts were fairly transparent, with examples such as misleading meta tags and hidden, background-colored text. Search engines were able to engineer around many of these early efforts, and advances like using inbound link information in addition to the content of the page (PageRank) helped keep things (somewhat more) honest.
While early search engine “optimization” efforts were largely intended to capture legitimate traffic, in recent years things have turned darker, with SEO spam turning malicious, often trying to infect the user with fake video players or fake antivirus or ransomware.
If Google News can aggregate news feeds to machine-populate a topical news page, then blackhat SEO specialists can use similar techniques. New trending topics are used to generate pages and spawn the link farms used to get them ranked in search engines, all automatically. Examples of news-based SEO attack themes include Farrah Fawcett, the movie Avatar, Apple’s iPad, the Space Shuttle, Olympic tragedy and so on.
What can a user do? Here are a few things:
- Turn on the security features during the Secure Browser Setup
- Use antivirus software and keep it updated
- Keep your PC updated
- If the URL doesn’t match the subject, don’t click on it
- Don’t click on strange popups, especially those for unknown video players or antivirus
- At work, get IronPort Web Security or ScanSafe
- Check URL reputations for free with the SIO To Go iPhone App or the URL Reputation Lookup on the Cisco SIO Page