Imperva Hacker Intelligence Initiative Report Reveals Illegal Attacks on Websites to Run Search Engine Optimization Campaigns
June 2016 by Imperva
Imperva, Inc., released its new Hacker Intelligence Initiative (HII) Report entitled: “Black Hat SEO: A Detailed Analysis of Illegal SEO Tactics.”The report details how researchers at the Imperva Defense Center (IDC) discovered a long-running and still active illegal attack that has been exploiting vulnerabilities in thousands of legitimate websites to increase the SEO results for illicit websites.
One of the largest influencers of SEO page rank is how many other sites contain links back to thepage, and how highly the referring sites themselves are ranked. There is significant monetary and brand value in having as many respectable and popular sites link to the promoted page as possible. In the campaign studied in the HII Report, the attackers compromise websites or take over computers in order to create unauthorized links that point back to their clients’ websites. IDC researchers found the attackers compromise the content management systems of vulnerable websites to create fake blogs with links pointing back to online pharmacies in order to increase the SEO rankings of the online pharmacies. The illegal SEO attack campaign identified by Imperva is persistent, lasts over many months and promotes dozens of websites – presumably those of the paying customers of the attacker – most of which are online pharmaceutical retailers or illicit websites.
The attackers use botnets to amplify the number of websites they compromise. Botnets are networks of remote-controlled computers and devices, or “bots,” that are infected with malware. Attackers can create their own botnets or even hire or rent botnets as a service. Cybercriminals remotely control the botnets for their own purposes, unbeknownst to the devices’ owners. The botnets launch SQL injection (SQLi), HTML link injection and comment spam attacks that exploit vulnerabilities in reputable websites and content management systems. The attackers use these vulnerabilities to create links from the compromised sites back to the promoted, illicit pages. This boosts the search engine rankings of the illicit pages. Over 700 hosts (IP addresses) were used by the botnet during the period studied in the HII Report to launch these SQLi and HTML link injection attacks.
“Automatic attack tools, known as malicious bots, are deployed every second to achieve widespread attacks on websites, and more sophisticated attackers use a distributed network of bots to launch attacks,” said Amichai Shulman, Co-founder and CTO of Imperva. “While it is common to see many variations on the same attack vector comprise these campaigns - such as comment spam used to improve rankings of promoted sites - it is unusual to identify a multi-faceted, long-term campaign run with coordination from the same botnet in the wild.”
“This kind of attack has the potential to impact a legitimate website’s customer experience and brand value, and it could even break the functionality on some website applications,” Shulman explained. “These SQLi attacks are typically referred to as “gateway” attacks and can test the water for more serious attacks to come. Websites can be thought of as the highway to business-critical data, so owners of those that have been targeted should be particularly worried as often SQLi attacks are used to steal data. This definitely serves as a reminder of how relentless cybercriminals are, and the need to bolster website security.“
The full report can be downloaded here.