27th Oct 2016
In this article I will attempt to explain a little about the methods used by crackers, scammers and spammers (I’ll be calling them villains) to poison search engine results, automate mass exploitation and generally take advantage of everything they can to optimise their scams for search engines.
As there are many methods in use, I will describe one example of how it all works. First, let’s have a look at how a piece of fake AV (antivirus) software makes money.
The user knowingly or unknowingly installs a piece of software claiming to be an antivirus program. The software looks and acts just like an antivirus, but with one small difference: it doesn’t protect the user from viruses in any way whatsoever. In fact, there is no antivirus engine in the software at all. The software will notify the user that their computer is full of viruses and that the antivirus program will remove these for a fee. The user then has to sign up to a subscription or pay a one-off amount.
But how was our poor user so unfortunate as to come across such a nasty piece of software? The awesome power of SEO is how. These scams are usually short-lived because, no matter how legitimate and sneaky they appear to be, they are scams and will get shut down eventually. When you have such a limited amount of time you can do anything you want to get rankings and traffic, because search engines can’t instantly deal with the effects of the villains’ SEO tactics.
If you cross SEO with a rootkit you get an SEO kit: a piece of software that sits on websites/servers creating keyword-rich pages to attract the attention of the search engines.
The SEO kits will scan for trending topics and make a page with relevant keywords and anchor-text links pointing to the page they are trying to promote. You may have come across these kinds of keyword pages before. At first glance the pages make sense, but on a closer look, not much. They are not meant to trick humans, however; they are meant to trick search engines. Most of these pages are hidden in such a way that a user would not naturally come across them.
For the SEO performed by the SEO kits to be effective they would ideally need to be on sites with good authority and trust. This means villains would have to hire lots of servers with already authoritative sites, right? Wrong. The websites/servers have been compromised using yet another layer of the scam.
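Because these pages are built for search engines and are not linked from the site's own navigation, a site owner can look for them in the web server's access log. The following is an added example, not code from the original article: it assumes Combined Log Format, and the crawler names, search-engine referrer list, paths and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp|duckduckbot", re.I)
SEARCH_REF = re.compile(r"(^|\.)(google|bing|yahoo|duckduckgo)\.", re.I)
CRAWLER_ONLY_OK = {"/robots.txt", "/sitemap.xml"}  # legitimately crawler-only

def suspect_doorway_pages(log_lines):
    """Paths served with 200 that only crawlers or search referrals ever reached."""
    hits = defaultdict(lambda: {"search": 0, "other": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]
        if path in CRAWLER_ONLY_OK:
            continue
        ref_host = urlparse(m["ref"]).hostname or ""
        from_search = CRAWLER_UA.search(m["ua"]) or SEARCH_REF.search(ref_host)
        hits[path]["search" if from_search else "other"] += 1
    # Real pages also get direct visits and internal-link clicks; doorway pages do not.
    return sorted(p for p, c in hits.items() if c["search"] and not c["other"])

# Constructed sample log (documentation IP ranges, made-up paths).
BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FF = "Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
T = "[27/Oct/2016:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET /robots.txt HTTP/1.1" 200 64 "-" "{BOT}"',
    f'192.0.2.10 - - {T} "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "{BOT}"',
    f'198.51.100.7 - - {T} "GET /blog/post-1 HTTP/1.1" 200 5120 "https://example.com/" "{FF}"',
    f'192.0.2.10 - - {T} "GET /img/cache/trending-topic.html HTTP/1.1" 200 9000 "-" "{BOT}"',
    f'203.0.113.5 - - {T} "GET /img/cache/trending-topic.html HTTP/1.1" 200 9000 '
    f'"https://www.google.com/search?q=trending" "{FF}"',
    f'198.51.100.7 - - {T} "GET / HTTP/1.1" 200 2048 "-" "{FF}"',
]

if __name__ == "__main__":
    print(suspect_doorway_pages(SAMPLE_LOG))
```

The result is a list for manual review, not a verdict: a newly published page that nobody has visited directly yet will also appear in it.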
Mass Automated Exploitation
There are an unbelievable number of ways in which the servers hosting the SEO kits could have been compromised, but for the purpose of this blog post I’ll keep it simple… ish. The villains use bots (automated programs) that look for and compromise vulnerable websites/servers, install the SEO kit and maintain the server. The bots usually operate and attack from other compromised servers and, more often than not, from the home computers of the people who installed the fake AV. The bots and SEO kits can usually be controlled from one place; this is called the C&C (command and control).
Some ways in which the bots will attack sites/servers are:
There are many infamous backdoors villains use to control webspace/servers once compromised; the one I will use as an example is called c99. Using common search engines such as Google, the bot can search using certain queries (D0rks) which will find vulnerable servers. The query “Inurl:”c99.php” -intitle:c99 -inurl:”c99.php.txt”” will show results for lots of servers with the c99 backdoor; the bot can simply visit these sites and take control of the webspace/server.
Using a mixture of existing vulnerability scanners and Google, the bots will look for known vulnerabilities in web servers, usually caused by running outdated software. On some occasions the attacks will use 0-day vulnerabilities and exploit them in order to take over the server. Ironically, the bot will sometimes attempt to patch vulnerabilities to stop other bots taking over the server. The bots will use most of these servers to perform further attacks against other servers or synchronize with compromised machines, forming a “botnet”-style configuration.
It’s important that the compromised servers try to hide their tracks from search engines. If search engines get wind of the fact they are hosting malicious content or have a backdoor on the site, search engines and web browsers will try and protect their users from being exposed to malicious content. Search engines even warn users on the search engine results page.
Unfortunately, these small warnings are not enough to save you and your websites.
That’s the basic layout of the scam and, if it is executed as planned, when users search for “Justin Bieber screensaver” they will see lots of seemingly relevant results. The user will then click through to the site, the site will perform a few redirects, and they will end up at the destination distributing the fake AV. Now there are a few ways in which the fake AV will find its way onto the user’s computer:
• The web page will automatically present the download.
• A popup which once clicked will download the Fake AV.
• An exploit will be launched against the user’s browser, causing the fake AV to be silently downloaded and installed.
This sort of scam has been effective for many years now and, as you can see, expands rapidly. The tactics of the villains have not changed greatly; this is down to the fact that most users are reluctant to change their habits and be more proactive in securing their websites and computers. Here are a few tips, looking at the problems that allow these scams to be so successful and what we can do as users and developers to try to prevent them.
Content Management Systems (WordPress, Joomla etc)
WordPress is a great platform for less technical people to make a website and host the site on their own webspace with ease. Unfortunately, this brings a myriad of potential problems when it comes to security.
• Update – Vulnerabilities get patched through updates; if you don’t update, your platform of choice is insecure. It’s not just the platform that needs to be updated but all the plugins too, as they could create an easy way for your site to be compromised, so be smart with plugins. Do you really need all the plugins you are using? If you do, keep them updated.
• If you search for “joomla” in a vulnerability database you will see around 800+ results, most of which are vulnerabilities in the plugins.
• Defaults – Bots are programmed to look for default settings and files. If your WordPress admin is called “wp-admin” then the bot knows exactly where to go and what to do. Try not to use default file paths and settings.
• Passwords – Make these strong; with the power of 20 servers, bad passwords merely delay the bots’ cracking attempts.
• Never use a password that is also a word that is used on your site; bots will profile the site and put such words in a list of passwords to try.
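The last tip can be enforced when a password is set. The following is an added example, not code from the original article: it builds the same word list a profiling bot would get from the site's pages and rejects a password built on one of those words. The function names, the four-letter minimum, the character-substitution table and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def site_vocabulary(html_pages, min_len=4):
    """Words of min_len+ letters that a bot profiling the site would harvest."""
    words = set()
    for page in html_pages:
        parser = _TextExtractor()
        parser.feed(page)
        parser.close()
        text = " ".join(parser.chunks).lower()
        words.update(w for w in re.findall(r"[a-z]+", text) if len(w) >= min_len)
    return words

# Common character substitutions, undone before comparing (assumed mutation set).
LEET = str.maketrans("013457@$!", "oieastasi")

def site_word_in_password(password, vocabulary):
    """Return the longest site word the password is built on, or None."""
    lowered = password.lower()
    for candidate in (lowered, lowered.translate(LEET)):
        letters = re.sub(r"[^a-z]", "", candidate)
        for word in sorted(vocabulary, key=lambda w: (-len(w), w)):
            if word in letters:
                return word
    return None

# Constructed sample page for a made-up site.
SAMPLE_PAGES = ["<html><head><title>Acme Plumbing</title><style>body{color:red}</style>"
                "</head><body><h1>Acme Plumbing of Springfield</h1>"
                "<script>var tracker = 1;</script></body></html>"]

if __name__ == "__main__":
    print(site_word_in_password("Plumb1ng2016!", site_vocabulary(SAMPLE_PAGES)))
```

Substring matching is deliberately strict, so common four-letter words on the site can reject otherwise unrelated passwords; raise `min_len` if that is too noisy.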
Self-managed Servers/Hosting
Many people take on the task of looking after their own server, unaware of the complexity and extent of knowledge needed to keep the server and its users safe.
• Update – Make sure your server is updating as soon as updates are available. Just like the CMS platforms I talked about above, if you have programs running that you don’t need, uninstall them; these are just another potential vulnerability.
• Don’t let your authentication mechanisms give out too many retry attempts; 5 to 10 is apt.
• If a hosting server is compromised it’s possible for links/malware to be placed on all the websites hosted on the server, so make sure you have set up your file permissions and account privileges correctly.
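One way to check the file-permission point on a shared host is to walk each site's directory and report anything another account could modify. The following is an added example, not code from the original article: it assumes a POSIX system and a layout with one directory per site under a common base, and the function names are hypothetical.

```python
import os
import stat

def audit_docroot(docroot):
    """List (relative path, problem) for entries another account could modify."""
    owner = os.stat(docroot).st_uid
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            rel = os.path.relpath(path, docroot)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid != owner:
                findings.append((rel, "owned by a different account"))
    return sorted(findings)

def audit_hosting_base(base):
    """Audit every site directory under a shared-hosting base (assumed layout)."""
    report = {}
    for site in sorted(os.listdir(base)):
        docroot = os.path.join(base, site)
        if os.path.isdir(docroot):
            problems = audit_docroot(docroot)
            if problems:
                report[site] = problems
    return report

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    for site, problems in audit_hosting_base(base).items():
        for rel, problem in problems:
            print(f"{site}: {rel}: {problem}")
```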
That about wraps it up. Like I said, this is just a basic insight into this kind of activity, and there are many methods and techniques used. We can never stop these villains, but we can give them a much harder time.
Rootkit – http://en.wikipedia.org/wiki/Rootkit
Computer Vulnerabilities – http://en.wikipedia.org/wiki/Vulnerability_(computing)
XSS – Cross site scripting – http://en.wikipedia.org/wiki/Cross-site_scripting
RFI – Remote File inclusion – http://en.wikipedia.org/wiki/Remote_File_Inclusion
Backdoor Shell – http://en.wikipedia.org/wiki/Backdoor_Shell
Iframe Injection – http://en.wikipedia.org/wiki/Iframe_virus