Unmasking a Halloween-themed SEO/SEP Network
Last Fall, as I was doing an in-depth look at Search Engine Poisoning (SEP) attacks, one of the categories that showed up pretty consistently was "holiday themed" SEP.
And just in time for Halloween, this week I came across a good-sized network of Halloween-themed SEP sites...
Even though Halloween is still 3 weeks away, people are already searching for "killer" (pun intended) costume ideas. Here are some examples of their searches that led them into this network:
professor quirrell costumes
honduras national costume for kids
famous trios halloween costumes
ike and tina turner halloween costumes
gilligans island costume the professor
homemade sonny and cher costume
And my personal favorite:
infants flying monkey costume
(which would have been a fun idea -- back when I had infants -- if my wife would have let me do it...)
Anyway, these and many other Halloween-related terms are being typed into Google and Bing, and people are clicking links leading to sites with names like costume8sr6.in and halloweenarxf.in,* (and many others!) that live on a large number of IP addresses. These domains tend to be over a year old, meaning they've been carefully cultivating a trusted (or at least non-malicious) reputation with the search engines for a long time.
The good news is that this particular SEP network does not seem to be leading into malware. Rather, the clicks lead into what I would characterize as "shady traffic" networks, driving traffic to networks of affiliate sites, for ad- and click-fraud types of activities.
Or maybe I just didn't dig deeply enough. I stopped at this layer, since all of the sites I saw were already rated as Suspicious in our database.
* One of the "search engine safety tips" I tell people is to avoid clicking links to top level domains like ".in" (India) and ".ru" (Russia) in search engine results for topics that have no real relevance to those countries. It's particularly good advice for American holidays like Halloween and Thanksgiving (which is also starting to show up in searches leading into this network, by the way)...