IT security firm Sophos has conducted a new research which reveals the automated tools used by Search Engine Optimisation (SEO) hackers and how companies can protect themselves. Sophos said the business of using blackhat SEO techniques to impregnate legitimate sites has become a huge money-spinner for cybercriminals. Every day scores of new malicious campaigns are discovered taking advantage of the hottest news stories on the internet to spread malware; many of them profiting from high profile deaths and disasters.

Dubbed "Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware", the Sophos probing whitepaper analyses how attackers have created automated kits that use blackhat SEO methods, cynically exploiting tragic and salacious breaking news stories, to subvert legitimate websites for personal gain.

In the past, the deaths of celebrities such as Michael Jackson, Boyzone's Stephen Gately, and Natasha Richardson, and the marital problems of Sandra Bullock have all provided rich attractive content for hackers trying to take advantage of trending news stories. Only this week, after two suicide bombs exploded on the Moscow Metro, resulting in 39 confirmed deaths, Sophos warned that this is exactly the kind of incident that will mobilise blackhat SEO and malware gangs.

Faster Howard, principal virus researcher of Sophos, said when terrible tragedies take place, many people rush to the web to find out more and the cynical SEO hackers know this and take advantage.

"After the death of Sea World animal trainer by a killer whale, sick hackers automatically used blackhat SEO techniques to stuff booby-trapped web pages with related content. This kind of profiteering is not just distasteful, it's also potentially dangerous to millions of innocent internet users," Howard said.

The technical paper, by Sophos researchers Fraser Howard and Onur Komili, details how it has become routine for attackers to compromise web content in order to distribute malware with sites often being abused in a variety of different ways once compromised. According to the study, the commonly used blackhat tactics include: Fake antivirus, SEO page, blackhat SEO kits, SEO poisoning and search engine crawler.

Howard said at the centre of any blackhat SEO attack is the need to feed content to search engine crawlers (for them to add to their search results), while at the same time redirecting users who land on the webpage to a malicious site. Most blackhat SEO kits can tell the difference between a search engine visiting their site to crawl for content, a user visiting the site via a search engine link, and a curious party visiting the site directly.

While the growth in the use of blackhat SEO tactics is a growing problem, Sophos believes that IT and network managers can take a number of rudimentary steps to protect themselves.

As with many other web-based attacks, URL filtering and content inspections often provide the most effective protection against SEO attacks. Monitoring any currently active SEO attacks enables collection of the redirection URLs involved, which can then be appropriately blacklisted.

Howard concludes: "Malware distribution through SEO attacks can easily be described as beautiful in their simplicity but there are some effective measures that companies can take to protect themselves. By adding detection for the payload, as well as diligent monitoring and filtering inbound content, network managers can thwart an attack before it reaches the user. Providing detection for all relevant components provides the most effective protection."

Media release in PDF attached, download white paper from: