Cyber Security Awareness: SEO Poisoning using Olympic Themes
Number: IN10-001
Date: 26 February 2010
Purpose
The purpose of this information note is to promote user awareness of a technique called Search Engine Optimization (SEO) poisoning. This technique is being used in recent internet search queries on the 2010 Vancouver Olympics.
Assessment
What is SEO Poisoning?
Search Engine Optimization (SEO) is a method of improving and increasing the traffic to particular websites from various internet search engines (e.g. Google). SEO takes advantage of popular search terms entered on internet search engines and arranges the responses to queries so that they point users to particular results. SEO Poisoning uses the same technique, but manipulates the search engine results so that queries are redirected to malicious sites hosting malware. Susceptible websites are commonly exploited through various infection methods such as cross-site scripting, cross-server scripting, and IFrame injection attacks.
How is SEO Poisoning using the popularity of the Olympics to distribute malware?
SEO Poisoning relies on common and popular internet search queries. Once a malicious website is developed, the developers use SEO to promote it, so that the link to the malicious website appears near the top of the search results. The developers often use geo-political events, which are popular search queries, as the lure. For example, the following combinations of search engine queries may produce redirections to malicious websites:
Mens + hockey + schedule
luge + crash + video
Vancouver + 2010 + closing ceremonies
The SEO poisoning results appear to only work with English keyword searches.
The Vancouver Olympics are being targeted due to the fact they are one of the more popular news items of the past two weeks, and therefore, produce a high number of search engine queries. However, the threat of SEO Poisoning is not unique to the 2010 Vancouver Games.
Impact
The impact of falling victim to SEO Poisoning is usually the installation of malicious software on the computer visiting the site. A common outcome seen in recent occurrences of this type of malcode installation is the user being prompted to install free antivirus software on their system. After agreeing to the installation, the malicious software is installed and the user's machine is infected. Although this is a popular method of infection, the visiting user is susceptible to any type of malicious content that may be present on the infected site.
Suggested Action
CCIRC recommends the following SEO Poisoning mitigation:
1. User Awareness
Users should always be wary of any link they follow from search engines. This entails visually inspecting the actual link you are being directed to follow. For example, if you are directed to visit a site on the Vancouver 2010 closing ceremonies, you should visually inspect the link to which you are being directed. A site that begins with www<dot>malicious-site<dot>com should not be trusted. However, the validity of the site to which the user is being directed will depend on the perpetrator of the poisoning. The malware writer may use a site that appears suspicious, or may register a site that closely resembles the nature of the search term. Users should therefore limit themselves to known trusted sites.
2. Website Filtering
Departmental network security teams are encouraged to keep their website filtering of malicious sites current. Although this is an effective method of prevention, the websites used in this way are constantly changing, requiring constant updating of departmental website filtering systems.
3. Antivirus and System patches
Departments and users are reminded of the importance of keeping their antivirus solutions and system patches updated. Once directed to the malicious site, a user's machine still has to be susceptible to the malicious software present on the rogue site. If proper antivirus and system patches are present on the machine, the user has a significantly lower possibility of becoming infected. Patches, however, will not be effective against new malware variants that are unknown and undetected by anti-virus vendors.
The most effective method of protection is a combination of all methods mentioned above.
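The following is an added example, not part of this CCIRC note, illustrating how the link inspection in action 1 and the filter list in action 2 can be automated before a search-result link is followed. All domain names and the trusted, blocked and keyword lists are constructed placeholders; in practice a departmental filtering system would supply the lists.

```python
"""Added example: inspect search-result URLs before they are followed.
Models the "visually inspect the link" advice and a departmental filter list.
Every domain and list entry here is constructed for illustration only."""
from urllib.parse import urlparse, parse_qs

# Constructed lists; a real deployment would load these from a managed feed.
TRUSTED_DOMAINS = {"vancouver2010.com", "cbc.ca", "olympic.org"}
BLOCKED_DOMAINS = {"malicious-site.example"}
SEARCH_TERMS = {"vancouver", "2010", "closing", "ceremonies", "luge",
                "crash", "video", "mens", "hockey", "schedule"}


def registered_domain(host):
    """Crude registered-domain extraction (last two labels); adequate here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(url):
    """Return (verdict, reason) for a search-result URL.

    verdict is one of: allow, block, warn, unknown."""
    p = urlparse(url)
    host = p.hostname or ""
    dom = registered_domain(host)
    if dom in BLOCKED_DOMAINS:
        return ("block", "domain on departmental filter list")
    if dom in TRUSTED_DOMAINS:
        return ("allow", "known trusted site")
    reasons = []
    # A bare IP address where a domain name is expected.
    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain name")
    # A domain registered to resemble the popular search term itself
    # (e.g. the keywords joined by hyphens in the first label).
    first_label = dom.split(".")[0].replace("-", " ").replace("_", " ")
    hits = set(first_label.split()) & SEARCH_TERMS
    if len(hits) >= 2:
        reasons.append("domain built from search keywords: " + ", ".join(sorted(hits)))
    # A query parameter that carries another URL, i.e. a redirect hop.
    for values in parse_qs(p.query).values():
        if any(v.startswith(("http://", "https://")) for v in values):
            reasons.append("query string redirects to another URL")
            break
    if reasons:
        return ("warn", "; ".join(reasons))
    return ("unknown", "not on trusted list; verify before visiting")
```

A "warn" or "unknown" verdict does not prove a site is malicious; it flags the link for the manual inspection the note recommends, while "block" and "allow" come straight from the maintained lists.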
References
The following websites contain additional information and mitigation techniques related to SEO Poisoning:
http://www.sophos.com/blogs/sophoslabs/
http://www.f-secure.com/weblog/archives/00001891.html
http://securitylabs.websense.com/content/Alerts/3561.aspx
http://en.wikipedia.org/wiki/Search_engine_optimization
http://www.sophos.com/blogs/sophoslabs/v/post/8704
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca