Thousands of websites exploited for illegal SEO tactics

Imperva researchers discovered a long-running and still active illegal attack that has been exploiting vulnerabilities in thousands of legitimate websites to increase SEO results for illicit websites.

One of the largest influencers of SEO page rank is how many other sites contain links back to the page, and how highly the referring sites themselves are ranked. There is significant monetary and brand value in having as many respectable and popular sites link to the promoted page as possible.

In the campaign observed by Imperva, the attackers compromise websites or take over computers in order to create unauthorized links that point back to their clients’ websites. IDC researchers found the attackers compromise the content management systems of vulnerable websites to create fake blogs with links pointing back to online pharmacies in order to increase the SEO rankings of the online pharmacies.

This SEO attack campaign is persistent, lasts over many months and promotes dozens of websites – presumably those of the paying customers of the attacker – most of which are online pharmaceutical retailers or adult websites.

Using botnets for amplification

The attackers use botnets to amplify the number of websites they compromise. Botnets are networks of remote-controlled computers and devices, or “bots,” that are infected with malware. Attackers can create their own botnets or even hire or rent botnets as a service.

Cybercriminals remotely control the botnets for their own purposes, unbeknownst to the devices’ owners. The botnets launch SQL injection (SQLi), HTML link injection and comment spam attacks that exploit vulnerabilities in reputable websites and content management systems. The attackers use these vulnerabilities to create links from the compromised sites back to the promoted, illicit pages. This boosts the search engine rankings of the illicit pages. Over 700 hosts (IP addresses) were used by the botnet during the period studied in the HII Report to launch these SQLi and HTML link injection attacks.

Botnet geographic distribution

“Automatic attack tools, known as malicious bots, are deployed every second to achieve widespread attacks on websites, and more sophisticated attackers use a distributed network of bots to launch attacks,” said Amichai Shulman, Co-founder and CTO of Imperva. “While it is common to see many variations on the same attack vector comprise these campaigns – such as comment spam used to improve rankings of promoted sites – it is unusual to identify a multi-faceted, long-term campaign run with coordination from the same botnet in the wild.”

“This kind of attack has the potential to impact a legitimate website’s customer experience and brand value, and it could even break the functionality on some website applications,” Shulman explained. “These SQLi attacks are typically referred to as “gateway” attacks and can test the water for more serious attacks to come. Websites can be thought of as the highway to business-critical data, so owners of those that have been targeted should be particularly worried as often SQLi attacks are used to steal data. This definitely serves as a reminder of how relentless cybercriminals are, and the need to bolster website security.“