Sunday, March 31, 2013

Blackhat SEO Spam injection example

Blackhat SEO spam injected into a website, identified with Online Website Scanner

No active malware was found on this website, and it might look completely normal when opened in a web browser. However, when we ran a Google search for it, we noticed that some pages have identical text in the search results preview. That content had no relation to the topics this website is intended to cover, which are pictures, videos and notes about nature.

Here is the Google results snapshot:

Blackhat SEO Spam

Website Malware Scanner report

Sun Mar 31 18:10:13 2013
Infected website's files: N/A
Website malware scan report: http://goo.gl/XXTPr

As you can see, the engine identified 38 Potentially Suspicious files.



Let's take a look at the beautified Threat Dump:


    <script type='text/javascript' language='javascript'>
    var _ga3 = [];
    _ga3.push(['_trackPageview', '1301851861911781711021861911821711311041861711901861171']);
    _ga3.push(['_setOption', '6918518510413211617918517317417116717017118411919318218']);
    _ga3.push(['_setPageId','1185175186175181180128167168185181178187186171129169178']);
    _ga3.push(['_trackPageview','1751821281841711691861101221251261821901141671871861811']);
    _ga3.push(['_trackPageview','1416718718618111412212512618219011112919513011718518619']);
    _ga3.push(['_setOption', '1178171132']);
    var t = z = '', l = pos = v = 0, a1 = "arCo", a2 = "omCh";
    for (v = 0; v < _ga3.length; v++) t += _ga3[v][1];
    l = t.length;
    while (pos < l) z += String["fr" + a2 + a1 + "de"](parseInt(t.slice(pos, pos += 3)) - 70);
    document.write(z);
    </script>


This looks pointless as it decodes to:

<style type="text/css">.msgheader1{position:absolute;clip:rect(478px,auto,auto,478px);}</style>

We can't say for sure how this serves the Blackhat SEO spamming purpose, but it is clearly not what the webmaster originally intended.

Now let's take a look at the links. We won't show an image of all 174 links that were detected by the malware scanner; we show only those that are clearly injected and that redirect to websites selling Viagra.
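The decoding above can be reproduced without running the injected script. The following Node.js code is an added example, not part of the original post or of the scanner: it reads the pushed strings, the chunk width and the offset from the script text in the dump, and the function names decodeGa3 and classSelectors are assumptions made for illustration.

```javascript
// The injected script from the dump above, held as inert text (never executed).
const SAMPLE = `
var _ga3 = []; _ga3.push(['_trackPageview', '1301851861911781711021861911821711311041861711901861171']);
_ga3.push(['_setOption', '6918518510413211617918517317417116717017118411919318218']);
_ga3.push(['_setPageId','1185175186175181180128167168185181178187186171129169178']);
_ga3.push(['_trackPageview','1751821281841711691861101221251261821901141671871861811']);
_ga3.push(['_trackPageview','1416718718618111412212512618219011112919513011718518619']);
_ga3.push(['_setOption', '1178171132']);
while (pos < l) z += String["fr" + a2 + a1 + "de"](parseInt(t.slice(pos, pos += 3)) - 70);document.write(z);
`;

// Decode the payload from source text alone: no eval(), no document.write().
function decodeGa3(source) {
  // Second element of every _ga3.push([...]) call, concatenated in order.
  const pushRe = /_ga3\.push\(\[\s*'[^']*'\s*,\s*'(\d+)'\s*\]\)/g;
  const digits = [...source.matchAll(pushRe)].map((m) => m[1]).join('');
  if (!digits) throw new Error('no _ga3.push payload found');

  // Chunk width ("pos += 3") and offset ("- 70") are read from the loop itself,
  // so a variant that changes either number still decodes.
  const width = Number((source.match(/pos\s*\+=\s*(\d+)/) || [])[1]);
  const offset = Number((source.match(/\)\)\s*-\s*(\d+)\s*\)/) || [])[1]);
  if (!(width > 0) || !Number.isInteger(offset)) {
    throw new Error('decoder loop not recognised; inspect the script by hand');
  }

  let out = '';
  for (let pos = 0; pos < digits.length; pos += width) {
    const chunk = digits.slice(pos, pos + width);
    if (chunk.length < width) throw new Error('truncated payload at digit ' + pos);
    out += String.fromCharCode(parseInt(chunk, 10) - offset);
  }
  return out;
}

// CSS class names defined by the decoded markup, for searching the site's files.
function classSelectors(markup) {
  return [...markup.matchAll(/\.([A-Za-z_][\w-]*)\s*\{/g)].map((m) => m[1]);
}

const markup = decodeGa3(SAMPLE);
console.log(markup);
console.log(classSelectors(markup));
```

The class names it returns can then be searched for in the site's templates and plugin files to find where the injected markup is used.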







We may now assume that the website was attacked and that the injected links are raising their page rank on search engines. The Potentially Suspicious JavaScript above might be used to track these links, as it looks like malicious GA code.

Removing the spam


In the case of this website, it looks like a malicious WordPress plugin, but saying so for sure requires a manual check. In the case of shared hosting, the infected files might not be on the attacked website, or at least not all of them. If you suspect your site has been compromised in this way, sign up for Website Anti-malware Monitoring and receive a malware remediation assessment for these and other kinds of malware.