Over the last several days I've been digging into the Black Hat SEO world... and some of the techniques that the dark side likes to employ to draw clicks and eyeballs to their sites. Whether they're serving up an online pharmacy selling Tramadol or Viagra, performing drive-by malware installations, or pushing fake video codec malware through porn downloads... this is a big business that brings in many times what most of us make at our day jobs.
In the final analysis... all of these techniques depend on poorly written code on the site that's being abused. Sites that use injectable CMSes (via content injection such as SQLi or other techniques) are the biggest target, since you can rather easily fingerprint the CMS, google that fingerprint... and then write a quick automated script that'll crank out injections all day long. Here's one perfect example on Weblocal.ca, which appears to be using the Movable Type CMS (follow this link [http:||www.weblocal.ca/user/224gxft] at your own risk, NoScript recommended).
What's interesting is that this is a user-content driven site, which has a pretty good PageRank [Ranked PR6] according to PRChecker.info. What this means is that Google's magic search engine formula is more likely to index this page and thereby bring users to a page like this... with the redirect. As you can see, the redirect goes to a Russian site (shocking that the Russians would be involved in organized exploitation like this... no, really), which, if you do a little simple digging, has a huge presence in the Interwebs. Check this out: a Google search for the link (http:||upop.ru_/in.cgi?7&parameter=Tramadol) brings up a mountain of sites that have been "injected" with this link. While many of these are comment-spam inserts (think X-Rumer... from my previous post), there are plenty of instances where the injection just flat-out fails to launch... but the point remains clear: there are automated scripts out there that are hitting sites with this link.
One such injection, on UrbanMoms.ca [which has a PageRank of 4], is obviously a broken attempt to create a profile which is injected with the page link (http:||www.urbanmoms.ca/mt/mt-cp.cgi?__mode=view&id=19962&blog_id=52).
At any rate... the problem is obvious. Poorly coded sites that accept arbitrary HTML links from users, along with other gaping holes, are fodder for these types of injections. You have to ask what the rationale for this type of attack is. Are people actually making money off of injecting links into random sites?
The answer is yes... on a mass scale. Per unique visitor on the Tramadol keyword, a spammer is likely to pick up over $1USD. That's per click... the PPC (pay-per-click) rate for this specific keyword is about $6USD/click. Of course, the source also reveals that this is one of the most difficult keywords to rank for (be high up in the Google search results)... meaning, to attract people to. Think about it... a successful injection of a well-ranked, well-trusted site with a high volume of daily traffic can possibly net you well over $1MM USD/month.
The problem doesn't end there. Keep in mind that links like this sometimes also deliver payloads... trojans which drop malware in droves. The economy for this is booming.
With vulnerabilities on the web sites multiplying like bunnies in May, gullible users clicking on fake video codecs, and 0days for a fully-patched Vista/IE8 a-plenty... how does one not make buckets of cash?
Mitigating this "problem"? Let's start with writing more sensible web sites, and maybe making Google's engine a little more intelligent; but beyond that there isn't much you can do... and that's a sad, sad statement.
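To make "writing more sensible web sites" concrete for the profile and comment injections above, here is an added example (my own code, not anything from the sites or the CMS discussed) of what a user-content handler should do with submitted HTML: allow-list a handful of tags, drop every attribute except a safe href, swallow script bodies, tag each surviving link rel="nofollow ugc" so it passes no PageRank to the spammer, and reject profiles that are nothing but links. The tag policy, the 3-link limit and the sample profile are assumptions made up for the example.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br", "a"}    # hypothetical policy: what a profile may contain
SAFE_PREFIXES = ("http://", "https://")      # javascript:, data:, relative hrefs are dropped

class UGCSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip, self.link_count = [], [], None, 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip = tag                      # swallow the element body, not just the tags
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                               # unknown tags vanish, their text stays
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if not href.lower().startswith(SAFE_PREFIXES):
                return                           # whole anchor dropped, text kept
            self.link_count += 1
            self.out.append('<a href="%s" rel="nofollow ugc">' % escape(href))
        else:
            self.out.append("<%s>" % tag)        # onclick= and friends are never copied
        if tag != "br":
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif tag in self.open:                   # only close what we actually opened
            self.open.remove(tag)
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))        # text is always re-encoded

def sanitize_user_html(fragment, max_links=3):
    """Return (clean_html, accepted); a profile stuffed with links is rejected outright."""
    p = UGCSanitizer()
    p.feed(fragment)
    p.close()
    while p.open:                                # close anything the submitter left dangling
        p.out.append("</%s>" % p.open.pop())
    return "".join(p.out), p.link_count <= max_links

# Constructed sample mimicking the injected-profile pattern discussed above
SPAM_PROFILE = ('<p>Hi! <a href="http://example.invalid/in.cgi?kw=Tramadol" onclick="x()">'
                'cheap pills</a><script>location="http://example.invalid"</script></p>')
```

Run `sanitize_user_html(SPAM_PROFILE)` to see the link survive only with rel="nofollow ugc" and no onclick, and the script element gone entirely.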