Black Hat SEO attacks: Persistent Multi-Vector Attacks Prey on Thousands of Legitimate Websites


Imperva Defense Center researchers found long-running, multi-vector Search Engine Optimization (SEO) campaigns used by hackers to illegally promote illicit websites such as online pharmacies and adult sites. The multi-vector Black Hat SEO campaign employed SQL injection (SQLi), HTML link injection, cross-site scripting (XSS) and comment spam. The long-running, botnet-driven SEO campaign started before November 2015 and was still active as of April 2016. The attack techniques themselves are not new; however, this is the first time we have seen a botnet, attack automation and several types of attack vectors combined to launch a targeted SEO campaign. The reputation of the promoted sites is definitely questionable.

Who gets impacted the most? And what are the consequences?

The SEO campaign illegally modifies content on reputable websites. The legitimate website’s brand image is severely tarnished, which can result in a negative user experience and lost revenue. Just as a successfully burgled site is often revisited by the offenders, websites victimized in this fashion may become targets for more serious attacks such as data breaches.

How do hackers increase SEO for their clients?

In this attack, the hacker exploits SQLi vulnerabilities in web applications to inject new content promoting questionable websites into as many high ranking websites as possible, modifying the legitimate content of each site. HTML links to the promoted site and associated keywords are inserted into the attacked applications’ databases, changing the content of their dynamically generated pages. The promoted sites gain high rankings on the target keywords in popular web search engines, causing them to appear among the top search results.
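Because the injected links live in the application's own database, a defender can look for them directly in stored content rather than only at the network edge. The following script is an added example, not code from the Imperva report: it loads a few constructed rows into an in-memory SQLite table and flags every anchor whose host is outside a hypothetical first-party allowlist (`ALLOWED_HOSTS`), also noting whether the link is hidden with inline CSS, a common trait of links meant for crawlers rather than visitors.

```python
"""Content-integrity check for injected SEO links in stored page content.

Added example (not from the Imperva report). Sample rows are constructed;
ALLOWED_HOSTS is a hypothetical first-party domain list.
"""
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party hosts; in practice derive this from site configuration.
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdn.example.com"}


class LinkCollector(HTMLParser):
    """Collects (href, hidden) for every <a> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href") or ""
        style = (attrs.get("style") or "").replace(" ", "").lower()
        # Injected SEO links are frequently hidden from human visitors.
        hidden = "display:none" in style or "visibility:hidden" in style
        self.links.append((href, hidden))


def external_links(fragment):
    """Return links in `fragment` whose host is not in ALLOWED_HOSTS.

    Relative links (no host) are treated as first-party and skipped.
    """
    parser = LinkCollector()
    parser.feed(fragment)
    found = []
    for href, hidden in parser.links:
        host = urlparse(href).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            found.append({"href": href, "host": host.lower(), "hidden": hidden})
    return found


def scan_table(conn, table="posts", id_col="id", body_col="body"):
    """Scan one text column; return (row id, href, host, hidden) per finding.

    Table/column names come from trusted configuration, never from users,
    which is why plain string formatting is acceptable here.
    """
    findings = []
    for row_id, body in conn.execute(f"SELECT {id_col}, {body_col} FROM {table}"):
        for link in external_links(body or ""):
            findings.append((row_id, link["href"], link["host"], link["hidden"]))
    return findings


def build_sample_db():
    """Constructed sample content: two clean rows and one with an injected link."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO posts (id, body) VALUES (?, ?)", [
        (1, '<p>Welcome. <a href="https://www.example.com/about">About us</a></p>'),
        (2, '<p>Read the <a href="/blog/2016">blog</a>.</p>'),
        (3, '<p>Thanks!</p><a href="http://promoted-pharmacy.invalid/buy" '
            'style="display:none">cheap pills</a>'),
    ])
    return conn


if __name__ == "__main__":
    for finding in scan_table(build_sample_db()):
        print("row %d: %s (host=%s, hidden=%s)" % finding)
```

Run against a read replica on a schedule and diff the findings between runs; a sudden batch of new external hosts across many rows is the signature described above, and the row ids tell you which records to restore from backup.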

The attack is performed by a botnet: a large network of centrally controlled hosts. In this campaign, the botnet is comprised of more than 700 hosts. Automated SQLi and HTML link injection attacks are executed on this distributed platform, with over 800,000 malicious HTTP requests recorded. The botnet amplifies the attacks, helps hackers run multiple campaigns in parallel to promote many sites, and also enables the attack to bypass some common detection measures.
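One of the detection measures a botnet sidesteps is per-client rate limiting: each of several hundred hosts sends only a handful of requests, so no single IP looks noisy. The script below is an added example, not from the Imperva report, that groups injection attempts by their target (request path plus parameter name) and counts distinct source IPs instead, which is the view in which a distributed campaign stands out. The access-log lines are constructed in common log format, and the payload regexes are deliberately small starting points to be tuned per application.

```python
"""Spotting a distributed injection campaign in web server access logs.

Added example (not from the Imperva report). SAMPLE_LOG is constructed;
the SQLI_RE / LINK_RE markers are illustrative and need tuning in practice.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Common log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Minimal markers for SQL injection and HTML link injection in a decoded value.
SQLI_RE = re.compile(
    r"'\s*(?:or|and|union|;)|union\s+(?:all\s+)?select|--\s*$|/\*.*\*/", re.I
)
LINK_RE = re.compile(r"<\s*a\s[^>]*href\s*=", re.I)


def classify(value):
    """Label a decoded parameter value, or return None if it looks benign."""
    if SQLI_RE.search(value):
        return "sqli"
    if LINK_RE.search(value):
        return "link_injection"
    return None


def parse_line(line):
    """Return (source ip, [(path, param, kind), ...]) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    # parse_qsl percent-decodes values, so the markers see the real payload.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = classify(value)
        if kind:
            hits.append((parts.path, name, kind))
    return m.group("ip"), hits


def detect_campaigns(lines, min_sources=3):
    """Map (path, param, kind) -> number of distinct source IPs, keeping only
    targets attacked from at least `min_sources` hosts."""
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, hits = parsed
        for key in hits:
            sources[key].add(ip)
    return {key: len(ips) for key, ips in sources.items() if len(ips) >= min_sources}


# Constructed sample: four hosts probe the same parameter once each, one host
# posts an injected link, and two requests are ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Apr/2016:10:01:02 +0000] "GET /product.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512',
    '203.0.113.11 - - [12/Apr/2016:10:01:05 +0000] "GET /product.php?id=1%20UNION%20SELECT%20null%2Cnull-- HTTP/1.1" 500 213',
    '198.51.100.7 - - [12/Apr/2016:10:01:09 +0000] "GET /product.php?id=1%27%20AND%201%3D2-- HTTP/1.1" 200 498',
    '198.51.100.8 - - [12/Apr/2016:10:01:11 +0000] "GET /product.php?id=1%27%20or%20%27a%27%3D%27a HTTP/1.1" 200 512',
    '192.0.2.33 - - [12/Apr/2016:10:02:00 +0000] "GET /comment.php?text=%3Ca%20href%3D%22http%3A%2F%2Fpromoted.invalid%22%3Ebuy%3C%2Fa%3E HTTP/1.1" 302 0',
    '192.0.2.40 - - [12/Apr/2016:10:02:30 +0000] "GET /product.php?id=42 HTTP/1.1" 200 7321',
    '192.0.2.41 - - [12/Apr/2016:10:02:45 +0000] "GET /search.php?q=red+shoes HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for (path, param, kind), count in detect_campaigns(SAMPLE_LOG).items():
        print(f"{kind} against {path}?{param}= from {count} distinct sources")
```

In the constructed sample the single link-injection request falls below the threshold while the four-source SQLi probe of `/product.php?id=` is reported; a real deployment would feed the distinct-source list into the WAF or IP reputation blocklist mentioned under mitigation below.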

How to mitigate such attacks?

Web Application Firewalls (WAF) are the best defense mechanisms against such attacks. The attacks exploit known vulnerability classes that are well defined by OWASP. For more comprehensive web application protection, deploy a WAF with integrated IP reputation that can block botnets to thwart advanced web attacks.

Find out more details about this Black Hat SEO campaign by reading the Hacker Intelligence Initiative (HII) report titled Black Hat SEO: A Detailed Analysis of Illegal SEO Tactics.