Google Instant: Is it a pawn for Blackhat SEO?

Learn how Blackhat SEO is used to improve the search ranking of malicious web pages and why search engines are accepting them.

----------------------------------------------------------------------------------------

This article was supposed to be solely about Blackhat SEO and its implications. During my research, I came across a new exploit, and experts are saying it's Blackhat SEO on steroids. So, plan B.

Before I get to the details, I want to show you what diverted me. I started typing antivirus into Google's web page. As you can see below, I only got to anti and search suggestions started popping up.

Okay, that's cool. I remember reading that Google rolled out a new technology called Instant. It attempts to predict what search terms I want and provides suggested links in a drop-down box. After the initial "wow factor" wore off, I realized the first suggestion Google offered was antivir solution pro.

In the world of IT security, that's a problem. Antivir Solution Pro is a rogue anti-spyware application laced with malware. Once installed, it hijacks the computer and inundates users with fake security pop ups. The ultimate scam comes into play when users are asked to buy a license that does absolutely nothing. I can't believe Google allowed that.

Well, I overreacted somewhat. The links associated with Antivir Solution Pro ended up being not what I thought. Google returned pages on how to remove the malware. That's a relief.

The real issue

My next question was: Are the links for real? Antivir Solution Pro is all about spoofing users. It turns out that's a good question. Apparently, there is a new and troublesome exploit that we need to be aware of. It has to do with SEO. That acronym may not mean the same to everyone, so let's define it to avoid confusion.

SEO

Search Engine Optimization (SEO) is a process used to improve the ranking of a web site in search engines like Google. It is not to be confused with Search Engine Marketing (SEM), where web-site owners pay to increase their site's visibility in search-engine results. SEO uses unpaid or organic methods to increase a web site's ranking. It's a fascinating subject, with many papers written on how to achieve SEO.

I'm not the only one. Cybercriminals are also interested in SEO, but for a very different reason. In fact, what they are doing has gained enough notoriety to have its own special name.

Blackhat SEO

Originally, Blackhat SEO was the process of optimizing search engine results, but in an unethical manner. Some of the methods used are:

  • Keyword stuffing: The idea is to have a list of keywords on the web site and not much else. It will elevate the domain name's ranking for a while.
  • Invisible text: A sneaky trick of having a large number of keywords in white text on a web page with a white background. We can't see it, but it will attract web crawlers.
  • Doorway Pages: A fake page that visitors never see. It also is full of keywords and meant to fake search-engine spiders into elevating the site's ranking.
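
As an added illustration (not from the original article), the Python code below shows how a crawler or site auditor could flag two of the techniques listed above: invisible text and keyword stuffing. The thresholds, the black-on-white page default, and both sample pages are assumptions constructed for the example.

```python
import re
from collections import Counter
from html.parser import HTMLParser

NOT_RENDERED = {"script", "style", "head", "title", "noscript"}
VOID = {"br", "img", "hr", "input", "meta", "link"}
NAMED = {"white": "#ffffff", "black": "#000000"}

def norm_colour(value):
    """Normalise a few common CSS colour spellings to #rrggbb ('' if absent)."""
    v = (value or "").strip().lower()
    v = NAMED.get(v, v)
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(c * 2 for c in v[1:])
    return v

def style_props(style):
    """Parse an inline style attribute into {property: value}."""
    props = {}
    for part in (style or "").split(";"):
        if ":" in part:
            key, val = part.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props

class TextSplitter(HTMLParser):
    """Sorts page words into those a visitor can see and those they cannot."""

    def __init__(self):
        super().__init__()
        # Frame: (tag, text colour, background, hidden, not rendered).
        # Assumption: the page default is black text on a white background.
        self.stack = [("#root", "#000000", "#ffffff", False, False)]
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        _, colour, bg, hidden, skip = self.stack[-1]
        a = dict(attrs)
        p = style_props(a.get("style"))
        colour = norm_colour(p.get("color")) or colour
        bg = norm_colour(p.get("background-color") or p.get("background")
                         or a.get("bgcolor")) or bg
        # Text is unreadable when it matches its background or is not drawn.
        if (colour == bg or p.get("display") == "none"
                or p.get("visibility") == "hidden"
                or p.get("font-size") in ("0", "0px")):
            hidden = True
        self.stack.append((tag, colour, bg, hidden, skip or tag in NOT_RENDERED))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed elements.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        *_, hidden, skip = self.stack[-1]
        if not skip:
            words = re.findall(r"[a-z][a-z0-9'-]{2,}", data.lower())
            (self.hidden if hidden else self.visible).extend(words)

def audit(html, min_hidden=10, min_words=30, max_share=0.15):
    """Return hidden-word count, top-term share and flags for one page."""
    parser = TextSplitter()
    parser.feed(html)
    parser.close()
    words = parser.visible + parser.hidden
    top, count = Counter(words).most_common(1)[0] if words else ("", 0)
    share = count / len(words) if words else 0.0
    flags = []
    if len(parser.hidden) >= min_hidden:
        flags.append("invisible-text")
    if len(words) >= min_words and share >= max_share:
        flags.append("keyword-stuffing")
    return {"hidden_words": len(parser.hidden), "top_term": top,
            "top_share": round(share, 2), "flags": flags}

# Constructed sample pages (not taken from any real site).
STUFFED = ('<html><head><title>Antivirus</title></head><body bgcolor="white">'
           "<h1>Welcome</h1><p>Read our guide to staying safe online.</p>"
           '<div style="color:#fff; background-color:#ffffff">'
           + "free antivirus download scan " * 15 + "</div></body></html>")
CLEAN = ("<html><body><h1>Removing rogue security software</h1>"
         "<p>Rogue anti-spyware applications hijack the computer and inundate "
         "users with fake security pop ups. Boot into safe mode, run a reputable "
         "scanner, then review browser extensions and startup entries before "
         "reconnecting to the network.</p></body></html>")

if __name__ == "__main__":
    for name, page in (("stuffed", STUFFED), ("clean", CLEAN)):
        print(name, audit(page))
```

Only inline styles and the bgcolor attribute are inspected here; text hidden through an external stylesheet would need the rendered page to detect.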

Blackhat SEO becomes nasty

Today, Blackhat SEO has grown to include techniques for elevating not just any link, but ones pointing to malicious web sites. Julien Sobrier, a security researcher at Zscaler, has determined that over 50 percent of individual search results contain at least one malicious link in the first 10 pages. In some cases where the search is about a popular topic, 90 percent of the first 100 links were pointing towards malicious sites.

In this video, Mr. Sobrier goes over his findings. He explains that before attackers start using SEO, they use search engine results to determine popular trends. Then they leverage SEO methods to further elevate malicious web sites based on one of the popular trends. Let's take a look at the process.

Popular trends

The bad guys use trending to determine what is popular at any given time. Google Hot Trends is one web site that they use:

The next step is to build a malicious web site that employs search terms, dates, and actual sentences found in the link information for one of the popular sites. If done properly, search engines will quickly start pointing at the newly-built malicious web site and give it a fairly decent ranking.

Another possibility is to find some vulnerability, hijack a legitimate web site that is popular, and add their malcode. Mr. Sobrier mentions that using robots.txt, image folders, or .files makes it difficult for the responsible web master to see what's happening.
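
For a web master checking their own server, the hiding places mentioned above can be audited directly. This added example (not from the article or from Mr. Sobrier's research) walks a web root and reports dot-files, non-image files inside image folders, and robots.txt Disallow entries the owner did not put there; the folder names, extension list, and sample site are assumptions constructed for the example.

```python
import os
import tempfile

# Assumed conventions; adjust to the layout of the site being audited.
IMAGE_DIRS = {"images", "image", "img", "pics"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".webp"}

def audit_webroot(root, expected_disallow=()):
    """Return sorted (relative path, reason) findings for a web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        in_image_dir = any(p.lower() in IMAGE_DIRS for p in parts)
        for name in dirnames + filenames:
            if name.startswith("."):
                findings.append(("/".join(parts + [name]),
                                 "dot-file or dot-directory"))
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if in_image_dir and not name.startswith(".") and ext not in IMAGE_EXTS:
                findings.append(("/".join(parts + [name]),
                                 "non-image file in image folder"))
    robots = os.path.join(root, "robots.txt")
    if os.path.isfile(robots):
        with open(robots, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                # Drop comments, then split "Field: value".
                field, _, value = line.split("#", 1)[0].partition(":")
                value = value.strip()
                if (field.strip().lower() == "disallow" and value
                        and value not in expected_disallow):
                    findings.append(("robots.txt",
                                     "unexpected Disallow: " + value))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree: a small site with three planted anomalies."""
    files = {
        "index.html": "<h1>Home</h1>",
        "robots.txt": "User-agent: *\nDisallow: /admin/\nDisallow: /images/cache/\n",
        "images/logo.png": "",
        "images/cache/page17.php": "<?php /* placeholder */ ?>",
        "images/.thumbs": "",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Audit the constructed site; the owner only ever disallowed /admin/."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return audit_webroot(root, expected_disallow={"/admin/"})

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

A finding is a prompt for review, not proof of compromise: legitimate dot-files such as .htaccess will show up and can be compared against a known-good copy.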

The first hint that something's wrong is the malicious site rarely looks as expected. Instead, it tells the victim there is a problem. The computer is infected with malware, the video codec is wrong, or some application needs to be updated. As you can guess, following the advice will install the attacker's malware.

Elevate ranking

Not satisfied with initial rankings, cybercriminals use a unique method to improve site rankings. The corrupt web site is set up to glean information from the request traffic's referrer. The attackers want to learn where the request came from -- Google, Bing, or Yahoo for example. Knowing this allows the attackers to index the query at the appropriate search engine, elevating the web page's ranking.

Blackhat SEO plus Google Instant

Now that we have an idea as to how Blackhat SEO and Google Instant work, I'd like to tie everything together. Let's see if this is the perfect storm some are predicting.

Trying to spot links that point to malicious web sites is difficult to say the least and has been a thorn in Google's side for quite some time. Actually, all the major players in the search field are working on this, but nobody has a real solution. So that's problem one.

Remember I mentioned that attackers rely on what is popular at any given moment. Google Hot Trends appears to get updated daily, but Google Instant is real time. So the bad guys know right away which search terms are the optimal ones to use. Between these two, I don't see how it can get any better for cybercriminals. There are some things we can do though.

Partial solutions

It doesn't seem like much help, but Google Instant can be turned off.

That way, users will not mistakenly select something other than what they expected. Remember my search where I stopped at anti. Here are the results if I type in antivirus completely:

Next, the major web browsers have black-list applications that should be of some help. Internet Explorer uses SmartScreen Filter, while Firefox and Chrome use Google Safe Browsing. Still, we need to remember that black lists are reactionary and will not flag new malicious domain names until they are reported.

Final thoughts

Being able to detect bogus links that send us to malicious web sites is a problem that does not have a real solution. It seems once again, making users aware of Blackhat SEO and how it could benefit from Google Instant is the best that we can do.

Have you run across Blackhat SEO in your surfing?

About

Information is my field...Writing is my passion...Coupling the two is my mission.

63 comments
mehra10al

I have found many sites which have used black hat techniques but are still in the top position, but I have seen that if Google sees that kind of site, it penalizes these sites. Thanks to Google. SEO Training in Delhi

lwa83

very interesting. didn't know that, opens up a whole of things clever black hatters can do with google

ndveitch

I have to ask if anyone uses AVG anti-virus. I haven't used it myself in a couple of months but I remember seeing a nice little tool that they had added to version 9 that added a green tick next to sites that they rated were safe. When I first saw it I thought it must be a scam cause all the sites had a green tick next to it, until the one day I saw one that had a red cross next to it. So trying my luck I tried to access that site and it popped up all kinds of warning messages. As I said earlier, I haven't used AVG myself in a few months so I'm not too sure if that feature is still working but it seemed like a good effort in safe browsing. Anyway, just thought I would throw that in.

dan.latter

It's like we (the users) are Google's new bottleneck! It's like they're saying: "come on..., we already know what you want, just type faster!!"

seanferd

Like http://www.blackhat.com/ , because of the capitalization. I admit I was confused until I used the About.com link. Which was odd, because, on the whole, I already know what black hat SEO is. In fact, you can still find old-style black hat SEO where keywords are stuffed in the keyword section of the HTML page, which is largely now ignored by robots due to this very abuse, but the keywords show up in the sample text. :^0 Funny thing is (OK, not really funny), that non-malicious SEO of the same type is prevalent. If legitimate (just desperate, not malware/phish serving) sites would stop this practice, it would be easier to separate the bad sites out. Too much "optimization" = ignored.

gri

I love the new Google instant... and if people are not smart to differentiate a fake, low end website from a full content, real website then they deserve to be taken advantage of until they stop and READ what is going on their computers! I use antivirus and common sense, if a message pops up saying "do you want to install 'something'? it's FREE!" I stop and read it, 99.9% of times I just click "NO". I get frustrated when we stop progress for mediocrity, stupidity or just "we are not ready for it"... if you don't know how to use it, don't!

Tonibarge

Hi, aren't you mixing the AutoComplete feature with Google Instant? Instant is about showing RESULTS while typing the words for the search, autocomplete is about proposing QUERIES based on the first letters you typed. Regards

santeewelding

As an article of faith, Michael, that you employ a great deal of "behind" stuff in your writing. Also, that the "stuff" is every bit as devious as what the bad guys do behind the scene. What you do, though, you do for well, sitting long hours at the keyboard doing it. I can only hope the bad guys, as a result of their long hours scheming and working for ill, come away for their obsession with a king-size case of hemorrhoids, while you profit.

lyates99

"...black lists are reactionary". I believe this word has been misused here

Jack Flash

Hey Michael, Nice catch! I guess "Instant" will go through its own maturity cycle through Google, Youtube, iTunes and others, including solutions (not perfect ones :-) ) for issues such as you had raised. I do feel there is an increasing need for better secure "marking" of search results...similar to the certificate web sites have...(not perfect but still better than nothing...) That's a food for thought for sure! Yours, Jack. IT Professional - You are not alone any more... http://itprofessional-mastermind.com/blog

Michael Kassner

Any way to get an upper hand is usually the avenue bad guys will take.

Michael Kassner

I personally use MS Security Essentials. What web browser do you use? Firefox and others have extensions that do the same thing. Check out WoT: http://www.mywot.com/

bboyd

No really if I'm looking up "Traveller" for a science fiction RPG I don't want "traveler" spelled sites.

seanferd

And probably, the truth is that Google (not to mention others) may actually have a very good idea of what you, as an individual, are looking for. Unfortunately, they do seem to be serving up attack site links, which I am quite sure no one is looking for. Perhaps they could use their extensive user tracking and profiling capabilities to include a "does not want rootkit" filter for the personalized results. Really, Google needs to get back to its supposedly revolutionary roots (fat chance) and actually provide better search results through better crawling and analysis. We really don't need the ten-thousandth new way to display the data.

Michael Kassner

In less than 30 words, you may have united the differing opinions expressed by the experts.

Michael Kassner

Did not mean to confuse. Yet, I did, so I failed. What you refer to is the Blackhat SEO of old. The new and improved Blackhat SEO is focused on advancing malicious web sites, with a focus on malicious.

seanferd

Better get on that, in keeping with your philosophy.

Michael Kassner

The malware is automatically downloaded, leveraging a vulnerability. Just to be fair ask around how many know that antivir solution pro is malware. I was surprised.

Michael Kassner

But that is what Google tells you to do. If you change it to: "Do not provide query predictions in the search box." It acts completely different. It was the only switch that I found related to the search. If you have alternative information, I would appreciate learning about it. Thanks for asking.

seanferd

Makes perfect sense to me. In the sense of "characterized by reaction". Not in the political sense, which may be older per common usage, but is far more narrow. Contrast with the epically horrible word "proactive".

Michael Kassner

Of, pertaining to, marked by, or favoring reaction. My intent was to point out that black lists are not proactive.

Michael Kassner

I hope so as well. I am more concerned about how they are going to resolve the Blackhat SEO issue. Otherwise search engines are not going to be trusted.

pgit

I recently dropped loading AVG for the 'freeloader' clients (who refuse to pay for security software) and now install security essentials for them. I suspect it does a bit more to the underlying system than a Norton or Avast etc would, not always for the better, either. (just a gut feeling) In fact I have the sense that I just "gave up" and went with MS. People wouldn't update their free AV/AM(alware) often enough, for one thing. Going with MS they can roll the updates into regular windows updates, pretty much guaranteeing they will keep up with emerging mayhem. I do know MSSE is pretty good at what it's supposed to do, but the switch was more about other apps getting too much in the way of the user and noticeably bogging things down. And of course that user would fail to update, get crapped up and come to me with the complaint that I was responsible because I put AVG on there and it was "no good" in their esteem. :\ I'm interested in how it is you consider MSSE to be the go to for anti-mayhem duty. My guess would be its effectiveness on the job compared to other options...

seanferd

as I read, rather than afterward, these things are more obvious. But just like C&C dashboards, I'm sure there are apps or SAS which do SEO, created and used by those with malign intent. So I entertained the idea of such an item with the moniker "Black Hat SEO". This was not a serious problem of confusion, FYI. I just had a slightly different idea of one possible meaning that was instantly corrected. It's all good. Yes, SEO was simpler, back in the day, malicious or not. Personally, though, I find the extent of legitimate SEO as an industry to be just a bit on the evil side anyway, like the marketing and advertising industries. They stretch "ethical" just a bit too far. I've seen Blackhat SEO for a while now, in the sense of your article. I haven't seen the concept crystallized and noted as a phenomenon, though. Thanks for that.

dazzlin_dazz

are confusing Google Instant with auto complete. With Google Instant, there are new settings "Use Google Instant - predictions and results appear while typing" "Do not use Google Instant" Google Instant runs hand in hand with predictions, but is in fact different. I get Google Instant when I use Google Chrome browser, but not when I use IE7/IE8 or Firefox, so maybe it is only 'live' for Chrome users. What actually happens is you open the browser and the Google home page shows as normal, but the second you start typing in the search bar, you are taken straight to the results page. As you type, you get instant results below as well as predictions. I hope that helps

QAonCall

We trust search engines to begin with? ;) The problem is partially users being immature as well, clicking first result, not paying attention etc. I am sure a clever lawyer will figure this out though! lol

Jack Flash

The more the problem is sophisticated, the better chances exist for one to create a helpful solution for all of us, and a fortune for himself :-) Yours, Jack. IT Professional, You are not alone anymore http://itprofessional-mastermind.com/blog

pgit

I was going on comparisons of free AV/AM products I've read recently, SE rated second highest on average. There are a number of categories these reviews cover, so average really isn't the best measure. A product may rate well above all others in one category, average in most others but have one rating on the bottom, and still end up "best" on average. Given the ratings and the mix of factors I deemed important, going with MSSE was an easy choice. I still have a nagging feeling it's somehow "plugged in" closer to home somehow. Whatever. As long as the folks can get their work done and avoid infection they're happy. BTW evidence keeps coming in from my clients that Norton seems to have hit a home run with their latest offering. I keep hearing they've really minimized the performance degradation, folks are telling me the same systems are noticeably more responsive since the last upgrade. (just got off the phone with another "satisfied [Norton] customer") Not sure how effective Norton is though... so I'm off to research this and find out. =) PS if you could squeeze a little info out of your MVP compatriot vis "utiliz(ing) the security features in the 64 bit version" please do let us in on it. I can't imagine what advantage there would be to 64 bit code in the given tasks, but I would bet there is one.. or three.

Michael Kassner

My reasoning came from the fact that I have a friend who is a MVP. She is impressed that SE was one of the few AV programs that utilized the security features in the 64 bit version.

HAL 9000

Do you really trust M$ that much to get it right? Sure on the surface of things they are the only ones who have a True Understanding of the way that the OS works. But do you really believe that the Source Code for Windows is made available to all sections of the company? For that matter do you really believe that SE was written twice once for 32 and once for 64 Bit Operation? Sorry but with M$ they have different divisions who are only told what they need to know so from that perspective they are most likely no better than the outside companies who supply the same thing but with less experienced programmers and tighter time frames to make something work. ;) Col

Michael Kassner

I run Win 7 64 bit and MS Security Essentials is one of the few that leverages all the advantages of 64 bit. I agree with you, who better than MS to understand their systems and how to protect them.

Michael Kassner

It seems to me that when Mr. Schmidt was added to the mix, the mission statement changed radically.

seanferd

Sometimes I wonder if there are any metrics on the potential for such Internet Presences fouling their own environment. Sometimes it is money, sometimes it is someone's vision. Sometimes, I'm not sure what drives the development of some features. I suppose a lot of things boil down to just money. In recognizing my own cynicism, sometimes I overcompensate, and extend the benefit of the doubt too far. Truth be told, I really didn't even bother to consider the underlying motivation for anything discussed here. Odd, that.

Michael Kassner

What I am saying is that what I wrote about in the article is the way Google tells you to disable Instant.

symform

Google Instant is the new feature which displays actual results on the page as you type. Watch this video to see it in action: http://www.youtube.com/watch?v=ElubRNRIUg4 Predictive text is the feature that autocompletes common search queries in the search box as you type. This feature has been around for a number of years. The two work together but are two separate features.

Michael Kassner

This is what I found on the Google Instant web page: Q: Can I turn off Google Instant? A: If you don't want to see results as you type, you can turn off Google Instant by clicking the link next to the search box on any search results page, or by visiting your Preferences page. I went to the preference page and making the change I did stopped Instant. I do not see what you are referring to. Could you please explain in more detail. Thanks.

seanferd

"proactive"? :p Seriously, though, I am just guessing at what the Op may have been after. But I am glad to be of service, if I can find a way.

ultimitloozer

Michael, If you are using the WOT plugin whether in Firefox or IE, you are already using Google's blacklist as well as around 100 others, so... As far as personal usage, I try to avoid all things Google at all times. I just don't trust them. There are a boatload of options here. But in most cases there's nothing that gets the same results as using the Mark I Eyeball and a couple of brain cells...

Michael Kassner

I guess my thoughts about Invincea are that it would mitigate the malware aspect. As for job searching, I suspect that already goes on. I've heard of aggregators that compile Internet data for HR departments.

QAonCall

That a tool will solve a trust problem? I think in general, people are maturing to artificial intelligence/information accessibility. I think there will continue to be some healthy skepticism, and I predict there will be more in the next generation as they come of age in a time where everything they have ever written has been digitized, sorted and accessible via search engines. I think the current administration has had some glowing examples of bone headed stuff caught on tape/written that gave a glimpse into the future. Wait until search engines start selling your search history as part of a job screening process? The current generation will be in a world of hurt.

pgit

If I hit on a malicious link the only thing that happens is I realize there is no valuable information at that site. I run Linux on my own workstations. =D BTW I hate to admit it, but not a few folks who'd come to me like clockwork to fix windows fessed up to their porn habits being the culprit. I have set a number of them up with dual boot so they can go into Linux for the "dirty work." None of these people have been back to me with a windows problem since, going back almost 3 years now with some of them. Like cookie monster sings; the internet is for porn. It also runs in large part on Linux. If ever there were a marketing hook to popularize Linux, "safe" porn would have to be it. Why more people don't think of this is beyond me. I'm personally not into any kind of porn, btw. I get the happy bunny, unicorn and butterflies here: http://www.didyouwatchporn.com/#

Michael Kassner

I like the freedom. We just have to figure out ways to stay safe.

Michael Kassner

Why not use Google's black list as well? I think WoT does.

QAonCall

be wary in general. Of course I use search engines, no one wants to remember a 300-500 character long url to find something. That said, know when to go to sites that are suspect, and when not. Use sites you know, recognize and trust. Use anonymous browser. Have a limited access account (guest) for use when you are doing a lot of research/searching. All of these are things that can be part of a larger strategy of risk mitigation. Really though, I think teaching people to search better (better keyword use, more keywords in your search) that would help a lot. Example: Search for:
Virus
Virus removal
Virus removal infected
Virus removal infected windows
Virus removal infected windows spyware
Virus removal infected windows spyware microsoft
The last will most certainly refer a MS site to the top three listings (I did not try the search, but I am guessing it should, by adding a preferred trusted site/company to the end to allow me to target my search) I could have just as easily added TechRepublic. This type of searching forces the search engine to return the results you seek, without allowing them to: 1) Send their preferred accounts to you 2) Mitigating the chance for Black Hat SEO to return a bogus set of sites by flooding the result sets 3) It makes you a better search agent, and saves time ultimately. I tell my GF all the time, Google designed their search engine for women (no offense) but in general, women are shoppers, and Google is all about the shopping of information and selling from it. Men are generally hunters, we know what we want, and we go to it directly. Please do not digress on the analogy, it is not to offend, it is simply to illustrate, I used the word general on purpose. MHO on the search engine issues.

seanferd

Basically, I'm already prepared to wander dark places. Really seeing if a link is OK sort of takes place after the fact, doesn't it? I mean, what happens when a popular legitimate site is compromised temporarily to serve evil? Generally, though, bad search results "look bad" to me. Whether they are just links to awful sites (uninformative, junk, scrapes of other sites, whatever), just off-target, or evil sites, this is rather more often than not reflected in the result sample text, and in the URL itself. Then there are the ever-popular site-checker mechanisms like Mcafee, WOT, etc. Which I generally don't use, but others swear by. Then, there is going to the site sandboxed, or from a VM, or whatever. But normally, I find that not allowing scripts to run works rather well. I am also conservative about browser settings regarding what is allowed to be altered by javascript. Change a context menu? I think not. But turn the whole thing on its head: I absolutely trust the internet to allow something to try and attack me. It is an open internet, and I don't want it any other way. If I have to wear armor, or suffer a "lack of richness" of the web experience, or possibly rebuild my castle, so be it. This does nothing for the average appliance-minded consumer, I grant you. And I have no answers for them that fit their type of internet lifestyle. It is like the average phish attempt - terribly obvious to me, but others will merrily submit financial information to a fake paypal page (in French, no less) on a site where no such thing belongs, and no product to purchase in sight. How do you help people like that? The ones who refuse to learn or accept any advice? This has been a bit of a ramble, so let me know if I haven't actually addressed the nub of your gist, as it were.

santeewelding

They are not compromised, as well. I wouldn't trust my departed mother in all this, much less any program, protocol, or gizmo.

ultimitloozer

In most cases, just looking at the URL gives enough information to make a trust decision. If not, WOT or Symantec's Safe Web may give you more to go on.

Michael Kassner

How do you decipher whether a search result is OK or not? This is what I am wrestling with.

seanferd

For instance, I do not trust organizations like Network Solutions and Verisign (with their sweet, gifted monopolies). Or my ISP. Yet, I have not unplugged and canceled service. You just have to operate like you do not trust anything - check, verify, etc. Or, operate like you trust everything, even if you don't, but also be prepared to deal with the possible negative consequences. Of course, everything is marketed to consumers as if everything is trustworthy, and as if every connected device is an appliance. This is a lie, and I'm surprised that after 20 or so years, people still don't get this. (OK, no, I'm not really surprised.)

Michael Kassner

You never use a search engine? If so that is amazing. I would be lost. My goal is to try and help the millions like me that do. I am fortunate as I know about the issue, there are those that do not. So, please help me spread the word.

Michael Kassner

Please let me know. I have searched the forum and can't find anything recent, except my 10 thing article.

RTHJr

...but there was another article that went into why WOT is a good defense against spoofed web site certificates that especially were using MD5. I believe one of your cohorts wrote it but I cannot find it.

RTHJr

This might go well with a follow-up article on the FireFox WOT: Web of Trust add-on. I know there was a WOT article done last year or so on why that is better against SSL certificate spoofing attacks. I think it would be great to expound how such a tool could help as a blended method of steering clear of malicious web sites in lieu of the Google Instant tool.
