The Continuing .Gov Blackhat SEO Campaign - Part Two

As it's becoming increasing clear that blackhat SEOers are actively experimenting with embedding their content on high pagerank sites, such as .govs, the numerous campaigns, one of which was by the way serving malware, indicate that injection the content through remote file inclussion or remotely exploitable web application vulnerabilities is an emerging trend that deserves to be closely examined. Here are several more currently active blackhat SEO campaigns located at :

- Utah Attorney General’s Office Identity Theft Reporting Information System -
idtheft.utah.gov/pn/modules/pagesetter/pntemplates/plugins - 20, 200 SEO pages

- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 3, 630 pages

- Readyforwinners e-magazine - readyforwinners.hertscc.gov.uk/templates/2 - 890 SEO pages

- National Homecare Council - homecare.gov.uk/nhcc.nsf/discmainview - 220 SEO pages

- Washington Wing Website - wawg.cap.gov/calendar/editor/themes/simple - 93 SEO pages

- Fauquier County - fauquiercounty.gov/government/departments/procurement - 69 SEO pages

- Wisconsin Department of Military Affairs - dma.wi.gov/mediapublicaffairs - over 1,000 pages embedded with "invisible SEO content" meaning the content is also visible to search engines just like the one in a previous assessment

The number of pages currently hosted at these high pagerank domains is indeed disturbing, but here comes the juicy part in the form of yet another "invisible blackhat SEO" campaign, where outgoing links and SEO content is embedded at the host, but is only visible to web crawlers. Take the Wisconsin Department of Military Affairs's site for instance, where a news item that was posted in 2003, yes five years ago, is still embedded with "invisible blackhat SEO content" in between a fancy javascript obfuscation that once deobfuscated tries to connect to a third-party host feeding it with referring keywords, sort of keywords blackhole for optimizing future SEO campaigns based on increasing or decreasing popularity of specific ones.

Sampling the outgoing links also speaks for itself, take canadianmedsworld.com (217.170.77.162) for instance, and the fact that a great deal of outgoing links also respond to nearby IPs within the scammy ecosystem (217.170.77.*) such as :

canadianpharmacyltd.org
ns1.viagrabestprice.info
ns2.viagrabestprice.info
officialmedicines.us
pharm-shop.net
thecanadianpharmacymeds.com
viagrabestprice.info
viagraforlove.com
xdrugpill.com

This is perhaps the perfect moment to clarify that the appropriate people responsible for auditing and securing these hosts, are already doing their forensics job and are coming up with more data, on how it happened, when it happened, and who could be behind it - an example of threat intell sharing a concept that should be getting more attention than it is for the time being. So far, there haven't been repeated incidents like the malware serving ones I assessed in previous posts, but as it's obvious they're automatically capable of embedding and locally hosting any content, it's only a matter of intentions in this case.