
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Blackhat Search Engine Optimization (SEO) Injection

May 26, 2016 By Rob Collins

Today my boss couldn’t get to a website. Turns out, our WebBlocker service classified it as a Compromised Website. Great! Our WatchGuard Firebox was doing a good job. However, my boss knew the site, and the people behind it, so he wanted to know what was wrong with it.

A quick check on our Security Portal confirmed the classification, and csi.websense.com provided the reason: Injection.Black_SEO.Web.RTSS.

I’ve seen this before, so I knew what to expect. I created a WebBlocker exception for myself, allowing me to get to the site for a little research. It didn’t take too much time to find what I was looking for:

[Image: Black_SEO]

Viewing the HTML source code on the site’s home page, I quickly found some additional code that the site owners probably aren’t aware of. The injected code is designed to “invisibly” open certain links without visually displaying much to a visitor. The goal of this type of attack is to falsely improve these links’ search engine results, since every user visiting this site will unknowingly open these injected links as well. This attack technique is sometimes called blackhat search engine optimization (SEO).

While this is a relatively harmless example of HTML injection (since it’s not trying to execute code on a victim’s computer), the presence of the unwanted code certainly means that someone has unauthorized access to this site. Unfortunately, until the site owners clean up this injected code, WebBlocker will continue to prevent users from visiting it. You could create an exception to allow the site, but I don’t recommend it. While the attackers have only exploited this site for SEO injection today, tomorrow they could use it to redirect visitors to a drive-by download, maybe even leveraging underground toolkits like the Angler Exploit Kit.

Without knowing exactly how the attackers injected this code, I can’t give webmasters specific secure development tips (other than to visit OWASP.org for general web development best practices). However, I can share one universal tip. Don’t treat your website as “build and forget.” You need to at least control access to your site’s code, and regularly monitor it for code changes so you can identify this sort of malicious injection quickly.
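The hidden-link pattern described above can be checked for mechanically as part of the monitoring the tip recommends. The following script is an added example, not code from the post or from WatchGuard; it scans a page's HTML (a constructed sample is embedded) for anchors that a visitor cannot see, which is exactly the signal a site owner's periodic review should raise.

```python
import re
from html.parser import HTMLParser

# Inline-style tricks commonly used to keep injected content out of view:
# display:none, visibility:hidden, zero font size, or pushed far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)

# Void elements never get a closing tag, so they must not be tracked on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Reports <a href> tags that are hidden themselves or sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, reason-or-None) for every open element
        self.findings = []   # (href, reason) for each suspicious link

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        reason = None
        if "hidden" in a:
            reason = "hidden attribute"
        else:
            m = HIDDEN_STYLE.search(a.get("style") or "")
            if m:
                reason = "style " + m.group(0)
        # Nearest enclosing element that is itself hidden, if any.
        anc = next((t for t, r in reversed(self.stack) if r), None)
        if tag == "a" and a.get("href") and (reason or anc):
            self.findings.append((a["href"], reason or f"inside hidden <{anc}>"))
        if tag not in VOID:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy, unclosed markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    """Return a list of (href, reason) for links a visitor would never see."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate link plus injected hidden ones.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<p>Visit our <a href="/about">about page</a>.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://example.invalid/cheap-pills">cheap pills</a>
  <a href="http://example.invalid/casino">casino</a></div>
<span style="display:none"><a href="http://example.invalid/loans">loans</a></span>
<a href="/contact" hidden>contact</a></body></html>"""

if __name__ == "__main__":
    for href, why in find_hidden_links(SAMPLE_HTML):
        print(f"{href}  ({why})")
```

Run it against a fresh copy of each page and diff the output against a known-good baseline; any new hidden link is worth a look at the page source and the server's access logs.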

— Rob Collins 


Filed Under: Editorial Articles

Comments

  1. Alan Mercer says

    May 26, 2016 at 10:48 am

    Hit this one last week as well on a local government site. Same site was found to be compromised last December as well. Both times I tried to contact the site admins and they hadn’t set up any of the standard emails such as [email protected], [email protected], etc…

    Hard to help the compromised sometimes.

  2. Redacted says

    June 25, 2020 at 3:13 pm

    This was a perfect write up. I encountered this as well and I’m happy this article was at the top of google.
