Don DeBolt and Kiran Bandla 29 September 2010



Similar documents
The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection

EVILSEED: A Guided Approach to Finding Malicious Web Pages

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

CS 558 Internet Systems and Technologies

Advancements in Botnet Attacks and Malware Distribution

Table of contents. HTML5 Data Bindings SEO DMXzone

TRAFFIC DIRECTION SYSTEMS AS MALWARE DISTRIBUTION TOOLS


Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware.

Website Marketing Audit. Example, inc. Website Marketing Audit. For. Example, INC. Provided by

Search Engine Optimization

RIA SECURITY TECHNOLOGY

Website Audit Reports

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

80+ Things Every Marketer Needs to Know About Their Website

UNMASKCONTENT: THE CASE STUDY

The Top Web Application Attacks: Are you vulnerable?

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Removing Web Spam Links from Search Engine Results

MetaXSSploit. Bringing XSS in Pentesting A journey in building a security tool. Claudio

Shellshock. Oz Elisyan & Maxim Zavodchik

Botnets Die Hard Owned and Operated

SEO Definition. SEM Definition

Spam and All Things Salty: Spambot v2013

Simple SEO Success. Google Analytics & Google Webmaster Tools

Understanding Web Application Security Issues

Chapter 6. Attracting Buyers with Search, Semantic, and Recommendation Technology

An Advanced SEO Website Audit Checklist

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

30 Website Audit Report. 6 Website Audit Report. 18 Website Audit Report. 12 Website Audit Report. Package Name 3

SEO Best Practices Checklist

Search Engine Optimization Techniques. For Small Businesses

Pwning Intranets with HTML5

Web School: Search Engine Optimization

One Minute in Cyber Security

Additional information >>> HERE <<< Best Way to Get Website Traffic Real User Experience

Attack Intelligence Research Center Monthly Threat Report MalWeb Evolution and Predictions

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

SEO: How to Use Everyday Techniques to Increase Website Traffic. Robin The University of Texas at Tyler

WEB ATTACKS AND COUNTERMEASURES

Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs AN IN-DEPTH ANALYSIS

Operation Liberpy : Keyloggers and information theft in Latin America

A COMPREHENSIVE REVIEW ON SEARCH ENGINE OPTIMIZATION

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering


The Third Rail: New Stakeholders Tackle Security Threats and Solutions

ZNetLive Malware Monitoring

A framework for Itinerary Personalization in Cultural Tourism of Smart Cities

SPAM, VIRUSES AND PHISHING, OH MY! Michael Starks, CISSP, CISA ISSA Fellow 10/08/2015

Bad Ads Spotlight: Ad Cloaking Abuses. May TrustInAds.org. Keeping people safe from bad online ads

Networks and Security Lab. Network Forensics

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Attacks from the Inside

Introduction: 1. Daily 360 Website Scanning for Malware

Security A to Z the most important terms

How Attackers are Targeting Your Mobile Devices. Wade Williamson

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Targeted attacks: Tools and techniques

INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Where every interaction matters.

Web Vulnerability Scanner by Using HTTP Method

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Five Tips to Reduce Risk From Modern Web Threats

CS4047 Multimedia Industry Perspectives Search Engine Optimisation (SEO) Introduction to SEO. Martina Skelly Activate Marketing.

Initial research provides the bedrock for all good decision making and drives your digital marketing across all disciplines.

Learn How to Defend Your Online Marketplace from Unwanted Traffic

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

Using big data analytics to identify malicious content: a case study on spam s

Pay-Per-Install The New Malware Distribution Network

Increasing Traffic to Your Website Through Search Engine Optimization (SEO) Techniques

Malicious Network Traffic Analysis

Worst Practices in. Search Engine Optimization. contributed articles

An analysis of exploitation behaviors on the web and the role of web hosting providers in detecting them

What Next Gen Firewalls Miss: 6 Requirements to Protect Web Applications

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

A Network Administrator s Guide to Web App Security

SEO is one of three types of three main web marketing tools: PPC, SEO and Affiliate/Socail.

User Documentation Web Traffic Security. University of Stavanger

CS5008: Internet Computing

Web Application Attacks And WAF Evasion

Transcription:

BlackHat SEO: Abusing Google Trends to Serve Malware Don DeBolt and Kiran Bandla 29 September 2010

Agenda BlackHat SEO Logic and Components Background Research Methodology Findings Conclusion

Logic flow of a BlackHat SEO Attack Infiltrate host/site Inject malicious code Query Google for key words Query Google for key word content Get G indexed dby Google Redirect visitor Tally user via multiple hops/redirectors Serve malware at landing site 2

Components of the Attack Victim Legitimate Website compromised Scripting Language C&C Website managing queries Search Engine Bad Actor NEED Images here 3

Demo Video 4

Background 5

Search Engine Optimization Creating Relevance Organically Structured content Unique Keywords Interesting Content Trust Backlinks (Inbound Links) Source: SEO Warrior 6

Google Market Share US UK Source: Hitwise.com

Google Trends

BlackHat SEO Techniques Keyword Stuffing Doorway Pages Duplicate Web Pages Link Farms Reciprocal Links Hidden Content Cloaking Source: http://www.seosearchengineoptimizationseattle.com/index.html 9

Types of BlackHat SEO Event-Driven Di Mass Keyword Need bullets here Need bullets here 10

Research Methodology 11

Research Methodology Google API One of the tools we needed was a Google search API for collecting the hourly trend keywords in an automated way. For this, we used the pygoogle[8] API. pygoogle is a python wrapper for Google search. It uses the Google AJAX API, because of which, h it is limited it to only 64 results. We also used pytrends[9] to get Google s Hot trends. pytrends is a python wrapper for fetcing Google trends. Python Python was the language of choice most of the automation. As a lot of our internal codebase already uses python, it was easy to integrate and build on top on that. We used python modules for Google search and Google Trends, to collect hourly stats. HoneyClient One of the most useful tools for analysis was the pure python Honeyclient that we developed. It emulates Internet Explorer 7, understands Javascript and many ActiveX exploits. We feed URLs to the honeyclient to quickly analyze the attack from source to the final landing site. This has been a very useful and handy tool. It supports a huge list of User-Agents, including search bots. Owned domain Data Using these tools, we started collecting poisoned domains, keywords and other details in an automated way, which are discussed in the following sections. The data is available for public consumption at seo-research.appspot.com appspot com and www.maltrax.com:8080. Analysis techniques To analyze the SEO poisoning, we took two different approaches. The First one is enumerating poisoned domains and URLs based on trending Google keywords. The Second is to infiltrate the Blackhat SEO cycle to collect information directly. The two approaches are discussed below. Trend Keyword acquisition The earliest searching engine poisoning that we observed was almost completely based on Google Trends. The attackers would enumerate trending Google search keywords and use them to build new pages that would eventually be indexed d by Google. Fetching new keywords is done once every 10 minutes. Using the same approach, we started enumerating trending Google search keywords every hour, using pytrends. We would then use pygoogle to search Google for these keywords, collecting the top 64 results. We also searched for the previous day s trending keywords and saved those results as well. This data was very useful in determining the time to poison (TTP). Blackhat SEO reconnaissance Over time, we started to notice that the attackers gradually started to use more keywords for poisoning URLs than those available from Google trends. To collect all such keywords, we took a different approach. We acted as a search engine. 12

Anatomy of an Attack 13

Injected PHP Logic Flow

Who are you and where did you come from? User Agent Check 1 User Agent Check 2 Source IP Check 15

Google Screen Scrape 16

Dynamic Content Generation 17

Generated Content

Google Trends BlackHat SEO URLs http://goodnewsbiblekids.com/nthei.php?ad php?ad=earthquake baja california 2010 nthei.php?ad earthquake baja california 2010 19

Choosing a landing site 20

Landing Site Payload 21

Obfuscation Techniques Base64 Encoding for compromised content AES Encryption for FakeAV scan pages 22

From the Users Vantage Point Keyword Search SERPs Returned SERP Selected Redirect Browser Minimizes i i Pop-up Warning Fake Scan Page Download 23

Findings 24

TTP Haiti Earthquake Google Trend volume peaks on January 15, 2010. First poisoned URL identified via Google Search was January 14, 2010 Event transpired on January 12, 2010. TTP = 48hrs 25

TTP Masters Golf Tournament Google Trend volume peaks on April 8, 2010. First poisoned URL identified via Google Search was April 7th at 23:00hrs ET. Event transpired on April 7, 2010. (Par 3 tournament initiated event) TTP = 11hrs 26

TTP Kendra Exposed Google Trend volume peaks on May 28, 2010. First poisoned URL identified via Google Search was May 26th at 15:00hrs ET. Event(news broke) transpired on May 3, 2010. Story resurfaced on May 26, 2010. TTP = 23 days (from original event) TTP = 15 hrs (from secondary event) 27

TTP Yeardley Love Google Trend volume peaks on May 4, 2010. First poisoned URL identified via Google Search was May 4th at 21:00hrs ET. Event(news broke) transpired on May 3, 2010. TTP = 31 hrs 28

TTP Adam Wheeler Google Trend volume peaks on May 19, 2010. First poisoned URL identified via Google Search was May 18th at 16:00 hrs ET. Event (news broke) transpired on May 17, 2010. TTP = 24 hrs 29

Google Trend SEO Stats Poisoned URLs Total April 157612 May 19904 Poisoned URLs Unique April 22669 May 2131 Poisoned Domains Unique April 2682 May 848 Poisoned Keywords Unique April 3174 May 1168 30

Image Poisoning 31

Attack Vectors 32

Contributing Factors Google Type-ahead ahead now Google Instant Possibly leading the jury Localization of Trends Bad Actors don t have to localize content

Conclusion Use of Google Trends Keywords can produce low TTP and high victim count No bias shown towards the use of Google Trends Keywords Mass-Keyword SEO equally capable and in greater use than Event-Driven SEO Significant drop off identified in the volume of poisoned Google Trend SERPs since April 34

Questions 35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information