A security expert estimates that around 10,000 legitimate websites were impacted by the campaign.

A security expert found that several thousand legitimate websites have been compromised to improve the SEO of other web pages – a tactic that could result in targeted sites being demoted or even blacklisted by search engines.

The attack method, called SEO poisoning, was observed by Jay Wind, an Arlington, Va.-based webmaster who manages several non-profit and business sites. In September, he first stumbled across the issue after seeing numerous GoDaddy domains being targeted, but it appears that the longstanding issue is not just limited to GoDaddy sites.

This week, SCMagazine.com ran a Whois search on some of the impacted domains, and found that, in addition to GoDaddy sites, domains hosted by service providers Versaweb and CyrusOne also appeared to be impacted by the attacks, meaning the campaign appears to be a more widespread issue.

In a Monday interview with SCMagazine.com, Wind explained that scammers inserted dozens of links to outside websites in the code of attacked sites, which included pages for law firms (canyonlawoffice[.]com, eganlawoffices[.]com), online retailers (including easterndistributors[.]us), a Pilates studio (parkview-pilates[.]com), a church (www.stjohnchurchnj[.]com), a library (www.everettlibrary[.]org) and even a Washington Traffic Defense website (www.washingtontrafficdefense[.]com), among dozens of other web pages.

In recent days, many of the site issues appear to have been addressed, but Wind believes scammers may have moved on to different sites to manipulate SEO rankings. For the most part, attacked domains did not appear to be high-traffic websites, where frequent website maintenance occurs, Wind added.

In Tuesday email correspondence with SCMagazine.com, a spokeswoman at security firm Websense confirmed that the company has also seen “similarly compromised sites in the last two weeks,” specifically, 15,000 poisoned sites.

In a Tuesday follow-up email with SCMagazine.com, Wind said that in 15 minutes, he was able to round up 174 websites, all GoDaddy-hosted web pages, which had fallen victim to the attack. Wind reported the issue to a number of impacted site operators who were “wholly unaware of the problem,” he wrote. As URLs to dozens more attacked sites are linked on compromised pages, he calculated that around 10,000 websites may have been impacted in the SEO poisoning campaign.
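
Because the operators described above did not know outside links had been added to their pages, a periodic outbound-link audit is one way to notice the change. The Python below is an added example, not code from the article or anyone quoted in it; the sample page, the `example.*` host names and the allowlist are constructed, and the function names are hypothetical.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def unexpected_link_hosts(html, page_url, allowed):
    """Count links per host that is neither the page's own host nor allowlisted."""
    collector = LinkCollector()
    collector.feed(html)
    own_host = (urlsplit(page_url).hostname or "").lower()
    counts = Counter()
    for href in collector.hrefs:
        parts = urlsplit(urljoin(page_url, href))  # resolve relative links
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip mailto:, javascript: and other non-web schemes
        host = parts.hostname.lower()
        if not host_allowed(host, allowed | {own_host}):
            counts[host] += 1
    return counts

# Constructed sample page and allowlist; every host here is a placeholder.
SAMPLE_PAGE = """<html><body>
<a href="/about.html">About</a>
<a href="https://www.example.org/partners">Partner</a>
<a href="mailto:info@site.example">Mail</a>
<div><a href="http://pills.example.net/a">x</a>
<a href="http://pills.example.net/b">y</a>
<a href="http://loans.example.com/">z</a></div>
</body></html>"""
ALLOWED = {"example.org"}  # domains the operator links to on purpose

if __name__ == "__main__":
    found = unexpected_link_hosts(SAMPLE_PAGE, "http://www.site.example/", ALLOWED)
    for host, n in found.most_common():
        print(f"{n:3d}  {host}")
```

Run against a saved copy of each page on a schedule, any host that appears in the output without a corresponding deliberate edit is worth reviewing.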