While performing unrelated attack trend analysis, I recently stumbled upon an interesting finding that further demonstrates the use of web application layer vulnerabilities for SEO purposes.

The scenario is quite similar to what was described in the article referenced above - attackers are abusing an Open Redirect vulnerability to promote a website. The twist however, is that in the current case, the redirection lands into a site, which contains a web page that reflects information about the PHP installation, and the current HTTP request (phpinfo)

Upon further inspection of the request's query parameters, it appears that the request is sent to the 'phpinfo' page with a serialized variable, called a[], and inside there is a link to the promoted webpage.

This attack abuses an XSS vulnerability discovered by Stephan Esser in 2005 http://www.hardened-php.net/advisory_182005.77.html , and a PoC released in 2007 http://www.exploit-db.com/exploits/3405/

By abusing this vulnerability, and using the open redirect, the attackers are managing to abuse a single open redirect to further promote on many vulnerable websites a link.

Looking at the data, we saw that the attacks originate from the following countries:

663     US

651     CN

133     FR

54       CA

43       BR

41       DE

40       ID

38       VE

34       RU

30       RO

28       PL

26       GB

21       UA

20       HK

19       IN

18       TH

14       TW

11       BD

10       AR

10       JP

The main exploited sites distribute across TLDs in the following manner:

180     com

154     de

45       net

44       tw

34       gov

32       ca

30       br

25       ru

20       int

17       ws

16       org

13       uk

12       fr

11       eu

9         it

9         hu

9         edu

8         es

7         dk

7         ch

An interesting trend on this kinds of SEO, is that traditional SEO was performed to promote specific domains, where a product is being sold. We are now seeing a new trend where XSS is being performed against digital properties under common service provider domains (ie. Social Networks, Video Sharing Sites, Forums) and products on common online sales sites.

The following are the Top 20 promoted domains:

Fake-Products-Store                     20405

Pirated-Software                             5874

Popular Forum                                4350

Popular Video Sharing Site             2952

Malicious Software                          2073

Black-Hat SEO Website                  3861

Travel and Tourism                         1776

Popular Video Sharing Site             1427

Fake-Products-Store                       1284

Popular Online Store                       1171

Popular Online Store                       1108

Popular Blogging Website                 981

Popular Social Network                     969

Gaming Blog                                      816

Music Video Sharing Platform           737

Real Estate Blog                                707

Game Blog                                         663

Veterans Blog                                    663

Public Library                                     618

Video Blog                                         603

 

Recommendations
It appears that certain vulnerabilities, which were once considered low-severity and thus were never prioritized to be fixed, are now resurfacing as a new tool for black SEO marketers to promote their sites. Web application owners should keep their infrastructure up to date, and of follow secure development best practices, avoiding Open Redirects and XSS vulnerabilities.

Setting up specific WAF rules to detect and block XSS attacks and Open Redirects will increase the level of protection as well, and provide visibility to URLs that malicious users attempt to target.

Be careful who you hire to provide your SEO services, Google provides some tips when choosing an SEO provider: https://support.google.com/webmasters/answer/35291?hl=en