John P John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi
August 2011
We perform an in-depth study of SEO attacks that
spread malware by poisoning search results for popular
queries. Such attacks, although recent, appear to be both
widespread and effective. They compromise legitimate
Web sites and generate a large number of fake pages
targeting trendy keywords. We first dissect one example
attack that affects over 5,000 Web domains and attracts
over 81,000 user visits. Further, we develop deSEO,
a system that automatically detects these attacks.
Using large datasets with hundreds of billions of URLs,
deSEO successfully identifies multiple malicious SEO
campaigns. In particular, applying the URL signatures
derived from deSEO, we find 36% of sampled searches
to Google and Bing contain at least one malicious link in
the top results at the time of our experiment.
In Usenix Security Symposium
Publisher USENIX
Type Inproceedings