Imperva Releases Details of how Search Engine Poisoning (SEP) Works
June 2011 by Marc Jacob
Imperva released its second Hacker Intelligence Initiative (HII) report, which discloses the intricate workings of a ‘Search Engine Poisoning’ (SEP) campaign. The attack, witnessed by Imperva’s Application Defense Center (ADC), was extremely successful and continued to run for at least 15 months without any apparent counter-measures employed by search engines. This acutely illustrates how websites – often unbeknownst to their administrators – and Web search engines become the conduit for these types of attack, and demonstrates that more needs to be done to stop malware being spread in this fashion.
SEP in a Nutshell
Search Engine Poisoning attacks manipulate, or “poison”, search engines so that they display search results containing references to malware-delivering websites. There is a multitude of methods to perform SEP: taking control of popular websites; using the search engines’ “sponsored” links to reference malicious sites; and injecting HTML code.
SEP is an extremely popular method used by hackers to spread their malware widely. Attackers exploit XSS on legitimate third-party websites to take advantage of the role those sites play as mediators between search engines and the attacker’s malicious site: the search engine indexes the legitimate site, but the indexed page carries the injected reference.
Amichai also advises Search Engine providers: “Current solutions which warn the user of malicious sites lack accuracy and precision, whereas many malicious sites continue to be returned unflagged. However, these solutions can be enhanced by studying the footprints of a SEP via XSS. This allows a more accurate and timely notification, as well as prudent indexing.”
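The footprint the report refers to, for both the XSS-mediated mechanism described under “SEP in a Nutshell” and the “prudent indexing” advice above, is a crawled URL whose query-string values are reflected verbatim into the page body. The following is an added example (not code from Imperva or from the report) of how a crawler or site owner could check a fetched page for that footprint; the URL, page body and field names are constructed for illustration.

```python
"""Detect the SEP-via-XSS footprint: a URL whose query parameter values are
reflected into the page body without HTML escaping. Such a page would index
and serve whatever markup an attacker places in the URL. (Added example;
sample inputs below are constructed, not real crawl data.)"""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Markup that would render if reflected unescaped: a tag, an event handler,
# or a javascript: URL.
_MARKUP = re.compile(r"<[a-zA-Z/!]|on\w+\s*=|javascript:", re.IGNORECASE)


def reflected_params(url: str, body: str) -> list:
    """Return each query parameter whose raw (unescaped) value appears in
    `body`. `injectable` is True when that value already carries markup,
    i.e. the page is serving injected HTML, not merely echoing text."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) < 4:  # too short to be a meaningful reflection
            continue
        if value in body:  # raw form present; html.escape'd form alone is fine
            findings.append({
                "param": name,
                "value": value,
                "injectable": bool(_MARKUP.search(value)),
            })
    return findings


def safe_to_index(url: str, body: str) -> bool:
    """Prudent-indexing decision: refuse pages that reflect injected markup."""
    return not any(f["injectable"] for f in reflected_params(url, body))


if __name__ == "__main__":
    # Constructed sample: a search page echoing the query unescaped.
    poisoned_url = "https://example.test/search?q=<script>alert(1)</script>&page=2"
    poisoned_body = "<h1>Results for <script>alert(1)</script></h1>"
    print(reflected_params(poisoned_url, poisoned_body))
    print("index?", safe_to_index(poisoned_url, poisoned_body))
```

The `html.escape` form of a value is deliberately not matched: a page that encodes its input (`&lt;script&gt;...`) is displaying text, not serving markup, and is left indexable.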
Imperva’s Hacker Intelligence Initiative reports, issued monthly, are created to give a better understanding of the latest threats coming from hackers – by investigating hacker forums and monitoring attack traffic – and to help organizations better protect themselves.