Over 700 websites infected during recent campaign

Jun 9, 2016 23:50 GMT

A black hat SEO campaign is currently underway, with hackers employing SQL injections to break into websites and contaminate their content with links to adult and pharmaceutical sites.

Security firm Imperva discovered the campaign back in March 2016 and says it traced it back to as early as November 2015. The company says that crooks used SQL injections to break into at least 700 hosts, where they injected low-quality links into the sites' HTML code.

The purpose is to provide links from reputable sources back to all sorts of shady sites, a tactic known as SEO spam.

Crooks renting out access to their SEO spam botnet

The company says that crooks are using an automated system to break into these websites, and then update the links with new ones at regular intervals. Imperva presumes the crooks are renting out their botnet to interested parties and are promoting multiple links on each host at the same time.

Each infected site hosts between 9 and 45 spam links, usually hidden from sight, so the website's owner won't notice the infection.

Imperva also mapped the crooks' botnet, which is the network of control points from where they send new orders on what links to feature and promote each day or week.

Almost half of the botnet's control hosts are located in the US, followed by Brazil, Germany, France, and the Netherlands. Behind all these, Imperva says there's a master server from where the crook sends all his commands, to be relayed to infected hosts.

85% of all malicious URLs lead to link farms

The company says that in April 2016, it detected over 800,000 malicious HTTP requests sent to infected hosts, but estimates the real number at over 8 million based on its sample size.

Around 15 percent of all the injected links directly promoted other sites, while the rest were aimed at link farms, a term used to describe intermediary sites that link to the final target.

"This discrepancy makes sense considering the importance of the link farms as an asset that promotes many sites with content directly controlled by the attacker," Imperva's experts explained.

Recently, SEO spam has become a very lucrative business, thanks to the proliferation of easily deployable CMSs that often remain unpatched, allowing easy access to fully functional websites.

Infographic about recent SEO spam campaign detected by Imperva