SQL injection used to manipulate search engine results
Wed 13 Jan 2016
The threat research division of content delivery network provider Akamai has identified a sustained SQL injection campaign which was able to successfully manipulate search engine optimisation (SEO) results.
The threat advisory (PDF) details the defacement of targeted websites that use Microsoft’s MS-SQL database system with the ambit of promoting a line of content regarding internet cheating and infidelity. Though web-pages or sites were indeed visually altered – or even wrecked – by the SQL attack, this was merely the result of the unsophisticated approach of the attackers, and the relative unimportance of concealing their incursions in the long term.
The researchers emphasise that the success of the SQL attacks is not related to any known vulnerability in the MS-SQL system, but that the databases are able to be exploited because of web application development which has not adequately protected its method of input.
Links from high-reputation, high-volume sites are sought after by SEO campaigners, since these will effectively share or donate reputation that was hard-won from search engines such as Google. An attack of this nature that is concerted among a number of sites, and which has such as specific SEO objective, is able to persuade search ranking algorithms that the rogue SEO target has merit in its own right, though the attack vector is more traditionally that of the third-party advertising modules which sites use to monetise themselves.
The Akamai researchers noted the success of the campaign by the metrics provided by Alexa, which maintains a register of domain popularity, and also of the outgoing links which sites provide. In the course of two weeks in the third quarter of 2015, Akamai observed that search results for certain combinations of words such as ‘cheat’ and ‘story’ yielded first place to the web results which the attackers had been seeking to promote.
SQL injections rely on database applications and protocols which have not been properly parametrised (see image above right). If input fields for new entries are not run through adequate checking procedures, multiple entries or misdirected entries can be successfully integrated into the database. In severe cases of poor filtering, entire new tables can be created and the database surrendered to the attackers.
In the case of the SEO/SQL attack in question, the attackers succeed in creating the links to specious web resources by inserting HTML which outputs hidden DIV elements; these may or may not have a visible effect on a website, but rather are intended to be noticed by search engines and to generate traffic via manipulated search results over a particular period of time.
The traditional point of attack for an SQL injection is a query string, such as is produced by a form or other controls which web developers may provide to users or administrators. The developers’ security efforts are usually focused on this obvious point of entry, and the campaign Akamai studied also used other attack vectors, such as manipulation of user-agent and referrers into request headers
Akamai state that the campaign under study is ongoing.