It’s not a secret that cybercriminals use all sorts of techniques to promote their fake products and services on the Web. To increase the rating of the newly-created fake medical or rogue AV Web site, criminals sharpen their skills in Black Hat SEO (search engine optimization). While White Hat SEO is basically being used by all businesses as well as other non-profit sites, Black Hat SEO poisoning is mostly used for sites that do not want to build their traffic and popularity in a natural way. In some ways Black Hat SEO is a kind of celebrity life – popularity can be on the rise in a couple of weeks or even days and then abandoned just as quickly.
In both cases, this short popularity span can bring enough attention or revenue so that it's not in vain. Search engines like Google, Yahoo, or Yandex invent new solutions every day to filter sites using Black Hat techniques and not allow them to achieve their aim – which is to be seen on the first pages of search engine results when people are looking for genuine information.
If such sites manage to reach top search result positions, the traffic generated by people visiting the Web site will rapidly increase. It is worthwhile for Black Hat SEO teams, even with the risks of being shut down, because of the immediate visibility that their site gets - their 15 minutes of fame. This is another similarity to a celebrity's life: to be banned only once means they will never be highly rated again. The popularity can be built fast, and destroyed even faster.
There are many common techniques used in Black Hat SEO which lead to more or less the same target. It all depends on the time available, the ability to take a risk, and of course, money.
Backlinks – the most common and popular technique. It is not important how many links you point at, but how many links point to you. It's even better if the links are bidirectional, which is of course more difficult to achieve. Therefore "link farms" became a popular service not long ago, offering many servers pointing to one specific site or pointing to each other to build inter-linking. This approach has quickly been discovered and cracked down on pretty well by companies like Google, Yahoo, and others. So Black Hat guys started to infect pages through mass injections or other malicious means to get such links working in invisible form (hidden links) or in a pretty visible way, automatically populating forums, blogs, and directories. Of course, not every link has the same weight. There is a difference if a description of a link says "Go here" and points to "Quality meds", compared to a precise description. Also, links coming from high-ranked sites are weighted much more.
Using a high-ranked domain (for example, YouTube) to propagate such products and services. Especially, accounts that have existed for a long time are much more likely to get better visibility.
Image Crafting – every search engine advances some kind of a picture property. There are different approaches depending on the size, location, "href" description, and "alt" description of a picture. Using the right properties makes some pictures more easily visible than others.
Cloaking – content presented to search engine crawlers is different than content presented to a user’s browser. This kind of "hiding" offers special protection against being noticed and banned.
"Bait and Switch" – this technique is used to get high ranking usually using white methods, and subsequently switching the content from legitimate to something completely different. Even though nowadays this method is almost useless as search engines are parsing Web sites on a daily basis and notice switching immediately, sometimes a couple of hours is more than enough for criminals to achieve their aims.
Microblogging is becoming more popular every day. Pages offering microblogs are getting high ranking very quickly and this ranking is automatically passed to all blog posts. One of many techniques abusing such sites is registering an account into many highly popular groups and slowly posting messages with “appropriate” words, or even better URL links to all of them. These messages get attention at once when posted, due to the fast and privileged indexing of such sites by search engines. Hence all of these crafted microblogs influence query results in a couple of hours.
301/302 redirect (also known as Get Your Traffic Now). Recently we posted an alert about Bloombox SEO poisoning – we have started to see more and more abuse of this technique. Let's have a look.
Screenshot 1 – Bloombox Black Hat SEO
Usually the abuse is achieved through a PHP file installed on a compromised host. The file keeps a parameter of the search term, in this case "bloombox". The search term is usually a word or a phrase used by customers to find information about a particular event. When they follow the link, the user is being redirected to a Web site with rogue AV.
Screenshot 2 – Rogue AV trap presented as a “Bloombox” destination
When trying to access the same link not from a Google search page but by directly pasting the URL into a browser, the user is redirected to http://www.cnn.com.
Screenshot 3 – Imitation of direct input of URL into a browser
The same thing happens when using a Google Bot referrer, pretending to be a Google crawler.
Screenshot 4 – Imitation of Google Bot parsing the page
The next step shows the case when the user gets access to the page from a Google search page.
Screenshot 5 – Imitation of accessing the page from Google search.
This site can be accessed only from a Google search page and only by a user. The whole trick is being done by a PHP file uploaded to a compromised host carrying the 302 (Temporary redirect) or 301 (Permanent redirect) with the cloaking mechanism. The redirection to an appropriate location depends on who or what follows the link.
Such PHP sites will work for any Black Hat SEO hot topics, as any parameter (search term) being passed to the PHP site will work in exactly the same way.
As major events reach the news and articles are being posted, that's where the search terms are being taken from. Also, all the pages redirecting to these high-ranked sites (especially using a 301 or 302 redirect) automatically start to get higher ranking.
Most of the times Black Hat guys compromise hosts with a good "Google reputation", so once the PHP file is uploaded and "glued" to a news site, it's only a short time before they will be seen in the top search results.
Of course, Google and other search sites know about these techniques and do their best to block Black Hat activities. However, as always this is the thin end of the wedge. Cybercriminals compromise as many legitimate sites as possible and just wait for a major event to use. They have no fear of being banned or delisted – they never use their own domains. In a few hours, compromised sites get a high page rank and will stay at the top for several hours, which is enough time for them to get good traffic into their rogue AV or other “chunky” goods sites.
Unfortunately, this is a mere short list of many popular and highly used activities used by bad guys. When companies like Google or Yahoo patch one hole, the Black Hats find a new one in literally a matter of minutes. As we wrote at the beginning, Black Hat SEO is like a celebrity life - an easy and fast rise to fame, and very short lived. Do not be optimistic though. There are always thousands of others having “great ideas” and waiting to take a place in the front row of this show.
Security Researchers: Artem Gololobov, Ivan Sabo