Blue Coat Labs

Labs Blog

Latest SEP (Search Engine Poisoning) Research, Part 5

Chris Larsen

[This is part five of a series of blog posts providing some of the backstory for my RSA presentation on Search Engine Poisoning. There was a lot of material that simply wouldn't fit into 45 minutes...]



Probably the single most interesting part of the chart in Part 4 was the "Celebrity" SEP category. Just 2.7%??? Don't we all know that the Bad Guys love to target people searching for celebrity content? The security industry sure likes to get press coverage for these attacks!

(In fact, when I got my RSA welcome-packet, as I was flipping through the materials, I noticed a blurb from another company about celebrity SEP attacks: "The Top Five most dangerous celebrities to search for that year were....")

So it's definitely worth a closer look at what the data is really saying:

- First, keep in mind that the "2.7%" is not claiming to be the overall percentage of searches that target celebrity content. It's the percentage of all "searches-that-led-to-an-SEP-attack" where the initial search terms were about a celebrity.

- Next, the "celebrities" whose names showed up in the SEP logs were probably not people that you've ever heard of. (Say what?) I mean, I didn't know who most of them were -- I had to google them. (And if the results of that search showed that the person was in fact a "celebrity" because they were a porn star, then it wasn't a Celebrity search, it was a Porn search, and was counted accordingly.)

- Typically, these people were (female) personalities of obscure cable TV shows, or news anchors and reporters from TV stations in various American cities, with a few book authors mixed in.

- That's not to say that "A-list" celebrity names never showed up in the SEP logs, of course. It's just that, when they did, their names were nearly always accompanied by one or more porn terms. (So again, these searches were not counted in the Celebrity bucket, but in the Porn bucket.)



The only explanation I can think of that makes sense for the disparity between these results and the common perception that the Bad Guys like to target celebrity-searchers is the "clutter factor". In other words, there are simply so many legitimate sites with lots of celebrity content (and the search engines know and trust those sites), that it's hard for the SEP gangs to consistently get pages into the top results where people might actually see them.

To illustrate the clutter factor, I'll summarize an internal blog post from last summer, about a supposed celebrity-themed SEP attack:

- According to a story from one of our competitors, the attack was targeting people searching for "shia labeouf" content.

- However, when I checked in Google, the hacked site was on page five of the results; it really wasn't likely that a lot of people were finding and clicking the link that way.

- The fact that a decent fan site, that's been around for a while, and has a lot of content, showed up this low in the results illustrates the amount of competition for those coveted top slots in the search engine rankings.

- Further, there was zero evidence in this case that the Bad Guys were attempting any SEO whatsoever to push this hacked site higher in the rankings. They were just opportunistically taking advantage of whatever normal traffic happened to come its way (and there wasn't much). So, zero SEO == not an SEP attack. (In fact, most of the handful of visitors to the site actually came via links on Twitter...)


I suppose that if the research methodology were simpler, say, take a celeb name, search, and go down through multiple pages, looking for ANY shady-looking link, you could find "SEP attacks" on that celebrity. But focusing on actual (non-porn) SEP attacks, where people actually clicked an SEP link that they found because it was high in the results, tells a different story...