Tracking a Big Search Engine Poisoning Network
One nice thing about having lots of traffic flowing through WebPulse, and having lots of modules watching for malicious and suspicious activity, is that it's always easy to find an interesting topic for the blog. (The tricky part is finding time to follow a lead, do the background research, and write the blog post. I still don't have an automated system for that...)
It's been a while since I've just randomly picked a Bad Guy's site out of the traffic, and then researched the story behind the operation. It's also been a while since I've touched on Search Engine Poisoning, and it just so happens that the first interesting site I pulled out of the logs yesterday led into an SEP network, so let's go with that one.
The site that caught my eye was a subdomain on dnspro.eu. Given the "dns" part of the name, I was expecting to see that the Bad Guys were once again abusing a Dynamic DNS hosting service, or had even set up one of their own. And sure enough, a quick look back in the logs showed nearly 40 different subdomains (none of them with realistic names), on as many different IP addresses.
dnspro.eu has no main site, and the domain was only registered about a week ago, which is further evidence that it's not being used for legitimate purposes.
The subdomain that had originally caught my eye, mof.dnspro.eu, had been automatically flagged in WebPulse as suspicious, since it was a new domain on a server that is part of an SEP network that we've been tracking for four months.
Here's a sample page from the site:
The page is clearly not designed for human viewing, but to fool the search engines. Notice the highlighted title of this page -- it was clearly created to target anyone who might be searching for "samples of 5th grade class president speeches" (one of our users apparently was!)... It also contains links to various other obscure searches, like "great cover letter for vice principal" which I also highlighted, since sample letters was a recurring theme that turned up in last year's research into common SEP topics.
For comparison with the above sample, here's a sibling site, showing a much different layout:
As the highlights show, this page repeated its title text in at least four other places. It also tried to show some structure in the "posts", although since they're built with chunks of random text, I suspect that this was also designed more to fool the search engines than to be viewed by a human visitor.
mof.dnspro.eu is just one member of a very extensive SEP network. (By my count, there are at least six separate sub-networks, each using multiple IP addresses -- nearly 500 of them over the last several months.) The full network has used hundreds of domain names in just the past week, and is averaging nearly a thousand hits a day in the WebPulse logs.