SEO poisoning attack hits big sites; Can the defenses scale?

TOPICS: Google, Security

Security researcher Dancho Danchev said Friday that SEO poisoning attacks have scaled up and are attacking well known sites. Google has been filtering its results as a defense, but Danchev's latest finding brings up an interesting question: Can the defenses scale?

First, a few key points. SEO poisoning isn't new. In fact, targeted IFRAME attacks have been around for months. Danchev's point (Techmeme):

What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves.

These attacks are impacting ABCNews.com, News.com, Target.com, Walmart and dozens of other sites.

Danchev's findings are a must read--especially if you follow all the coding behind the scenes. But these attacks have a whack-a-mole quality to them. These attacks keep popping up and at some point you get tired of whacking them. What will be interesting to watch is how Google's defenses scale up in defense of these attacks. Google can scale. And malicious hackers can scale. It's an interesting race to say the least.


Talkback

46 comments
  • SEO?

    Sorry, may I have an expansion for the acronym?
    DannyO_0x98
    • SEO...

      Search Engine Optimization.
      mrOSX
      • Thank you

        Thanks for the clarification. While my life is TLAs, every once in a while, I need help.
        cynic8
        • Oh really? Trans Linear Accelerators?

          Fascinating! ;)
          JCitizen
  • RE: SEO poisoning attack hits big sites; Can the defenses scale?

    What the hell is Dignan talking about?
    plainstreet@...
  • It's very rude not to explain your acronym at least once in the story.

    Especially in a field as filled with TLA (three letter acronyms) and overloaded operators (abbreviations which can mean more than one thing and whose meaning is determined by the context) as computing.

    See, it is not hard. Just expand the TLA the first time you use it -- and thereafter everyone knows what you mean.

    Regards,
    Jon
    JonathonDoe
    • It used to be standard practice...

      "See, it is not hard. Just expand the TLA the first time you use it -- and thereafter everyone knows what you mean."

      This used to be standard practice in any book, newspaper or magazine article. When the author fails to do so, one wonders if the author actually knows the meaning of the acronym or abbreviation he/she employs.

      Even with the acronym defined, I have no idea what the author is trying to say. Does anyone?
      cdgoldin
    • SEO = Search Engine Optimizer

      It would seem that these scumbags have come up with a way to hack the Google optimizer which puts various sites on the first page of your search depending on a number of factors. These include how relevant they are to your search plus the frequency they are selected as the link being searched for. Basically by hacking their way to the all important first page these miscreants have increased the likelihood that some poor surfer is going to pick their malware infested website.
      maldain
    • Leaves me feeling rather dumb and silly...

      Well, it all sounds very intriguing, if only I knew what on
      earth you were talking about. What do "poisoning" and SEO
      mean please in the context used? What does "poisoning" do
      to or on a site, and what are the effects? I am just a 71 year
      old dumb, retired magistrate but your interesting-looking
      post means nothing to me! Help us out please!
      quark@adept.co.za
      quark@...
    • Rude acronyms...

      Yes, my thoughts exactly. It is Bad Journalism to not define your acronyms at the beginning of the story. Did you notice how many supposedly knowledgeable readers (including me) did not know what the hell this story was about.
      mach37
  • First understand iFrames

    To understand what an SEO poisoning attack is you have to understand iFrames.

    http://en.wikipedia.org/wiki/IFRAME

    Here's a pretty good overview of how iFrame injection works.

    http://www.informationweek.com/blog/main/archives/2008/03/developers_chec.html

    My opinion is it stems from developers being pushed to get applications online before data validation has been implemented. It's hard to debug regular expressions. Makes my eyes bleed.

    So there's a little developer hesitancy combined with management pushing a schedule and there you go. SEO injection attacks on a wide scale.

    You can minimize your exposure by not surfing with Windows and IE. Surf with Linux and Firefox running NoScript, or at least get Firefox and install NoScript.

    http://noscript.net/features
    Chad_z
    • Thanks 4 the lesson Chad. ;) N/T

      Thanks 4 the lesson Chad. ;)
      BigThunder1
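An added illustration of the missing data validation described in Chad_z's comment above (not code from the post, the linked articles, or any site named in the story). It assumes the injected IFRAME arrives in a user-supplied search term that the page echoes back; `ALLOWED_FRAME_HOSTS`, the two render functions and the sample term are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this hypothetical site intentionally frames.
ALLOWED_FRAME_HOSTS = {"www.example.com"}


def render_unsafe(term):
    """Echo the search term into the page with no output encoding."""
    return f"<h1>Results for {term}</h1>"


def render_escaped(term):
    """Same page, but the term is HTML-escaped before it is echoed."""
    return f"<h1>Results for {html.escape(term)}</h1>"


class FrameFinder(HTMLParser):
    """Collect the src of every frame element the browser would create."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            self.frames.append(dict(attrs).get("src") or "")


def foreign_frames(page, allowed=ALLOWED_FRAME_HOSTS):
    """Return frame sources that point at a host outside the allowlist."""
    finder = FrameFinder()
    finder.feed(page)
    finder.close()
    flagged = []
    for src in finder.frames:
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host is not None and host not in allowed:
            flagged.append(src)
    return flagged


# Constructed sample input: a search term carrying frame markup.
SAMPLE_TERM = 'tv <iframe src="http://untrusted.example/x"></iframe>'
```

Running `foreign_frames` over rendered or cached pages is the detection side of the same check: the escaped version produces text, not a frame element, so nothing is flagged.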
  • So Everyone's On their own; SEO is a baseball player for the Yankees!

    Go go Gadget...the Scmidt Team is out in Full Bores and Shamrock milk crates. The grey ones from White Brothers are really tall.
    rtirman37@...
  • Goooooogle

    Search engine optimization (SEO) is the process of improving the volume and quality of traffic to a web site from search engines via "natural" ("organic" or ...
    hugh@...
  • I joined a neighborhood watch group

    I stand at attention in my front window all day.
    BALTHOR
  • RE: So does anyone besides Chad_z have anything...

    ...constructive to add rather than bickering and sarcasm, or relay things such as BALTHOR's daily ritual moronic state of personal affairs?
    BigThunder1
    • I do.

      Use FireFox.

      Install the CustomizeGoogle addon in Firefox.

      Install the Greasemonkey addon in Firefox.

      Block the *.cn and *.ru (and most likely, all the "*stan") domains using the "Filter" feature in CustomizeGoogle.

      Load the "Remove Filtered Google Search Results" user script in Greasemonkey.

      That'll take care of a lot of the current problems.
      Hallowed are the Ori
      • Good advice John...

        I use Ff religiously and wouldn't be without it.

        Here's a little something I ran across some time ago and have been using successfully to block most general adv servers which may or may not help in this regard, but all the same worth having in one's arsenal IMO. It's a little application called The AD-Police. Not perfect, but does catch/stop a lot of the banners and adv's from known servers that clutter up your browser pages and slow loading time not caught by others.

        here... http://www.download.com/The-Ad-Police/3000-2144_4-10405089.html
        The site link from Download[dot]com goes here... http://www.freewareplaza.com/downloads/advertisment-blocker/ad-police-free-advertisment-server-blocker.html

        I know this really has no direct effect on the subject matter here, but every little bit may help in the long run. It takes a little effort, but the source URL list can be edited if you happen to find a known server/source supporting SEO & iFrame injection.

        Enjoy...
        BigThunder1
        • No direct effect?

          Since ads use this tech to place content in the HTML field on the page why wouldn't blocking the ad put quite a few of these exploits out of business?

          Sounds like you're on target to me?!
          JCitizen