Search Engine Poisoning (SEP) attacks manipulate search engines to display search results that contain references to malware-delivering websites. There are many methods of performing SEP, including taking control of popular websites, using the search engines' "sponsored" links to reference malicious sites, and injecting HTML code.
Search Engine Poisoning via Cross-Site Scripting: Search Engine Poisoning can also be performed by manipulating the search engine to return search results that contain references to sites infected with Cross Site Scripting (XSS). The infected Web pages redirect unsuspecting users to malicious sites. When unsuspecting victims follow one of these references, their computers become infected with malware. This technique is of particular importance since it does not require the attacker to take over, or break into, any of the servers involved in the scheme.
Search Engine Poisoning via XSS consists of the following steps:
- The attacker sets up a server that delivers malware upon request. The malware can be delivered in different ways, such as via an HTML page that exploits a browser vulnerability (aka "drive-by-download"), a "Scareware" scheme, or any of a variety of other methods.
- The attacker obtains a list of URLs vulnerable to Cross Site Scripting (XSS). In order to have an impact, these URLs should be taken from domains that rank high in search engines. The attacker usually obtains this list by an activity called "Google Hacking" – looking for specially crafted search terms in search engines that reveal the potential existence of specific vulnerabilities.
- Using this list, the attacker creates a huge number of specially-crafted URLs that are based on the vulnerable ones and include the target keywords and a script that interacts with the malware delivery server.
- The attacker obtains a list of applications that support simple user content generation. These could be forums, pages that take user comments or applications that accommodate user reviews. The attacker then floods the content accepting applications with the variety of specially crafted URLs.
- Popular search engine bots that scan the entire Web pick up the specially crafted URLs and follow them in order to index their content. As a consequence, the target keywords become associated with the specially crafted URLs. Since the attacker picked URLs of high-ranking domains to begin with, and due to the large number of references to these URLs, the poisoned results get high ranking for the target keywords.
- An unsuspecting user searching for one of the target terms clicks on one of these URLs and as a consequence becomes infected with malware.
SEP is an extremely popular method used by hackers to widely spread their malware. As shown, attackers exploit XSS to take advantage of the role of third-party websites as mediators between search engines and the attacker's malicious site.
Recommendations to the Web Administrator:
Abusing a Web site in this manner may lead to brand damage and the loss of customers and potential visitors. Moreover, it has a clear negative impact on the site's accessibility through search engines, including decreased ranking, references being marked as harmful and even outright removal from the search index. Ultimately, this leads to devastating economic implications.
Protecting the Web application against XSS attacks will prevent these sites from being abused as the attacker's conduit for a SEP campaign.
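A site administrator can also look for the footprint of the crawl step described above in the site's own access logs: search engine bots requesting URLs whose query parameters carry script or iframe markup. The following is an added example, not part of the original page; it assumes Combined Log Format, a hypothetical list of crawler user-agent tokens, and constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumed crawler user-agent tokens; extend for the crawlers that matter to your site.
CRAWLER_TOKENS = ("googlebot", "bingbot", "yandexbot", "baiduspider", "duckduckbot")
# Markup that has no business inside a query parameter value.
MARKUP_RE = re.compile(r"<\s*(script|iframe)\b|javascript\s*:", re.I)

# Constructed sample lines (documentation IP ranges, .invalid host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:06:25:01 +0000] "GET /search?q=cheap+flights HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [10/Mar/2024:06:25:09 +0000] "GET /search?q=free+movie+download%3Cscript+src%3D%2F%2Fcdn.example.invalid%2Fa.js%3E%3C%2Fscript%3E HTTP/1.1" 200 5342 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [10/Mar/2024:06:26:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.4 - - [10/Mar/2024:06:27:13 +0000] "GET /item?id=7&note=%3Ciframe%20src%3D%2F%2Fcdn.example.invalid%2F%3E HTTP/1.1" 404 312 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
]

def find_poisoned_crawls(lines):
    """Return one finding per crawler request whose query string carries markup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        # Substring match only: it does not verify that the client really is the crawler.
        if not any(tok in m["agent"].lower() for tok in CRAWLER_TOKENS):
            continue
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes values, so encoded markup is matched as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if MARKUP_RE.search(value):
                findings.append({
                    "time": m["time"],
                    "path": parts.path,
                    "param": name,
                    # A 200 response means the crawler received a page it can index.
                    "indexable": m["status"] == "200",
                })
                break
    return findings

if __name__ == "__main__":
    for finding in find_poisoned_crawls(SAMPLE_LOG):
        print(finding)
```

Each finding names the page and parameter that need output encoding or input validation; those marked indexable are the ones a search engine may already have associated with the site.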
Recommendations to Search Engines:
Protecting users from malicious references returned as search results is also a responsibility of search engines. Current solutions that warn the user of malicious sites lack accuracy and precision, and many malicious sites continue to be returned un-flagged. However, these solutions may be enhanced by studying the footprints of a SEP via XSS. This will allow more accurate and timely notifications as well as prudent indexing.