
SEO poisoning campaign ensnares several thousand websites, security expert finds

A security expert found that several thousand legitimate websites have been compromised to improve the SEO of other web pages – a tactic that could result in targeted sites being demoted or even blacklisted by search engines.

The attack method, called SEO poisoning, was observed by Jay Wind, an Arlington, Va.-based webmaster who manages several non-profit and business sites. In September, he first stumbled across the issue after seeing numerous GoDaddy domains being targeted, but it appears that the longstanding issue is not just limited to GoDaddy sites.

This week, SCMagazine.com ran a Whois search on some of the impacted domains, and found that, in addition to GoDaddy sites, domains hosted by service providers Versaweb and CyrusOne also appeared to be impacted by the attacks, meaning the campaign appears to be a more widespread issue.

In a Monday interview with SCmagazine.com, Wind explained that scammers inserted dozens of links to outside websites in the code of attacked sites, which included pages for law firms (canyonlawoffice[.]com, eganlawoffices[.]com), online retailers (including easterndistributors[.]us), a Pilates studio (parkview-pilates[.]com), a church (www.stjohnchurchnj[.]com), a library (www.everettlibrary[.]org) and even a Washington Traffic Defense website (www.washingtontrafficdefense[.]com), among dozens of other web pages.

In recent days, however, it appears that many of the site issues have since been addressed, but Wind believes scammers may have moved on to different sites to manipulate SEO rankings. For the most part, attacked domains did not appear to be high-traffic websites, where frequent website maintenance occurs, Wind added.

In Tuesday email correspondence with SCMagazine.com, a spokeswoman at security firm Websense confirmed that the company has also seen “similarly compromised sites in the last two weeks,” specifically, 15,000 poisoned sites.

In a Tuesday follow-up email with SCMagazine.com, Wind said that in 15 minutes, he was able to round up 174 websites, all GoDaddy-hosted web pages, which had fallen victim to the attack. Wind reported the issue to a number of impacted site operators who were “wholly unaware of the problem,” he wrote. As URLs to dozens more attacked sites are linked on compromised pages, he calculated that around 10,000 websites may have been impacted in the SEO poisoning campaign.

Ilia Kolochenko, CEO of Swiss penetration testing firm High-Tech Bridge, told SCMagazine.com in an interview that the website attacks were most likely the result of compromised admin credentials being leveraged to take control of the websites.

“[Hackers can] get as many credentials together as possible and just sell it,” Kolochenko said, explaining a potential entry point. He added that it was possible, but less likely, that a domain provider's customer database was compromised to attack legitimate sites.

On Monday, SCMagazine.com reached out to GoDaddy and a spokesman for the company, Nick Fuller, said that it was investigating the matter.

“I'm having our security team look through this and figure it out,” Fuller said. He added in a Tuesday follow-up interview that some of the recently cleaned-up pages may have been the result of GoDaddy's efforts, once SCMagazine.com notified it of the issue.

"We try to assist in cleaning up the websites, so some of what you are seeing could be us assisting those customers," he said.

Back in October, security company Sucuri told SCMagazine.com that it had recently helped a client rid their website of SEO spam, and that SEO poisoning attacks could cause significant issues for legitimate website operators.

At the time, Sucuri CTO Daniel Cid said in an interview that remediation of the issue involved eliminating the bad links, as failing to do so could poison search engine results causing bad sites to be ranked higher than good sites. Furthermore, SEO poisoning risks the brand reputation of impacted parties, potentially resulting in reduced sales and traffic, or even legitimate websites being blacklisted by search engines, he added.

Site operators are advised to update their passwords and analyze logs to determine all possible entry points for an attacker, including vulnerable CMS packages like WordPress or Joomla, Cid said.
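One way a site operator could round up injected outbound links before removing them, as an added example (not code from the article or from any firm it quotes): it assumes the injected links are plain anchors in the served HTML, typically placed in hidden containers, and uses only the Python standard library.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}  # never get an end tag

class InjectedLinkAuditor(HTMLParser):
    # Collects <a href> targets that leave the site and records whether each sits
    # inside an element hidden by style or the hidden attribute (how injected
    # SEO links are usually kept out of visitors' sight).
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.open_tags = []    # (tag, hidden) for every open non-void element
        self.hidden_depth = 0  # > 0 while inside any hidden element
        self.findings = []

    def _is_external(self, href):
        host = (urlparse(href).hostname or "").lower()  # "" => relative, same site
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style or "hidden" in a
        if tag not in VOID_TAGS:
            self.open_tags.append((tag, hidden))
            self.hidden_depth += hidden
        if tag == "a" and a.get("href") and self._is_external(a["href"]):
            self.findings.append({"href": a["href"], "hidden": self.hidden_depth > 0})

    def handle_endtag(self, tag):
        # unwind to the matching open tag so unclosed elements don't skew the depth
        while self.open_tags:
            open_tag, hidden = self.open_tags.pop()
            self.hidden_depth -= hidden
            if open_tag == tag:
                break

def audit_html(html, site_host):
    p = InjectedLinkAuditor(site_host)
    p.feed(html)
    return p.findings

# Constructed sample: a page on example.org with one legitimate outbound link and
# a hidden block of injected links (placeholder hosts, not taken from the article).
SAMPLE = """<html><body>
<a href="/about.html">About us</a>
<a href="https://www.example.org/contact">Contact</a>
<a href="https://partner.example.com/">Our partner</a>
<div style="display: none">
  <a href="http://cheap-pills.example.net/">pills</a>
  <a href="http://casino.example.net/">casino</a><br>
</div></body></html>"""
```

Running audit_html(SAMPLE, "example.org") flags the partner link as visible and the two links in the hidden div as hidden; the hidden ones are the candidates to remove before checking logs for how they got there.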
