A new type of black hat SEO campaign has been uncovered in the last few months by Akamai’s experts, who have observed that an attacker is using SQL injection flaws to deface websites with hidden content, specifically aimed at improving his website’s SEO ranking.
The campaign has targeted around 3,800 different websites, hosted on 348 unique IP addresses, and leverages SQL injection flaws in MS-SQL servers.
Campaign relies on injecting websites with hidden text
According to Akamai, attackers are using the SQL injection flaws to penetrate databases, search for the website’s content, and sneakily insert extra content in various pages.
This content is not left in the open, since both users and the site’s admins might notice it, but it’s hidden with CSS, and only presented to search engine crawlers.
The hidden content contains both keywords and links that help the attacker’s own website gain a better position in search engine rankings for various terms related to “cheating and infidelity.”
Conversely, websites that are defaced in this manner lose their search engine rating, as they are polluted with unrelated or adult-themed content.
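For site owners who want to check stored or rendered pages for this kind of injected block, the following added example (not from Akamai's report) flags links to other hosts that sit inside CSS-hidden elements. The hiding patterns, the function names and the sample page are assumptions made for illustration, since the report's exact CSS is not quoted here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style tricks commonly used to hide markup (assumed list, not taken from the report)
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top|text-indent)\s*:\s*-\d{3,}"
    r"|font-size\s*:\s*0(?![.\d])|opacity\s*:\s*0(?![.\d])",
    re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []      # (tag, hidden) per open element; hidden is inherited from ancestors
        self.findings = []   # hrefs to other hosts found inside hidden subtrees

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(self.stack and self.stack[-1][1]) or bool(HIDING.search(a.get("style") or ""))
        if tag == "a" and hidden:
            host = (urlparse(a.get("href") or "").hostname or "").lower()
            if host and host != self.own_host and not host.endswith("." + self.own_host):
                self.findings.append(a["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def hidden_external_links(html, own_host):
    """Return hrefs pointing off-site that appear inside CSS-hidden elements."""
    parser = HiddenLinkFinder(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one visible partner link, one hidden injected block
SAMPLE = """<h1>Spare parts catalogue</h1>
<p>Visible <a href="https://partner.example/">partner</a> link.</p>
<div style="position:absolute; left:-9999px">
  <p>unrelated keywords <a href="http://seo-target.example/page">anchor text</a></p>
  <a href="/local">local</a></div>
<span style="display:none"><a href="https://shop.example.org/help">own help</a></span>"""
```

This covers inline styles only; content hidden through a class in an external stylesheet needs a rendering check instead, and the scan is most useful when run over the text columns of the database, where the injected content is stored.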
database servers targeted
Akamai reports that the first signs of this campaign were detected last July, and that it later intensified towards the end of the year. Most targeted websites seem to be written in ASP and running on older versions of IIS, Microsoft’s Web server technology, but some PHP-based websites seem to have been compromised as well.
Akamai did a poor job of blurring the name of the website that benefited from the black hat SEO campaign, which is storyofcheating[dot]com.
The website has gained such a massive SEO reputation from this campaign that, at the moment of writing this article, after typing “cheating” in Google, the campaign’s website comes up in the first five results, right there next to dictionary definitions and Wikipedia pages.
Akamai details the attack in its latest security report.
An illustration of the black hat SEO campaign