Competition for dominance of search engine rankings is turning sour as rival companies sabotage each other's Web sites to trick search engines into mistakenly believing them to be spam sites.
Rivals are undermining each others search engine optimisation efforts by exploiting cross-site scripting (XSS) and SQL-injection Web site vulnerabilities to fool search engines into categorising them as malicious.
XSS and SQL-injections flaws have typically been used to create phishing scams or drive-by-download attacks that use malware to take control of a Web site visitor's machine.
However, in this case, the techniques can be used to destroy the visibility of a competitor through Google.
By exploiting flaws, such as using a Web feedback field to enter malicious code on a targeted Web site, an attacker is able to make the target site appear as if it were attempting to improve its rankings by forcing its own URL onto other Web sites.
"We are talking about including injecting spam links to a target site through cross-site scripting," Security-Assessment.com security researcher Roberto Suggi Liverani told ITradio.com.au.
"The attacker might use social bookmarks like Digg.com or Reddit.com... and can actually simulate persons with multiple accounts using the same IP address and spamming the URL of the target site. This makes it appear as if the site is self-promoting," he said.
The type of attack relies on the interdependent trust system that search engines use to rank Web sites, according to Liverani.
To mitigate the threat, Liverani said: "Always follow what's happening on your site... You can use the Google Webmaster tools, which are a way to communicate with the search engine."
The full interview with Roberto Suggi Liverani can be heard here.