Creating News for Blackhat SEO

Spammers and scammers are no longer content with exploiting real news events for their personal gain - they're now creating their own news to earn money through affiliate programs using blackhat SEO techniques.
Blackhat SEO is when spammers and scammers use various dirty tricks to get links to their pages to show up near the top of search results on search engines. It's been a problem for a while, and scammers recently exploited the Haiti disaster and the Olympics to get malicious links at the top of search results pages.
It now appears that they aren't waiting for news to break anymore – they're actually creating fake news. While monitoring trending search topics for malware, we came across a large set of malicious links in the results for 'famu sextape link'. The number of spam links was far higher than for any other trending search topic – 9 out of 10 results were links to the same fake search engine affiliate page. We did some research, and it appears that the 'famu sextape' was actually a hoax – spammers spammed links to college students, and eventually people started searching for a real sex tape that never existed. Once the term started showing up on search trend pages, other scammers started exploiting it and putting up their own pages.
One very interesting thing about this is that some of the links showing up on search engines were to .edu sites – clearly targeting college students. These sites were all compromised by hackers, and a variety of redirection techniques were used to get clickers to the fake search engine page:
  • An HTTP 302 redirection to another page on the same server with some obfuscated JavaScript code:

  • That JavaScript code evaluates to a document.write() call that embeds a Flash file in the page:

  • This Flash file is only 229 bytes long and contains a single line of code that executes more obfuscated JavaScript:

  • This obfuscated JavaScript redirects to yet another page:

  • This page then uses a couple of HTTP 302s to redirect to the fake search engine affiliate page that shows 'sponsored links'.
These techniques make it difficult for search engines to keep up with the spam links. The initial pages look fine – just some JavaScript, then a Flash file. Unless the search engines parse the JavaScript and SWF to follow all of the links, they'll never know what the true destination of the page is.
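The kind of static check a crawler or analyst could run over a captured response chain like the one above, as an added example (not code from the original post): it flags script-only pages, decodes one layer of unescape() to expose a hidden Flash embed, and notes unusually small SWF files. The sample chain, its paths and host name, and the 1024-byte threshold are assumptions.

```python
import re
from urllib.parse import unquote

# Primitives the chain above relies on to hide the next hop from a crawler.
PRIMITIVES = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")
UNESCAPE_LITERAL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
SWF_REF = re.compile(r"""(?:src|data|value)\s*=\s*['"]?([^'"\s>]+\.swf)""", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
TAGS = re.compile(r"<[^>]+>")
TINY_SWF = 1024  # assumed threshold in bytes; the article's file was 229

def triage_page(body):
    """Static findings for one HTML body; nothing is executed."""
    findings = []
    scripts = "".join(SCRIPT.findall(body))
    visible = TAGS.sub("", SCRIPT.sub("", body)).strip()
    used = sorted(set(PRIMITIVES.findall(scripts)))
    if used and not visible:
        findings.append("script-only page using " + ",".join(used))
    # Decode one layer of unescape("%XX...") literals (not %uXXXX) to expose embeds.
    decoded = body + "".join(unquote(m[1]) for m in UNESCAPE_LITERAL.findall(scripts))
    for ref in SWF_REF.findall(decoded):
        findings.append("embeds Flash: " + ref)
    return findings

def triage_chain(hops):
    """hops: (status, Location or None, body, SWF size or None) per response."""
    report = []
    for status, location, body, swf_size in hops:
        notes = []
        if status == 302:
            notes.append("302 -> " + str(location))
        if swf_size is not None and swf_size < TINY_SWF:
            notes.append("tiny SWF (%d bytes)" % swf_size)
        report.append(notes + triage_page(body))
    return report

# Constructed sample modeled on the hops above; paths and host are placeholders.
SAMPLE = [
    (302, "/news/page2.html", "", None),
    (200, None, '<html><script>document.write(unescape('
                '"%3Cembed%20src%3D%22/media/a.swf%22%3E"));</script></html>', None),
    (200, None, "", 229),
    (302, "http://search.example/results", "", None),
]

if __name__ == "__main__":
    for i, notes in enumerate(triage_chain(SAMPLE)):
        print(i, notes or ["nothing flagged"])
```

The second hop is the instructive one: the raw HTML contains no visible Flash reference, and the embed only appears once the unescape() literal is decoded.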
While this specific example doesn't lead to anything malicious, these same obfuscation and redirection techniques are used to spread malware. They are commonly seen in exploit packs, such as Gumblar. This shows that you can't always trust the hosts that search engines point to. A seemingly benign-looking EDU hostname could be a compromised site redirecting your browser to malware.
To help combat the malware threat on the web, make sure your antivirus software is always up to date. It also helps to enable blacklisting in browsers that support it, such as the 'Block reported attack sites' setting in Firefox.

