A sophisticated campaign using SQL Injection for SEO has been spotted by Akamai’s Threat Research Division, apparently crossing the line from questionable-but-legitimate promotional practices to outright hacking.
SEO is not a ‘70s band, although it is about takin’ care of business. It stands for Search Engine Optimization, the practice of tailoring a web site so that it appears high in the results returned on a search engine query. In an online economy in which eyeballs equal dollars and clicks spell the difference between success and bankruptcy, driving visitors to a web site is crucial. Studies show that the higher a site appears in search results, the more likely it is to capture clicks and eyeballs. If you’re not near the top of the first page, you probably won’t get seen.
The Akamai threat advisory warns that attackers are exploiting SQL Injection vulnerabilities in web applications using Microsoft’s MS-SQL back-end database to insert hypertext links to third-party sites. The attacks create chains of external links in an effort to mimic normal web content so that these links will be discovered and indexed by search engines crawling the Internet. Because the number and reputation of links that redirect to a given site influence the site’s ranking in search results, these injected links can boost a site’s visibility.
The ongoing campaign was identified in the third quarter of last year, promoting a Web site containing “cheating and infidelity” stories. Researchers observed attacks on more than 3,800 sites with 348 unique IP addresses participating. The IP addresses are clustered in the United States and Western Europe.
All of this raises a couple of questions. The first question, of course, is why are people searching for or interested in reading stories of infidelity? If you are looking for titillation, it seems there is enough erotica and outright porn on the Internet to satisfy even the most jaded tastes. If you are looking for a racy romance story, the racks at the drug store are full of novels. But this is a question of human nature and beyond my ability to explain.
The second question is where to draw the line between permissible and appropriate SEO techniques, and inappropriate and even illegal activities.
In theory there is nothing wrong with SEO. Google has published a guide to Search Engine Optimization that includes best practices to “make it easier for search engines to crawl, index and understand your content.” The search engine giant advises site designers that first and foremost they should do “what’s best for the visitors to your site.” In other words, SEO essentially is good web design.
Beyond this we get into questionable areas in which searches are manipulated, using techniques such as hidden text that is used in indexing but is not part of a site’s content from a user’s point of view. It can include the artful use of real content to boost rankings while not adding to the site’s value, which can leave the visitor feeling cheated. There are many techniques that push the boundaries, but it is safe to say that using SQL Injection to compromise third-party sites clearly crosses the line from inappropriate to downright illegal.
The attacks described by Akamai are not new, but they are being put to an interesting new use. To protect your web sites from this kind of abuse, Akamai recommends basic best practices for preventing and defending against SQL Injection.
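Alongside prevention, a site owner can check whether links of the kind described above have already been planted in stored content. The following is an added example, not taken from Akamai's advisory: it audits HTML read from a content table for links to hosts outside an allowlist and ranks those hosts by how many rows they appear in. The allowlist, host names and sample rows are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this site legitimately links to (constructed for the example).
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdn.example.com"}

# Constructed sample of (row id, stored HTML) as read from a content table.
SAMPLE_ROWS = [
    (1, '<p>See the <a href="/faq">FAQ</a> or <a href="https://www.example.com/help">help</a>.</p>'),
    (2, '<p>Great product.</p><div style="display:none">'
        '<a href="http://stories.invalid/a">x</a><a href="http://stories.invalid/b">y</a></div>'),
    (3, '<p>Source: <a href="https://partner.test/report">report</a></p>'),
    (4, '<p>Thanks!</p><a href="//stories.invalid/c">more</a>'),
]

class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag fed to the parser."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def external_hosts(html):
    """Return hosts linked from html that are not allowlisted (relative links are skipped)."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = [urlsplit(h).hostname for h in parser.hrefs]  # hostname is lowercased, None if relative
    return [h for h in hosts if h and h not in ALLOWED_HOSTS]

def audit(rows):
    """Return ({row_id: unexpected hosts}, [(host, number of rows it appears in), ...])."""
    findings, counts = {}, Counter()
    for row_id, html in rows:
        hosts = external_hosts(html)
        if hosts:
            findings[row_id] = sorted(set(hosts))
            counts.update(set(hosts))
    return findings, counts.most_common()

if __name__ == "__main__":
    findings, ranking = audit(SAMPLE_ROWS)
    for row_id, hosts in findings.items():
        print(f"row {row_id}: unexpected link targets {hosts}")
    print("hosts by number of affected rows:", ranking)
```

A host that appears across many unrelated rows is the pattern to investigate first; a single hit such as the partner link in row 3 may only mean the allowlist needs updating. Removing the links does not close the injection flaw that let them in.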
If you are interested in driving traffic to your web site, concentrate on providing good products and content and good design. This might be more effort up front, but the results are likely to be longer lasting.