Akamai Diversity

Open Redirect, XSS and SEO Attacks

A couple of months ago, my colleague Or Katz published an article about an interesting trend that he uncovered, in which black-hat SEO marketers were abusing Open Redirect vulnerabilities on popular websites to increase the popularity of advertisement sites.

While performing unrelated attack trend analysis, I recently stumbled upon an interesting finding that further demonstrates the use of web application layer vulnerabilities for SEO purposes.

The scenario is quite similar to what was described in the article referenced above: attackers are abusing an Open Redirect vulnerability to promote a website. The twist, however, is that in the current case the redirection lands on a site containing a web page that reflects information about the PHP installation and the current HTTP request (phpinfo).

Upon further inspection of the request's query parameters, it appears that the request is sent to the 'phpinfo' page with a PHP array-style query variable, a[], whose value contains a link to the promoted web page.

This attack abuses an XSS vulnerability in phpinfo() discovered by Stefan Esser in 2005 (http://www.hardened-php.net/advisory_182005.77.html), with a PoC released in 2007 (http://www.exploit-db.com/exploits/3405/).

By chaining this vulnerability with the open redirect, the attackers turn a single open redirect into a way of promoting their link through many vulnerable websites.

Looking at the data, we saw that the attacks originate from the following countries:

Count   Country
663     US
651     CN
133     FR
54      CA
43      BR
41      DE
40      ID
38      VE
34      RU
30      RO
28      PL
26      GB
21      UA
20      HK
19      IN
18      TH
14      TW
11      BD
10      AR
10      JP

The main exploited sites are distributed across TLDs in the following manner:

Count   TLD
180     com
154     de
45      net
44      tw
34      gov
32      ca
30      br
25      ru
20      int
17      ws
16      org
13      uk
12      fr
11      eu
9       it
9       hu
9       edu
8       es
7       dk
7       ch

An interesting trend in this kind of SEO abuse is that traditional SEO was performed to promote specific domains where a product is being sold. We are now seeing a new trend in which XSS is performed against digital properties under common service-provider domains (i.e. social networks, video-sharing sites, forums) and against products on common online sales sites.

The following are the Top 20 promoted domains:

Promoted site (category)        Count
Fake-Products-Store             20405
Pirated-Software                 5874
Popular Forum                    4350
Popular Video Sharing Site       2952
Malicious Software               2073
Black-Hat SEO Website            3861
Travel and Tourism               1776
Popular Video Sharing Site       1427
Fake-Products-Store              1284
Popular Online Store             1171
Popular Online Store             1108
Popular Blogging Website          981
Popular Social Network            969
Gaming Blog                       816
Music Video Sharing Platform      737
Real Estate Blog                  707
Game Blog                         663
Veterans Blog                     663
Public Library                    618
Video Blog                        603

Recommendations
It appears that certain vulnerabilities, which were once considered low-severity and thus were never prioritized for fixing, are now resurfacing as a new tool for black-hat SEO marketers to promote their sites. Web application owners should keep their infrastructure up to date and follow secure development best practices, avoiding Open Redirect and XSS vulnerabilities.
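The two fixes this recommendation calls for, shown as an added Python example that is not code from the Akamai post or from PHP itself: a redirect validator that only lets a "next" value land on an allow-listed host, and a parameter-reflection helper that HTML-encodes what it echoes, which is exactly what the phpinfo page failed to do. It goes a little beyond the case in the post by also rejecting the common open-redirect bypass shapes (protocol-relative, backslash, userinfo and scheme-only values). ALLOWED_HOSTS, DEFAULT_LANDING, safe_redirect_target and render_param_row are names and values constructed for this example.

```python
"""Added example, not code from the Akamai post: a redirect allow-list check
and an HTML-encoding reflection helper. ALLOWED_HOSTS and DEFAULT_LANDING
are constructed values."""
import html
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}  # constructed allow-list
DEFAULT_LANDING = "https://www.example.com/"


def safe_redirect_target(next_param: str, base: str = DEFAULT_LANDING) -> str:
    """Return a destination on an allowed host, or the default landing page.

    Anything that could leave the site falls back to `base`: absolute URLs to
    other hosts, protocol-relative "//host", backslash variants "/\\host",
    userinfo tricks "https://www.example.com@host", scheme-only values such
    as "https:host" (browsers read them as "https://host"), and non-HTTP
    schemes such as "javascript:".
    """
    if not next_param:
        return base
    # Browsers treat "/\host" like "//host", so normalise before parsing.
    candidate = next_param.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return base
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return base
        if not parts.netloc:
            return base
    if parts.netloc:
        # .hostname drops userinfo and port, so "allowed@evil" resolves to "evil".
        if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
            return base
        return candidate
    # A bare path: resolve it against our own origin so it cannot escape it
    # (urljoin also collapses "../" and turns "///host" into a local path).
    return urljoin(base, candidate)


def render_param_row(name: str, value: str) -> str:
    """Reflect a request parameter into an HTML table row with both cells
    encoded, so '<a href=...>' is shown as text rather than becoming a link."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"


if __name__ == "__main__":
    for probe in ["/account?tab=1", "https://www.example.com/x", "//evil.example/",
                  "https://www.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{probe!r:45} -> {safe_redirect_target(probe)}")
    print(render_param_row("a[]", '<a href="http://promoted.example/">x</a>'))
```

The validator deliberately returns an absolute URL on the site's own origin for path-only values instead of echoing the raw parameter, because browsers resolve odd shapes such as "///host" as an authority while URL libraries often do not; comparing on `parts.hostname` rather than `netloc` is what defeats the userinfo and port variants.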

Setting up specific WAF rules to detect and block XSS attacks and Open Redirects will increase the level of protection as well, and provide visibility to URLs that malicious users attempt to target.
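The detection logic a WAF rule or log review would encode for the two halves of the chain described in this post, as an added Python example that is not code from the Akamai post: it reads access-log lines and flags (1) a phpinfo-style page receiving an array parameter such as a[] whose value carries HTML, and (2) a redirect parameter whose value points off-site. The log lines, host names (other-site.example, promoted.example, www.example.com) and the REDIRECT_PARAMS list are constructed for this example.

```python
"""Added example, not code from the Akamai post: flag the open-redirect and
phpinfo-reflection request shapes in web-server access logs. Sample log
lines, host names and parameter names are constructed."""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line and status from an Apache/nginx "combined" log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Parameter names commonly used for "send the user here next" (constructed list).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "return", "returnurl", "goto", "dest"}
TAG_OPENER_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)  # any HTML tag opener
OWN_HOSTS = {"www.example.com"}  # constructed: the site's own host names


def classify(line: str) -> List[str]:
    """Return the detections that fire for one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    try:
        req = urlsplit(m.group("target"))
    except ValueError:  # malformed bracketed host etc.
        return ["unparseable-target"]
    # parse_qsl percent-decodes names and values once; a[] arrives as a%5B%5D.
    params = parse_qsl(req.query, keep_blank_values=True)
    findings: List[str] = []

    if "phpinfo" in req.path.lower():
        for name, value in params:
            # A second unquote catches double-encoded payloads (%253C -> %3C -> <).
            if name.endswith("[]") and TAG_OPENER_RE.search(unquote(value)):
                findings.append(f"reflected-html-in-array-param:{name}")
                break

    for name, value in params:
        if name.lower() not in REDIRECT_PARAMS:
            continue
        try:
            # Backslashes are normalised because browsers treat /\host like //host.
            dest = urlsplit(unquote(value).replace("\\", "/"))
        except ValueError:
            findings.append(f"offsite-redirect:{name}->unparseable")
            continue
        if dest.netloc and (dest.hostname or "") not in OWN_HOSTS:
            findings.append(f"offsite-redirect:{name}->{dest.hostname}")
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, findings) for every line that fired."""
    hits = []
    for i, line in enumerate(lines, start=1):
        found = classify(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample log: lines 1 and 5 are the open-redirect side of the chain,
# line 2 is the phpinfo side; lines 3 and 4 are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2013:12:00:01 +0000] "GET /go.php?url=http://other-site.example/phpinfo.php%3Fa%5B%5D%3D%3Ca%20href%3D%22http%3A%2F%2Fpromoted.example%2F%22%3Ex%3C%2Fa%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2013:12:00:02 +0000] "GET /phpinfo.php?a%5B%5D=%3Ca%20href%3D%22http%3A%2F%2Fpromoted.example%2F%22%3Epromo%3C%2Fa%3E HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2013:12:00:03 +0000] "GET /go.php?url=%2Faccount HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2013:12:00:04 +0000] "GET /phpinfo.php HTTP/1.1" 200 48100 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2013:12:00:05 +0000] "GET /index.php?next=%2F%2Fpromoted.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, found in scan_log(SAMPLE_LOG):
        print(lineno, ", ".join(found))
```

Running it prints findings for lines 1, 2 and 5 only. The off-site check is the useful one for visibility: a redirect parameter whose host is not your own is either a bug in the application or someone exercising one, and the destination host names are the list of sites being promoted.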

Be careful who you hire to provide your SEO services; Google provides some tips on choosing an SEO provider: https://support.google.com/webmasters/answer/35291?hl=en
