Poisoned Search Engine Results : SEO Kits & Poisoning Explained

Part 1

Optimizing your website to appear high in Search Engine Result Pages is not rocket science or something only achievable to big brands.  Now, actively working on the immediate & on going steps to optimize your website,  with the end goal of increased visibility & click-through, indeed, has become more competitive.  Search engines’s algorithms are built on rules sets so we could call Search Engine Optimization a science as well as a niche artistry. Where does the art come into play? It comes from the creativity that will always be required for a stand out SEO. .Black Hat Search Engine Optimization

On the darker end of this creative spectrum lies a number of other techniques. Techniques that are quite creative but also against the code of ethics.   Its called”Black Hat SEO“.  It is not something new & has been around for quite some time here. Actually,  these type of techniques contribute to a huge percentage of the spam that resides on the Internet today. And not only, these SEO’s have contributed to the bad reputation that SEO’s have among consumers. Consumers that unwittingly put their full trust in Search engines &  click through malicious or affiliate laden links.    So we all are familiar with the mass production of spam by these techniques but the everyday user & beginning SEO’er may not be completely familiar with the practice of hacking for the purpose of ranking. When we start talking about hacking, we start to get into security risks and actual damage done to digital assets.  I recently ran into a situation in where a site, that I had recently signed to do work on had been compromised with an Black Hat SEO tactic called SEO Poisoning.

The problem stemmed from a number of issues that I will later discuss in detail. Issues such as; lacking authority to update the clients Content Management System, no access to cPanel & so forth . After Google notified me via webmaster tools with a letter stating that “Your site is comprised & distributing malware” I had to quickly change gears to gain further back end access, secure & repair the site as well as send in a site review request to Google.

What Is SEO Poisoning?

SEO poisoning is a term used to describe the process of tricking search engines to rank a given site higher then what it should on results pages. The sole  purpose of this attack is to rank a site for any given keyword & then redirect the click through  to another website. A rouge site that  is either filled with affiliate links or malicious code.  Completely irrelevant to your original search.  A search user is really setting themselves up for trouble if their search behaviors are hungry to find leaked videos of Miley Cyrus,  pictures of Jennifer Lopez or Kim Kardashian.  I was amazed to see the search traffic that is seeking to  investigate ‘if Justin Bieber really has a son?’ .  Besides all of this, it has been a problem in the world of search & its prevalence has increased. Security expert at Sophos, Graham Cluley , wrote that  SEO poisoning is one of the major methods of attack that we are seeing being used by online criminals.


The video below demonstrates how we can find SEO poisoning sites using Google Search.

How Is SEO Poisoning Implemented?

The bad guys make use of something called SEO Kits.  SEO Kits is the application that is used to create & command an attack . It is responsible for generating fake optimized pages for search engine crawlers with the end result of poisoning search results in order to redirect users to rogue sites.

What these  bad guys do is they stayed closely tuned with hot & trending buzz items. This is all very simple thanks to services such as Google Trends. However, SEO poisoning is not limited to just the buzzing or risque topics. How it starts is the attacker sends out a crawler or bot. Unlike a crawler such as, Googlebot, who will crawl your site looking for new pages & content, this bot crawls your site looking for vulnerable directories. Once the weak point in your webpage is identified, the attacker later will inject a malicious script. The attack is carried out via XSS or cross server scripting.

There is a commonality found between the compromised sites.The common point being the sites use the same Content Management System (CMS) with the high probably that these CMS’s were running outdated versions. These CMS include (and are not limited to) Joomla!, Wordpress, phpBB, MediaWiki, osCommerce, CMS Made Simple and Zen cart. So before we click over to our gmail & e-mail our webmaster to inquire if they know any web developers to build your site from the ground up, it should be known that these CMS’s are out in the open market to be studied for ZeroDay exploits.  Basically vulnerabilities that are not known by the developers.
On top of running an outdated CMS version attackers make use of exploited outdated  CMS plug­ins and extensions.

It is well known that the most common  attack today makes use of Iframes.  Commonly these SEO Kits or Black Hat Scripts are based off of PHP . They can make use of XSS and/or PHP for injecting the code. It is common to inject the kit into iFrames. Once the kit is uploaded to the server the attacker is enabled to execute commands on the server side .  This is where we find that they create further directories & pages that contain highly trafficked keywords. These newly created pages are poisoned to rank in SERPS. Once a visitor commits & clicks, directing their browser to the poisoned link, they will in turn be directed to a completely different site. Once again a spam site laden with affiliate links or malicious code.

As Search Engine Optimizers, Web Designers & Webmasters, we will have the increasing  need to be sure that our sites & clients sites are hardened & secure. To prevent Data loss, downtime & the headache of recovery.

Look forward to the continuation of this article titled Recovery From SEO Poisoning.


About the Author:

Family Man, Online Marketer, Social Media Manager, Search Engine Optimizer, Web Design, Governor at H2OSocial. +Ronnie Kirchner

Leave a Reply