Juice: A Longitudinal Study of an SEO Botnet

Black hat search engine optimization (SEO) campaigns attract and monetize traffic using abusive schemes. Using a combination of Web site compromise, keyword stuffing and cloaking, an SEO botnet operator can manipulate search engine rankings for key search terms, ultimately directing users to sites promoting some kind of scam (e.g., fake antivirus). In this paper, we infiltrate an influential SEO botnet, GR, characterize its dynamics and effectiveness, and identify the key scams driving its innovation. Surprisingly, we find that, unlike e-mail spam botnets, this botnet is both modest in size and low in churn, suggesting little adversarial pressure from defenders. Belying its small size, however, the GR botnet is able to successfully “juice” the rankings of trending search terms and, during its peak, appears to have been the dominant source of trending search term poisoning for Google. Finally, we document the range of scams it promoted and the role played by fake anti-virus programs in driving innovation.
