Attackers' own tricks turned against them
Security researchers from Zscaler, a provider of cloud-based security solutions, have developed a Firefox extension aimed at protecting users from black hat search engine optimization (BHSEO) attacks. Dubbed Search Engine Security (SES), the add-on allows altering the Referer header, which tricks the malicious pages into not delivering their payload.
Black hat search engine optimization, otherwise known as search result poisoning, is the practice of hijacking popular search keywords and pushing malicious links at the top of search results in order to trick users into visiting them. This is currently one of the most common methods of distributing scareware, rogue applications that pose as antivirus products.
"Blackhat SEO has become the most prevalent threat facing end-users on the web today, surpassing social networking threats. Our research has shown that virtually any popular search term will contain malicious sites within the top 100 results at all major search engines including Google, Yahoo! and Bing. In some cases, up to 50% of search results are malicious. When combined with social engineering attacks such as delivering fake antivirus applications or fake software updates, these attacks are incredibly effective," Michael Sutton, VP of Security Research at Zscaler, explains.
The security industry has struggled to come up with an effective solution to block these attacks for a long while now. Practice has already demonstrated that blacklist-based approaches are ineffective, because attackers rotate the malicious links too quickly. Real-time scanning all pages shown in search results before the user actually visits them has brought strong criticism from web developers because the practice was generating extra and unnecessary traffic for their websites.
Zscaler's solution is simple and elegant, as it turns the attackers' own tricks against them. Before delivering the payload, most, if not all of these malicious pages check to see if the visiting user actually came through the poisoned search engine results. This is done by inspecting the Referer field in the request header sent by their browser. Attackers employ this method in order to prevent the landing page from being discovered by crawlers or other automated security scanners.
The Search Engine Security Firefox extension allows setting the Referer header to a particular URL for all major search engines. This will trick the BHSEO landing pages to no longer serve their payload to SES users. However, there are some legitimate uses for websites to know if a visitor came through a particular search engine. That's why the add-on also comes with a whitelist, where users can add exceptions for the websites they trust.
The Search Engine Security add-on can be downloaded and installed from here.
You can follow the editor on Twitter @lconstantin
New Firefox Extension Can Thwart BHSEO Attacks