Hijinks on the High Seas
November 29, 1999
By ROBERT MOSKOWITZ
Remember when Wile E. Coyote would paint a picture of a road on a canyon wall in hopes of fooling and capturing the Road Runner? If you do, you also probably remember that Wile E.'s plan always failed. But these days, there are some Wile E. Coyotes on the Internet who are trying to do the same to your customers--with much more success.
Welcome to pagejacking, the latest in Internet hijinks. Pagejacking is what happens when Internet surfers think they've selected www.this.com from a search engine, but they end up at www.that.com. The mechanics have nothing to do with any security flaws in HTTP, Web servers or clients. Rather, pagejacking is a sham perpetrated on the search engines, and your Web site is a potential dupe. While you can't take any direct action against pagejacking, once you discover it, you can act before any serious customer-relations damage is done.
The FTC (Federal Trade Commission) has been treating pagejacking as fraud, and a few pagejackers have been stopped. But the FTC can't stem the tide. Much pagejacking is done from overseas servers, and there is some doubt as to whether pagejacking really meets the definition of fraud or falls into the FTC's jurisdiction.
The pagejacking process is trivial. Pagejackers copy an important page from your Web server, build a Web page with all the key metatags and text, then rig the page content and title so that search engines sort their page ahead of yours. It's as simple as that. The attack is uncomplicated and requires no assault against your servers or your DNS entries; pagejackers use your own metatags to defeat you. Although this is not a security problem, security tools can be tuned to root out pagejackers.
With the knowledge that pagejackers use search engines as the hapless barkers bringing in the marks, you can find them in the search engines more easily than your customers can. After all, those metatags are yours--you know what to look for. What you need is a reversed IDT (intrusion-detection tool), and perhaps an EDT (extrusion-detection tool) that will perform automatic searches for your own metatags. This EDT would run your tags and key text against the main search engines nightly, reporting all URLs that sort higher than yours. Some AI (artificial intelligence) might help, but in the end you'll need someone--most likely your Webmaster--to review the report each morning and personally investigate some of the URLs. Because the economic model for most pagejackers is to send the pagejackee to a porno site (pagejackers get a few microcents in return), the investigation must be conducted outside your firewall with protection and alarms. This way, the investigator knows where he or she is going, but does not have to view any objectionable material.
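The nightly check described above can be sketched as follows; this is an added example, not code from the column or from any vendor. The ranked results are constructed sample data standing in for whatever each search engine returns, and the names `report` and `OwnTags`, the hosts and the 0.5 overlap threshold are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def tokens(text):  # lower-cased words of three or more characters
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if len(w) > 2}

class OwnTags(HTMLParser):
    """Collects title words and meta keywords/description from our own page."""
    def __init__(self):
        super().__init__()
        self.terms, self._in_title = set(), False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() in ("keywords", "description"):
            self.terms |= tokens(a.get("content") or "")
    def handle_endtag(self, tag):
        self._in_title = False  # the first end tag after <title> is </title>
    def handle_data(self, data):
        if self._in_title:
            self.terms |= tokens(data)

def report(own_html, own_host, results, threshold=0.5):
    """(engine, rank, url, overlap) for foreign URLs sorted above ours that reuse our terms."""
    parser = OwnTags()
    parser.feed(own_html)
    ours, hits = parser.terms, []
    for engine, ranked in results.items():
        for rank, (url, title, snippet) in enumerate(ranked, 1):
            host = urlparse(url).hostname or ""
            if host == own_host or host.endswith("." + own_host):
                break  # our own listing: everything after it sorts lower
            overlap = len(ours & tokens(title + " " + snippet)) / max(len(ours), 1)
            if overlap >= threshold:
                hits.append((engine, rank, url, round(overlap, 2)))
    return hits

# Constructed sample data (hypothetical hosts and listings, not real search results).
OWN_HTML = ('<title>Acme Widgets - Brass Widgets and Gears</title>'
            '<meta name="keywords" content="brass widgets, gears, acme, sprockets">')
COPY = ("Acme Widgets - Brass Widgets and Gears", "Acme sells brass widgets and gears")
RESULTS = {
    "engine-a": [("http://copy.example.net/w.html", *COPY),
                 ("http://rival.example.org/", "Rival Gear Co", "Steel gears and cogs"),
                 ("http://www.acme.example/", *COPY)],
    "engine-b": [("http://www.acme.example/", *COPY), ("http://copy.example.net/w.html", *COPY)],
}
```

Calling `report(OWN_HTML, "acme.example", RESULTS)` flags only the copy that outranks the real site on engine-a; the competitor with its own wording and the copy that sorts below the real listing are left out. If the real site does not appear in an engine's results at all, every matching listing from that engine is reported.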
If a pagejacker is found, you can set remedial actions in motion. The FTC may still assist you. The search-engine owner may be willing to help as well, to avoid possibly being considered an accessory to the fraud. A potential and interesting side benefit from this effort is that you'll inevitably see how you rate in the search engines against your competitors. This alone could pay for your effort. If a casual search on retailers shows you instead of them, your site benefits in the long run.
Pagejacking is a real threat to the Internet's usability. If it becomes pervasive, customers will simply stop searching for things. It's unlikely that standard security technologies will provide any relief. It's also difficult to envision any digital signing that is not defraudable, and what browser users ever check out security information? Only your active vigilance can thwart pagejackers. If you're concerned about pagejacking, contact the folks at your intrusion-detection vendor and ask if they can whip up an extrusion detector for you.
Robert Moskowitz is a senior technical director at ICSA. Send your comments on this column to him at firstname.lastname@example.org.