Reflected Search Poisoning for Illicit Promotion
Main authors: | , , , |
---|---|
Format: | Article |
Language: | eng |
Subjects: | |
Summary: | As an emerging black hat search engine optimization (SEO) technique,
reflected search poisoning (RSP) allows a miscreant to free-ride the reputation
of high-ranking websites, poisoning search engines with illicit promotion texts
(IPTs) in an efficient and stealthy manner, while avoiding the burden of
continuous website compromise as required by traditional promotion infections.
However, little is known about the security implications of RSP, e.g., what
illicit promotion campaigns are being distributed by RSP, and to what extent
regular search users can be exposed to illicit promotion texts distributed by
RSP. In this study, we conduct the first security study on RSP-based illicit
promotion, which is made possible through an end-to-end methodology for
capturing, analyzing, and infiltrating IPTs. As a result, IPTs distributed via
RSP are found to be large-scale, continuously growing, and diverse in both
illicit categories and natural languages. Particularly, we have identified over
11 million distinct IPTs belonging to 14 different illicit categories, with
typical examples including drug trading, data theft, counterfeit goods, and
hacking services. Also, the underlying RSP cases have abused tens of thousands
of high-ranking websites, as well as extensively poisoning all four popular
search engines we studied, especially Google Search and Bing. Furthermore, it
is observed that benign search users are being exposed to IPTs at a concerning
extent. To facilitate interaction with potential customers (victim search
users), miscreants tend to embed various types of contacts in IPTs, especially
instant messaging accounts. Further infiltration of these IPT contacts reveals
that the underlying illicit campaigns are operated on a large scale. All these
findings highlight the negative security implications of IPTs and RSPs, and
thus call for more efforts to mitigate RSP-driven illicit promotion. |
---|---|
DOI: | 10.48550/arxiv.2404.05320 |