A couple of months ago, my colleague Or Katz published an article about an interesting trend that he uncovered, in which Black Hat SEO marketers were abusing Open Redirect vulnerabilities on popular websites to increase the popularity of advertisement sites.
While performing unrelated attack trend analysis, I recently stumbled upon an interesting finding that further demonstrates the use of web application layer vulnerabilities for SEO purposes.
The scenario is quite similar to the one described in the article referenced above: attackers are abusing an Open Redirect vulnerability to promote a website. The twist in the current case is that the redirection lands on a site containing a web page that reflects information about the PHP installation and the current HTTP request (phpinfo).
Upon further inspection of the request's query parameters, it appears that the request is sent to the 'phpinfo' page with a serialized array variable called a[], and inside it there is a link to the promoted web page.
This attack abuses an XSS vulnerability discovered by Stefan Esser in 2005 (http://www.hardened-php.net/advisory_182005.77.html), for which a PoC was released in 2007 (http://www.exploit-db.com/exploits/3405/).
By chaining the open redirect with this vulnerability, the attackers turn a single open redirect into a link promoted through many vulnerable websites.
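To make the request pattern described above easier to spot in access logs, here is an added detection example (my own code, not part of the original post) that scans combined-format log lines for two signals: a redirect parameter whose value points off-site, and an array-style parameter such as a[] whose decoded value carries HTML markup, which is the shape the phpinfo() reflection takes. When the redirect target itself contains such a parameter, the two are reported as one chained finding. The log lines, the host names (victim.example, promoted.example, www.example.org) and the list of redirect parameter names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format). Hosts, paths and
# addresses are placeholders for this example, not data from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /redirect?url=http%3A%2F%2Fvictim.example%2Fphpinfo.php%3Fa%5B%5D%3D%3Ca%20href%3D%22http%3A%2F%2Fpromoted.example%2F%22%3Echeap%3C%2Fa%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:01 +0000] "GET /phpinfo.php?a[]=%3Ca+href%3D%22http%3A%2F%2Fpromoted.example%2Fshop%22%3Eshop%3C%2Fa%3E HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:57:12 +0000] "GET /redirect?url=/account/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2013:13:58:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Hosts the monitored site owns (hypothetical); anything else is an external redirect.
OWN_HOSTS = {"www.example.org", "example.org"}

# Parameter names commonly used to carry a redirect destination (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "return", "goto", "dest", "target"}

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"<\s*[a-zA-Z]")  # start of an HTML tag inside a parameter value


def split_target(target):
    """Split a request target (or any URL) into its path and decoded query pairs."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def is_external_url(value, own_hosts):
    """True if value is an absolute or protocol-relative URL pointing off-site."""
    value = value.strip()
    if value.startswith("//"):
        return True
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and parts.hostname not in own_hosts


def injected_array_params(params):
    """Names of array-style parameters (a[], b[]) whose decoded value carries HTML markup."""
    return [name for name, value in params if name.endswith("[]") and MARKUP_RE.search(value)]


def analyze_line(line, own_hosts=OWN_HOSTS):
    """Return a list of finding labels for one access-log line (empty if nothing matched)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    findings = []
    path, params = split_target(m.group("target"))
    # 1. Markup smuggled in an array parameter, the shape the phpinfo() reflection takes.
    if injected_array_params(params):
        findings.append("markup-in-array-param")
        if "phpinfo" in path.lower():
            findings.append("phpinfo-target")
    # 2. A redirect parameter pointing off-site; then look at whether the landing
    #    URL itself carries the injected markup (the chained pattern).
    for name, value in params:
        if name.lower() in REDIRECT_PARAMS and is_external_url(value, own_hosts):
            findings.append("external-redirect-target")
            _, inner_params = split_target(value)
            if injected_array_params(inner_params):
                findings.append("redirect-lands-on-reflected-markup")
    return findings


def scan_log(text, own_hosts=OWN_HOSTS):
    """Return (client_ip, findings) for every line that triggered at least one finding."""
    hits = []
    for line in text.splitlines():
        findings = analyze_line(line, own_hosts)
        if findings:
            hits.append((REQUEST_RE.search(line).group("ip"), findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

The redirect check is deliberately generic (any listed parameter carrying an off-site URL), so the same scan also surfaces plain open-redirect abuse of the kind the earlier article described; the chained label only fires when the destination carries the array-parameter injection.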
Looking at the data, we saw that the attacks originate from the following countries:
Count  Country
  663  US
  651  CN
  133  FR
   54  CA
   43  BR
   41  DE
   40  ID
   38  VE
   34  RU
   30  RO
   28  PL
   26  GB
   21  UA
   20  HK
   19  IN
   18  TH
   14  TW
   11  BD
   10  AR
   10  JP
The main exploited sites are distributed across TLDs as follows:
Count  TLD
  180  com
  154  de
   45  net
   44  tw
   34  gov
   32  ca
   30  br
   25  ru
   20  int
   17  ws
   16  org
   13  uk
   12  fr
   11  eu
    9  it
    9  hu
    9  edu
    8  es
    7  dk
    7  ch
An interesting trend in this kind of SEO is that traditional SEO was performed to promote specific domains where a product is being sold. We are now seeing a new trend where XSS is performed against digital properties under common service provider domains (i.e. social networks, video sharing sites, forums) and against products on common online sales sites.
The following are the Top 20 promoted domains:
Count  Promoted domain (category)
20405  Fake-Products-Store
 5874  Pirated-Software
 4350  Popular Forum
 2952  Popular Video Sharing Site
 2073  Malicious Software
 3861  Black-Hat SEO Website
 1776  Travel and Tourism
 1427  Popular Video Sharing Site
 1284  Fake-Products-Store
 1171  Popular Online Store
 1108  Popular Online Store
  981  Popular Blogging Website
  969  Popular Social Network
  816  Gaming Blog
  737  Music Video Sharing Platform
  707  Real Estate Blog
  663  Game Blog
  663  Veterans Blog
  618  Public Library
  603  Video Blog
Recommendations
It appears that certain vulnerabilities, which were once considered low-severity and thus were never prioritized for fixing, are now resurfacing as a new tool for black-hat SEO marketers to promote their sites. Web application owners should keep their infrastructure up to date and follow secure development best practices, avoiding Open Redirects and XSS vulnerabilities.
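As an added illustration of the "avoid Open Redirects" advice (example code written for this page, not code from the original post or from any particular framework), the block below puts the vulnerable handler pattern next to a hardened one. The hardened version accepts only a single-slash site-local path or an absolute http(s) URL whose host is on an allowlist, and rejects the usual bypass shapes: protocol-relative "//host", triple-slash paths, backslashes, embedded credentials, non-http schemes and control characters. The host names and the `url` parameter name are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts we own (hypothetical). Redirects may only land on these, or on a site-local path.
ALLOWED_HOSTS = frozenset({"www.example.org", "example.org"})


def open_redirect_location(params):
    """The vulnerable pattern: the Location header is whatever the 'url' parameter says."""
    return params.get("url", "/")


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return url only if it stays on our site; otherwise return the fallback path."""
    if not url:
        return fallback
    # Control characters break header handling, and some browsers treat a backslash
    # as a slash, so "/\evil.example" would be followed as "//evil.example".
    if "\\" in url or any(ord(ch) < 0x21 for ch in url):
        return fallback
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # A relative reference: accept a single-slash site-local path only. "//host" parses
        # as a netloc and is rejected below; "///host" parses as a path, hence the prefix check.
        if url.startswith("/") and not url.startswith("//"):
            return url
        return fallback
    if parts.scheme.lower() not in ("http", "https"):
        return fallback  # rejects javascript:, data:, and scheme-less "//host" references
    if parts.username is not None or parts.password is not None:
        return fallback  # "http://www.example.org@evil.example/" carries credentials, not our host
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return fallback
    return url


def safe_redirect_location(params):
    """The hardened handler: same parameter, validated before it reaches the Location header."""
    return safe_redirect_target(params.get("url"))


if __name__ == "__main__":
    for candidate in ("/account/home", "http://evil.example/", "//evil.example/",
                      "http://www.example.org@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Returning a fixed fallback rather than an error keeps the user flow intact while guaranteeing the Location header can never carry a third-party destination; if the application genuinely needs cross-site redirects, the allowlist is the only place that should grow.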
Setting up specific WAF rules to detect and block XSS attacks and Open Redirects will raise the level of protection as well, and provide visibility into the URLs that malicious users attempt to target.
Be careful who you hire to provide your SEO services; Google provides some tips on choosing an SEO provider: https://support.google.com/webmasters/answer/35291?hl=en