Deconstructing BlackHat SEO attacks and preventing them

TTH Labs - For the past few weeks The Tech Herald has been tracking an interesting BlackHat SEO campaign. It targeted trending keywords and topics related to the midterm elections, Halloween, Veterans Day and more, snaring an untold number of victims in the process. So what are these attacks? How do they work? What can you do as a webmaster to avoid them or avoid falling victim to them?

The BlackHat SEO (BHSEO) attacks we’ve been following have been running for months, but researchers recently noticed them towards the end of October, and they were present again during the recent midterm elections here in the U.S. Even now, with the elections over, topics related to them are still being targeted. On top of that, new keywords, related to Veterans Day for example, have taken hold.

The good news is that Google is getting quicker at flagging the malicious search results. However, the scripts running these attacks are so proficient, even if a poisoned result is only valid for a few moments, the criminals have a good chance of getting clicks.

If not, then they play the numbers game. For every domain that is blocked, two more will slip past the search engine’s filters. This is due largely to the distributed nature of the domains used in the attack. No single BHSEO script will control all of the domains used.

Most, if not all, of the BHSEO scams that make headlines leverage a number of techniques to push their sites to the top of the search listings. These techniques range from massive amounts of backlinks, to scraping Google Trends and related searches, generating pages designed for human eyes and separate pages for the Web crawlers themselves.

However, none of this works without a domain. The key to these attacks is an equal mix of otherwise legitimate domains and temporary domains setup on free hosting accounts or dynamic domains, such as the .CO.CC or .TK TLDs (Top Level Domains). This doesn’t account for the TLDs purchased in bulk, such as .BIZ, .COM, .NET, or .INFO.

During our research, we discovered two different scripts that were used to drive traffic to the malicious sites. The scripts were complex, when considering all that they do, but coded in a simplistic manner. They are easily modified, and easy to deploy from a criminal’s standpoint. They use very little server load, and unless you are hunting for them, or someone alerted you to their presence, you’d likely never know they were there.

The BHSEO campaign that we’ve been tracking started this summer, but grew in the final weeks of October. On the following pages, we’ll explain the attack, how it works, what it is, and what webmasters can do to prevent falling victim to them.

The attack we studied is ongoing. So because of that, we cannot name the innocent domains (the ones compromised by the criminals) we discovered, but we will share information on the domains that are malicious, as well as some of the code used in the attacks.

Researching BHSEO is a time consuming process. We wanted this report to get it right the first time. Given that a thorough investigation requires knowledge from various disciplines in the IT world, we have no problem crediting ESET for their help in confirming our findings and looking at the scripts we discovered. In addition, we’d like to give a hat tip to Sean-Paul Correll at Panda Security for sparking our interest in BHSEO research and showing us the ropes.

What is BlackHat SEO?

Simply put, Search Engine Optimization (SEO) is used to boost a domain’s ranking. The better the SEO, the higher a site will appear in the search result listings for select keywords.

Search engines have a set of rules for wembasters to abide by when using SEO techniques on a website. The easiest split between normal SEO and BHSEO is that the shady webmasters care little for the rules.

SEO and BHSEO have the same goal in mind, website promotion. SEO plays a big role in the advertising and marketing world. Likewise, BHSEO is heavy in the criminal world for the same reason; both sets of webmasters need their sites to rank high to earn money.

Most Rogue anti-Virus campaigns use BHSEO techniques to propagate their malicious software. Such was the case in the attacks we followed, which isn’t much of a surprise. However, criminals were also using these recent attacks to spread a wide range of Malware, delivering it as software updates and codec files.

To a person running a BHSEO campaign, the financial payout comes from PPI-based affiliate programs or simple advertisement placement. The criminals propagating the Rogue anti-Virus applications or other malicious downloads do so in order to obtain any registration fees that come from victims infected with Rogue anti-Virus installs, as well as payment for getting the consumer to install the application itself.

This type of payment is known as Pay-Per-Install, or PPI. PPI programs will pay a person a set amount for application installations, as well as a set amount depending on where the person lives. It’s common for persons living in The United States to hold a higher PPI value over those living in the United Kingdom for example. For this reason, BHSEO is used to spread the coverage of a domain and open it to a wider viewing audience.

While we focus on BHSEO as a means to spread malicious content, more often than not it is used to monetize bulk sites that are misrepresenting content and cheating the search engines. Not every webmaster deploying BHSEO does so with the intent of building a botnet or spreading Malware.

For example, shady PPA (Pay-Per-Action) affiliates will use BHSEO to trick you into filling out surveys and entering junk contests. Some harvest the data entered into the forms and sell that on top of collecting a fee for you filling out the form.

It’s sad, but those using BHSEO to promote sites, either for traffic or Malware installation, can earn thousands of dollars a week, sometimes more. This makes it highly attractive to webmasters, and creates a rat race for search engines like Google and Bing. The rat race is a game that forces the search engines to keep up with the latest BHSEO tricks and how to foil them, without penalizing legitimate marketing efforts, something that is easier written than done.

The discovery:

To steal a phrase from a Sean-Paul Correll, what we discovered while researching the attacks is comparable to a leaf on a tree. However, this leaf is comprised of 28 domains, which were responsible for 8,575 poisoned keywords and phrases, of those 3,060 were unique. One site was responsible for 656 poisoned searches alone, while the others stayed in the 310-350 mark. Some sites used the same keywords, while others would spread things around.

Keywords ranged from electoral related topics (politicians, prop 19, local races, national coverage, voter registration), sports related (athlete names, team related searches, sporting events, team standings), holiday related (Halloween, Valentines Day, Hanukkah, Thanksgiving, Veterans Day), TV shows, movies and actors, environmental issues, recording artists, and random topics such as exclusive resorts and YouTube downloads.

In addition, these domains were all backlinked to one another, creating a web of keywords and specialized content on the fly. Moreover, every single domain we discovered was compromised. They ranged from personal and hobbyist domains, to businesses in the IT and merchandise markets.

As we mentioned, BHSEO attacks need a domain to work. Once the domain is captured by the criminals, then the content generation scripts are uploaded and managed from there. Each compromised domain had some interesting shared traits; all of them used an open source CMS or website template system, they were often running outdated software, and several were seemingly abandoned by the owner.

OS Commerce was the most popular script hijacked. Investigation showed that the compromise came from misconfiguration or script vulnerability in the case of older installations. There are several published exploit examples that target the shopping cart script, including SQL Injection, XSS, Remote File Inclusion, and file upload and execution. While most of the vulnerabilities have been patched by the development team that produces OS Commerce, the updates were missing in each of the compromised sites we observed.

After OS Commerce, Joomla installations, followed by WordPress, were the second and third most common traits on the compromised domains. Simple Machines Forum (SMF), with Tiny Portal, and sites driven by template systems, such as “Free CSS Templates”, round out the compromised domain commonalities.

It is worth noting that many of the compromised sites were using “one-click” installations, meaning their webhost offered them a control panel with the option to install the CMS with little work on the webmaster’s part.

The problem is that these point and click installations are not kept on a solid update schedule, and as a result are often vulnerable for a longer length of time. It is easier to install such CMS systems and portals using the official downloaded source, and install things on your own.

The scripts:

The scripts we discovered pushing the BHSEO campaigns work by scraping content. One will use keywords and display HTML content, and the other will include HTML content as well as image-based content that is relevant to the hijacked search term.

The first script, so.php, was discovered in a WordPress driven website. The file can generate content on the fly to make it search relevant, and it does so by checking:'keyword''keyword'

In this case, ‘keyword’ is the search term. The second script, Thumbs.php, does the same thing as so.php, but it will add images to the mix. If the generated page is being indexed by a search engine, the content is different. It’s optimized to be read by the search bot. However, if the page is generated by a human, then it will display readable content and images, while loading a redirector script that pushes the Malware or Rogue anti-Virus software.

[SO.PHP source code.]

An interesting aspect to the scripts is that they pull a majority of the malicious source code from external sites. These external domains, outlined below, are what run the Malware side of the BHSEO campaign.

Depending on the referral headers, if the user comes from Google, Yahoo, Bing, AOL, MSN, or Comcast, then they are considered a good user. Good users are redirected to one of two domains.

If they use Firefox, then they are directed to for a fake Firefox update. This update is Malware, and as this report is written, some variants are well detected by anti-Malware vendors, while others have spotty signature detection. However, behavioral detections are likely to lessen the protection gap in many cases.

Internet Explorer users deemed good are sent to, where they are presented with a fake codec page. If the codec is installed, then the system is infected. Like the Firefox attack, the Malware delivered in this attack is widely detected in some cases and spotty in others.

However, some sites also leverage PDF vulnerabilities, to if you are running under patched Adobe software, your risk doubles and in some cases, anti-Malware will not help you.

Users on Macintosh or Linux are send to an RSS feed for a generic looking blog. During our research, this RSS feed never updated itself. We also observed that the malicious redirect would only happen once. Revisiting the site a second time would simply show the created content and nothing else.

Each of the two scripts has a set of domains that are obfuscated in the opening function of the code. These domains will insert JavaScript, which is where the actual attack takes place. While the source code for so.php is linked above, the images below are of the obfuscated domains and the elements they add to the script. Along with the actual malicious redirect, the criminals also use traffic counters.

There are two external domains used; during page creation, only one of them is added to the final source. The IP address seen is a server in Bosnia, the server itself has been active for some time and is used as a C&C and delivery point for malicious payloads.

In addition to the BHSEO activities, this server was used in the SQL Injection attacks that hit domains hosted by GoDaddy and used them to serve malicious JavaScript. Recently, activity on this server has faded, but reports on it from Google link it to more than 4,000 infected domains during the last 90 days.


What you can do to prevent falling victim to these attacks:

So far, this report has been aimed at the general webmaster. However, hardening servers and securing websites can be a daunting and confusing task. When you search for items such as hardening Apache or hardening PHP, mostly you come across forum posts and lists created early last decade, and almost all of them are “my lists are better than yours” type of posts.

Two things to consider when using the advice in those lists are that they are old, and no server installation is equal to another. Also, most of the tips require a level of access many webmasters do not have on their servers. Shared hosting is just that, shared. This is a great option price-wise, but it comes at the expense of security depending on the host.

Shared hosting means your website is on a server with dozens, sometimes hundreds, of others. While you can take steps to prevent your domain from being attacked, if one of the other domains falls, then you are still vulnerable. All an attacker needs is one vulnerable site, and then they can move on to take the rest of the server. In many of the compromised sites observed for this report, this was exactly the case.

Starting with the assumption that you are on shared hosting, the best bet is to talk with your host. See what they are doing to protect the server from attack, including the use of layered firewalls (software and hardware), IDS and IPS, as well as maintaining stable releases of things like Apache, PHP, and mySQL.

Do they use Suhosin to added extra protection to PHP? If they use cPanel and Fantastico, do they prefer you install things like WordPress or Joomla from there or on your own by hand?

Below is a list of some considerations aimed at webmasters on shared hosting. It isn’t an all inclusive list, but more of a starting point. Feel free to leave a comment if you want to see something added.

- Research any given CMS solution fully before installation, not just for features and benefits, but research the developers of the CMS. Search for topics related to user complaints or notices of existing security flaws or issues. Make sure these are addressed.

- Skip automated installations and install things like Joomla, OS Commerce, or WordPress by hand. Fantastico is a great tool, but it sometimes installs older software, and updates are harder to apply in some cases. Most major projects make this a simple chore, and have large amounts of step-by-step documentation.

- Once installed. Join the community that surrounds the CMS project. Use it to stay up on the latest news and security issues. Follow security or development related blogs as well on the project site. The community is also a great place for support, and feedback.

- After that, you need to make sure the CMS software is kept updated. To do this, it is important to install new updates as soon as they are released. This will help prevent problems related to the fixed flaws from coming back to haunt you. If you grow tired of using the software, remove it rather then leavening it abandoned.

- Make sure that file and folder permissions are kept to the lowest possible settings. This means you should avoid leaving everything set to 755 or 777. Doing so can allow outsiders access to read, write, or execute files on your account, something that as a webmaster you want to avoid.

- Strong passwords on your accounts (email, FTP, CMS admin, etc.) are great habits to form. However, on shared hosting it won’t help if your domain is compromised via another account that didn’t take similar precautions. You should always do this, but don’t rely on it as the largest part of the security lockdown.

- Always use a unique password and email address for managing your domain. Never use the same password on your website as you would for online banking, social networking, or webmail.

- FTP accounts should be allowed sparingly. You really only need one FTP account to manage a website. However, if others are needed, then use the control panel offered by your host to lock the FTP account into a single directory. Also, disable anonymous FTP and avoid it at all costs.

- Never share primary access or administrative access with anyone hired to work on your site. Always create a new user and keep the permissions set to the minimal possible. In the rare case that you are required to give administrative access out to someone, change your password temporarily while the work is being performed, and then back once it is complete. Always delete inactive users immediately or change their passwords if they may be used again.

- Once things are locked down, make it a point to inspect the web directory once a month for new files. You can use Google to show you a list of everything that has been indexed. Just enter your full URL into the search. If you notice something is off, ask your host for help.

The next page is for webmasters who have more control over their hosting accounts.

Assuming you have more control over your hosting there are other considerations you can use to harden your site from attack. However, many of them require the usage of a semi-dedicated or dedicated server. As a note, none of these will be of use if you use a Reseller hosting plan, which is still shared hosting, but on a larger scale.

First, be ready to admit defeat. When it comes to securing your server, it isn’t something to take lightly, if you need help then its ok to look to an outside source if they are trusted. Check Webhosting Talk or the cPanel Forums for recommendations on contractors to use.

If the terms allow_url_fopen, magic_quotes_gpc, or open_basedir are not known to you, then you should hire an outside agent to check and secure your system. Should those terms seem familiar, then the list below has some things to check and secure when it comes to PHP.

[Note that some of these items are DEPRECATED in PHP 5.3.x and will be removed. Keep track of changes like these via the PHP documentation. When in doubt, hire an expert for help.]

- Disable these functions via the PHP.ini: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open.

- Enable and correctly configure oper_basedir to limit PHP from accessing files outside the assigned directories. For example:
open_basedir = "/var/www/sitename/:/usr/local/php/"

- Disable safe_mode and magic_quotes_gpc in the PHP.ini.

Magic Quotes existed to help against SQL Injection. However, it was deprecated in PHP 5.3.x. The PHP manual explains it best, “There is no reason to use magic quotes because they are no longer a supported part of PHP.”

- Ensure that allow_url_include and allow_url_fopen are turned off.

- Disable register_globals in the PHP.ini.

- Install and run the PHPSecInfo script from the PHP Security Consortium. You can learn more here.

- The PHP Security Consortium also has a handy security guide for PHP. You can read it here.

- Set a strong MySQL root password, and share it with no one. Any MySQL account created for a given script should have the least amount of access needed to work. Take care to remove unneeded access and permissions. Also, like the root account, create a unique and strong account password for each MySQL account created.

- If you’re able to use it, then mod_security for Apache is a great tool. Check with your host for any potential problems before you install it. Also, if you need help, remember to go to an expert or check out the community surrounding the project. While it was purchased by Trustwave, it is still open source.

- cPanel has produced a list of things for administrators to consider for security. A top ten list is here.

When you manage your own server, it cannot be stressed enough that security needs to be a primary area of research. There is no one-time fix. If you need help, hire an outside resource or check with your host and inquire about security services. Doing so will help prevent your domain from falling victim to criminals wanting to use it to further their BHSEO schemes.

Like this article? Please share on Facebook and give The Tech Herald a Like too!