The threat of search engine optimization poisoning

“Hooligans” (i.e., international soccer fans) now have more to worry about then getting into a brawl with another team’s fan at a game of “footie.” In the midst of the worldwide enthusiasm over the International Federation of Football Association (FIFA) 2010 World Cup games currently underway in South Africa, hackers have attempted to hijack traffic visiting popular Web sites featuring information about the global sports event.

Search Engine Optimization (SEO) attacks rank malicious Web sites based on a list of the top returned results following a gaming related keyword search (i.e.: “FIFA”) on popular search engines, such as Google or Internet Explorer. SEO attacks are a two-step process: first, attackers artificially gather a number of hot keywords, like “FIFA,” “World Cup,” “soccer,” or “South Africa,” on their links to artificially inflate rankings on search engines. As the World Cup is an event that draws an international audience, these keywords and phrases are typed frequently, and en masse, in search engines linked to computers, with Internet access, across the world.

Then, the soccer-head searching online chooses from among the results. But, if the user clicks on a link that is actually an SEO poisoned link, of which the user would be totally unaware, part two of the attack is launched. A malware code embedded in the clicked-on link sends the soccer fan to a fake Web site, hosted just about anywhere in the world. From that moment on, attackers have full access to the user’s computer. The user is likely to be unaware that he or she has been attacked and that his or her computer is at risk. Attackers can then steal data from the hardware, record passwords typed by the user or embark on other insidious activities.

Derek Manky, project manager for cyber-security and threat research at Fortinet, of Sunnyvale, CA, an Information Technology (IT) security provider, explained to GSN: Government Security News that, “keywords and links are the recipe for SEOs. Attackers use hot keywords such as FIFA or the World Cup at the moment, and once the user clicks on the link, a malicious code charges malware transparently. From the moment the user clicks on the link, the attackers can do whatever they wish.

“Even without clicking on anything, the user gets attacked,” Manky added.

The lesson one should learn from SEOs is that they can hit anywhere and at anytime. “Even if you pay attention, you can get caught.” Manky tells GSN. “SEOs can come on legitimate Web sites. The Web site of the Dolphin stadium, for instance, where the Super Bowl took place in 2007 was hit by a SEO attack.”

Government Web sites, because they contain often-used keywords and handle a high volume of traffic, could also be at risk. Manky recommends using both an intrusion prevention system, which inspects security holes in the network, and anti-virus software, which inspects files and viruses on the Web site to prevent SEO poisoning. SEO attacks are particularly dangerous because they are solicited links, unlike spam, and there is a greater chance that the user will click on a poisoned link. Because attacks are not aimed at anyone in particular, they can reach anyone, including government officials.

Manky provided some educational tips. “In a SEO case, when the link comes up, it will be a very long link with keywords that will not reflect the words the user is looking for, or that won’t even make sense.”