• United States



Senior Staff Writer

Black Hat SEO campaign powered by SQL Injection

Jan 12, 20164 mins
Application SecurityCybercrimeIT Strategy

Campaign targeted MS-SQL installations to cross-promote a cheater's website

A new threat advisory from Akamai highlights a Black Hat SEO campaign that’s leveraging SQL Injection as a means to generate links to website dedicated to stories about cheating.

The shady SEO campaign can be considered a success too, because the domain benefiting from the inbound links is still the top listing for the primary keywords.

The website behind the campaign, or at least the website that has gained the most from it, wasn’t listed in the Akamai report. Salted Hash did some digging, and it didn’t take long to discover the website in question; storyofcheating[dot]com.

At one point, Akamai says, the Black Hat SEO campaign included more than 3,800 websites and 348 unique IP addresses. Technically, the campaign is more mass defacement than straight-up SEO scam, because the primary focus was SQL Injection.

It’s important to note that those responsible for the defacements were not targeting a vulnerability in MS-SQL or IIS. Instead, they were targeting poorly developed applications that rely on Microsoft’s platform to function.

As long as the targeted application didn’t validate user-supplied input, it could be used to promote the storyofcheating[dot]com website.

Once a vulnerable application was discovered, various content would be added to the database, including all the HTML needed to supply links to storyofcheating[dot]com. The defaced websites would appear normal to those operating it, because the injected content is only visible to search engines.

Most of the added content was junk – filler text with a handful of related keywords and meaningless sentences – but there was enough content to create relevancy. According to one internet traffic monitor, storyofcheating[dot]com didn’t have a solid SEO presence until late November, when this campaign started. Once it took hold, inbound links to the site (and its ranking on Google) skyrocketed. The numbers dropped off in mid-December, followed by a brief spike, and another sharp drop.

On Monday, a day before the Akamai report was to be released, Salted Hash confirmed that a Google search for “cheat story” still returned the desired result for the SEO campaign, as storyofcheating[dot]com was the top link.

Many of the defaced websites were completely unrelated to the topic of infidelity, including websites dedicated to software development, SharePoint, Foosball, Tennis, political marketing, and more.

As mentioned, the SEO campaign targets MS-SQL. The common theme between the defaced domains is WordPress and BlogEngine.NET. However, the core code on those platforms isn’t what’s being targeted. It’s more likely the campaign hinges on vulnerable themes and add-on scripts.

Most of the defacements centered on theme and template folders, and generated an entire set of pages, including RSS feeds for the added content.

Another common theme among the defaced websites was abortion. Many of the defaced websites would link to storyofcheating[dot]com under the pretext of abortion discussions, including abortion pills and chemical abortions, as well as topical discussions such as teen pregnancy.

The point of Akamai’s threat report is that SEO is important to businesses online, and criminals have no problem with taking advantage of existing SEO rankings and reputation to further their schemes.

On the other hand, this type of fraud isn’t limited to businesses, as criminals will target personal websites too.

The standard precautions apply; if you deploy a CMS platform, such as WordPress or BlogEngine.NET, make sure that everything from the server software, core platform software, and add-on modules are kept updated. Monitor your website and server for changes, and investigate anything that seems unusual.

Moreover, it’s possible to use Google to catch added pages by searching your domain and looking at what’s being indexed.

A copy of the Akamai report is available here.