Security researchers have discovered a long-running, multi-vector black hat search engine optimisation (SEO) campaign that shows that cyber criminals are organised and professional.

The campaign – started before November 2015 and discovered in March 2016 – uses automated botnet-based attacks to compromise legitimate websites to boost the rankings of cyber criminals’ customer websites.

Black hat SEO methods typically exploit weaknesses in web infrastructure to promote the visibility and popularity of clients' websites by tricking search engine rankings.

The campaign – which is still believed to be active – is detailed in the latest Hacker Intelligence Report released at Infosecurity Europe 2016 in London by security firm Imperva.

“This campaign shows cyber crime is a serious and organised professional business that makes use of botnets, link farms and distributed, co-ordinated activities to provide SEO services to paying customers,” said Amichai Shulman, chief technology officer at Imperva.

“If organisations want to fight cyber crime, they need to get serious and they need to get professional about it – because their adversaries are professional and very serious about their industry,” he told Computer Weekly.

Researchers at the Imperva Defense Center discovered the cyber criminal SEO campaign after noticing Imperva’s systems were detecting and blocking attempts to compromise customer sites.

They found that thousands of websites had been targeted by botnet-driven SQL injection, HTML injection, cross-site scripting (XSS) and comment spam attacks to promote mainly illegal web commerce sites.

Hackers exploit botnets for SEO

While studying the black hat SEO campaign for a month, Imperva researchers saw more than 700 internet protocol (IP) addresses used by botnets to launch automated SQL injection and HTML link injection attacks, with over 800,000 malicious HTTP requests recorded.

The research showed that hackers are exploiting thousands of websites to illegally optimise and promote porn sites and online pharmacies, and that the use of automated tools was not sporadic use by an individual, but a well-run outfit at work with plenty of infrastructure in place.

In SEO, one of the significant parameters of the ranking algorithm is how many sites contain links to the website, and how highly those sites are ranked. By targeting legitimate websites and injecting links into web pages invisible to visitors – but visible to search engines indexing the pages – the cyber criminals boost the search engine rankings of their customers’ sites.

The researchers found that, while some of the links referenced the promoted sites directly, others referenced “link farms”. A link farm is a set of web pages – such as blog posts – created with the sole aim of linking to a target page in an attempt to improve the search engine ranking of that page.

Over a relatively short period the promoted sites gain high ranking on the target keywords, causing them to appear among the top results when searched online.