Archive

Posts Tagged ‘hackers’

SEO & hackers, an odd couple

March 29th, 2010 8 comments

Edited by Iñaki Gorostiza, March 2010

We tend to think of SEO experts as mystic loners, able to predict trends on Google and position websites through some mysterious power or secret technique available only to a chosen few.

The reality is quite different: SEO (Search Engine Optimization) is an easily accessible web development discipline anyone can use. In fact, it hardly requires advanced technical knowledge, and its simplicity attracts people from many fields. Of course it also attracts hackers, who are interested in anything that returns a fast and easy profit. The figures speak for themselves:

- There are over 1 million malicious pages indexed in Google.

- Over 3 million search results have been hijacked by hackers.

SEO uncovered

Here are the main principles for SEO:

  • Get a good title for your website.
  • Write the contents with special attention to keyword density.
  • Get backlinks to your website.

There are other secondary elements that help position a website: Google Sitemaps, file and URL names, domain name and age, etc.

Positioning your website by following these simple tips is very rewarding. In just a few minutes, you could create a page with your CV and try to position it in Google for searches related to your name or job.

This is what hackers do: they create their websites, position them and wait for unwary visitors to fall into the trap. Internet users who reach a website through a search engine are potentially malleable, as they came to the site voluntarily, searching for information, products or services. Hackers take advantage of this by inviting them to download the movie they were searching for (infected with a Trojan), by warning them about a false infection on their computer in order to recommend a fake antivirus, or simply by requesting a donation for earthquake or tsunami victims.

Important: there are other "illegitimate" positioning techniques, penalised by Google if detected, known as "Black Hat SEO": cloaking (serving one page to the search engine's crawler and a different one to visitors), keyword stuffing, hidden text, doorway pages, duplicate content, link farms, etc. They allow quick and easy positioning. It is important to note, however, that hackers don't always use Black Hat SEO; in most cases their organic positioning is completely "legitimate".
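Cloaking is the one technique in that list a defender can test for directly, because it leaves a measurable trace: the page served to the search engine's crawler differs from the page served to a browser. The Python script below is an added example and not code from the original post. It assumes you have already fetched the same URL twice, once with a crawler User-Agent (Googlebot's, say) and once with an ordinary browser User-Agent, and it compares the visible text of the two responses. The two HTML bodies are constructed samples standing in for real HTTP responses.

```python
"""Detect search-engine cloaking by comparing what a page serves to a
crawler user-agent with what it serves to a browser user-agent.

Added example; not code from the original post.  The two HTML bodies
below are constructed samples standing in for real HTTP responses.
"""
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML document, skipping script/style."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_words(html):
    """Return the set of lower-cased words a visitor would actually see."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a, b):
    """Jaccard similarity of two sets (1.0 when both are empty)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cloaking_suspected(crawler_html, browser_html, threshold=0.5):
    """True when the crawler and browser versions share too little visible text."""
    return jaccard(visible_words(crawler_html), visible_words(browser_html)) < threshold


# Constructed samples: what a poisoned page might return for each User-Agent.
CRAWLER_VIEW = """
<html><head><title>Haiti earthquake relief - donate now</title></head>
<body><h1>Haiti earthquake relief fund</h1>
<p>Official information on the Haiti earthquake and how to donate to the
relief fund for the victims. Donate, earthquake, relief, victims, Haiti.</p>
</body></html>
"""

BROWSER_VIEW = """
<html><head><title>Security alert</title>
<script>window.location="http://example.invalid/setup.exe";</script></head>
<body><h1>Warning: your computer is infected!</h1>
<p>Click here to install Antivirus 2010 and remove 37 threats.</p>
</body></html>
"""

HONEST_VIEW = CRAWLER_VIEW  # an honest site serves everyone the same page


if __name__ == "__main__":
    print("poisoned page cloaked:", cloaking_suspected(CRAWLER_VIEW, BROWSER_VIEW))
    print("honest page cloaked:  ", cloaking_suspected(CRAWLER_VIEW, HONEST_VIEW))
```

The threshold is a heuristic. Legitimate sites also vary content by User-Agent (mobile layouts, A/B tests), and a cloaker that keys on the crawler's IP range rather than its User-Agent header will look honest to this check; treat a low score as a reason to look closer, not as proof.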

Not everything is what it seems

The main problem with SEO techniques, whether used for good purposes or maliciously by hackers, is that for highly competitive search terms it is sometimes very complicated or even impossible to position a website. Just imagine how hard it is to rank for a term like "Buy house", for which Google returns millions of pages struggling to reach the top positions.

However, you may find the following techniques useful in these cases:

  • The first is called “Long Tail SEO” and consists of positioning a highly competitive term, by using terms with less competition. For example, instead of positioning a website by using “Buy house”, you could position it by using terms like “Buy house in Madrid” or “Buy cheap house in Madrid”.
  • Another technique consists of taking advantage of Google users’ spelling errors to position your website by using deliberately misspelled keywords. Can you imagine the different ways to write “Britney Spears” a person could come up with? In this case, there are multiple tools such as the Google Adwords Keyword tool which can be helpful.
  • Finally, and equally importantly: foresight. When using SEO techniques, you must be ahead of the news in order to narrow down the competition. PandaLabs has observed that minutes after any global catastrophe or disaster, the top Google results correspond to fraudulent pages seeking to profit from the situation.

We will always have Paris

And what can users do against this threat? Keep the browser up to date, so that hackers cannot exploit a known vulnerability to infect the computer. Google fights this kind of cyber-crime by penalising fraudulent pages and warning users about potentially dangerous websites. Browser add-ons such as Web Of Trust also warn users about fraudulent pages.

However, common sense is once again your main ally. Be as wary of an unknown website as you would be of a stranger in the street. Before making a donation, make sure the account number you send the money to really belongs to the organisation in question. Avoid illegitimate downloads and scan every file with your antivirus before installing it.

If, as the Spanish author Miguel Delibes said, the Internet is hell, then I would say Google is its gate.

Iñaki Gorostiza works at Panda Security as head of Web Development. Since joining the company in 2002 he has taken part in numerous projects in the development area and in online promotion. You can contact him on his blog http://www.hellogoogle.com, where he publishes articles that help companies grow on the Internet, and at http://twitter.com/hello_google.


SEO & Hackers, the odd couple

March 25th, 2010 No comments

Posted by Iñaki Gorostiza, March 2010

We hold on to the age-old belief that an SEO is a kind of lone guru, able to predict Google's behaviour and position any web page thanks to a mysterious gift or secret technique within reach of only a few.

The reality is quite different in this case, because SEO, or Search Engine Optimization, is a fairly friendly area of web development, accessible to any layman. In fact, it hardly requires advanced technical knowledge, and its simplicity is a draw for many people coming from other fields and, of course, for hackers, who are ready to turn their attention to any field that lets them make money quickly and easily. The figures speak for themselves:

- There are over 1 million malicious pages indexed in Google.

- Over 3 million search terms have been hijacked by hackers.

SEO uncovered

The fundamental principles every SEO must know are:

  1. Start by thinking of a good title for your page.
  2. Write your site's content paying special attention to the density of the keywords you want to rank for.
  3. Use heading tags <H1><H2>… and semantic tags <STRONG> <EM>… to highlight the most relevant phrases and keywords.
  4. Give all your images descriptive alt and title attributes.
  5. Get a good handful of backlinks (links) to your pages.

There are also many other secondary elements that help position a page: Google Sitemaps, file and URL naming, domain name and age, etc.

Positioning a web page by following these simple tips is a genuinely easy and rewarding task. In a matter of minutes you could create a page with your CV and try to position it in Google for searches related to your name or your profession.

This is exactly what hackers do: they create their web pages, position them, and sit back and wait for unwary visitors to land like flies on a honeycomb (forgive the simile) and get stuck in it. Visitors who reach a site through a search engine are a potentially malleable audience, since they came to the page of their own accord looking for some information, product or service. Hackers take advantage of this to invite them to download the film they were looking for, infected with a Trojan; to warn them about a false infection on their computer and recommend a fake antivirus; or simply to ask them for a generous donation to the victims of some earthquake or tsunami.

Note: there are other kinds of "illegitimate" positioning techniques, potentially penalised by Google (if it detects them), known as "Black Hat SEO". They include cloaking, keyword stuffing, hidden text, doorway pages, duplicate content, link farms, etc. These techniques allow quick and easy positioning, but it is worth stressing that hackers do not always need to resort to Black Hat SEO, and in most cases their organic positioning is entirely "legitimate".

Not all that glitters is gold

The main problem faced by both the honest SEO and the hacker turned SEO is that positioning a web page for competitive search terms is an extremely complicated and sometimes unattainable task. Imagine how hard it can be to position a site for terms like "Buy house" ("Comprar casa"): a single Google query shows over six million pages fighting hard for the top positions.

Faced with this problem, there are a few techniques that can help a great deal:

  • The first is known as "Long Tail SEO": instead of tackling a highly competitive term head-on, you position for related terms with far less competition. For example, rather than trying to rank for "Buy house", we could position our site for a series of terms such as "Buy house in Bilbao" or "Buy cheap house in Bilbao".
  • A second technique takes advantage of Google users' spelling mistakes to position our site for deliberately misspelled keywords. Can you imagine how many different ways a person might spell "Britney Spears"? Tools such as the AdWords keyword suggestion tool can help here.
  • Last, but not least: anticipation. An SEO should get ahead of the news, because that way there is less competition. PandaLabs has been warning how, minutes after any catastrophe or event of global significance, a multitude of fraudulent web pages exploiting the event for their own gain appear in the top Google positions.

We'll always have Paris

And what can a user do about this new threat? It is important to keep your browser up to date so that hackers cannot exploit any vulnerability to infect your computer. Google pursues this kind of cybercrime, penalising fraudulent sites and warning its users about potentially dangerous websites. There are also browser plugins such as Web Of Trust that warn us when we land on fraudulent sites.

But once again common sense is our best ally: distrust any website just as you would distrust a stranger in the street; before making a donation, make sure the account number you are sending the funds to really belongs to the organisation; avoid illegal downloads; and scan any file with your antivirus before installing it.

If, as Miguel Delibes said, the Internet is hell, I would add that Google is its gate.

Iñaki Gorostiza works at Panda Security as head of Web Development; since joining in 2002 he has taken part in a good number of the company's projects, almost always in development and online promotion. You can contact him through his blog http://www.hellogoogle.com, where he publishes articles that help companies grow on the Internet, and on Twitter at http://twitter.com/hello_google.


‘Pigeon drop’ scam adapted to technological advances

October 29th, 2009 5 comments

Posted by Nerea Bezares, 29th October, 2009

Computer fraud is an everyday issue. We are becoming accustomed to hearing on the news about criminal groups that clone credit cards, hack email accounts, bank accounts, etc.

Most of these scams are carried out without the user's knowledge; the process is invisible until the scam is complete. In the case of phishing, however, users knowingly send their bank details to an email address (or website), and therefore play an active role in the scam.
 
Despite the best efforts of banks to warn users about these risks, victims still fall into the same traps. Today however, I would like to talk about another scam we have encountered on the Internet. It’s a traditional scam adapted to use a combination of new technologies to defraud users.
 
Ever heard of the pigeon drop scam before? Basically, it involves convincing a victim or ‘pigeon’ to give up a sum of money in order to obtain a larger sum of money. The result however is that the scammers end up with all the money.

There are many variations, but typically, the victim is presented with the chance by one of the scammers -who will often appear to be extremely naïve or stupid- to get a large sum of money (or valuable object) in exchange for a much smaller amount. A stranger (in reality, one of the scammers) will invariably appear, encouraging the victim to seize this ‘opportunity’. The victim hands over his money in exchange for the bag or envelope containing his sudden windfall, which, as the bag has been switched, turns out to be strips of newspaper or other worthless material. By this time the scammers have made off with the victim’s money, and the ‘pigeon’ will rarely report the crime through guilt or shame.
 
As innovation is all the rage among the criminal fraternity, we now have a technological version of this traditional scam. A user receives an email explaining how easy it is to become a hacker and get hold of a list of credit card numbers which can then be used to buy things online, transfer money out of people’s accounts, etc.

To access the list, the user simply has to forward his own credit card details to the sender of the email, who is, needless to say, the real hacker. The hacker can then use the credit card for whatever he wants. The scammed user will not know how to explain it to the authorities: on the one hand, he gave out his details voluntarily, and on the other, he did so in order to steal from other users.
 
What do you think about this scam? Do you think those who attempt to scam others deserve what they get?

We remind you we are in the Tech Support Forum and on http://twitter.com/PandaTechSup

Banking trojans. Do you want to be an innocent victim?

October 21st, 2009 4 comments

Posted by Sean-Paul Correll, October 21, 2009

Banking Trojans are one of the most prevalent malware species in the threat landscape today. Malware authors aim to keep infections live and undetected long enough to get what they are really after: money.

Financial motivation leads malware developers to craft the stealthiest banking Trojans to steal personal and financial data for further exploitation on the black market. Day after day innocent victims are hacked, with the end result an emptied bank account.

This video demonstrates how dangerous and stealthy banking Trojans can be, and why we must continue to raise awareness of the issue.

Make sure your Panda Security antivirus solution is up-to-date; we'll take care of protecting you while you bank online.
As you can see, the criminal mind is quite creative, but you can avoid falling victim by paying attention and implementing the necessary security measures.

Would you like us to mention any other information that can help people avoid these crimes? Why not tell us about it?

If you still have a banking Trojan problem, we remind you we are in the Tech Support Forum and on http://twitter.com/PandaTechSup

e-Knowledge Department

Protect yourself against fraudsters

September 17th, 2009 No comments

Posted by Blanca Carton September 17, 2009

Although the Internet is a great source for job offers and other opportunities, it is also frequently exploited by hackers to defraud users quickly and anonymously.

A typical example of this comes in the form of junk mail, or spam, that will no doubt have reached your mailbox at some time. This junk mail offers many things:

  • Easy money for taking part in a competition by dialing a premium-rate number.
  • Information from your bank, promising a gift or asking for your login details (or credit card number and password).
  • Job offers promising incredible salaries… asking you to dial a number or send your CV together with a certain amount of money (supposedly to cover administrative costs).
  • Tax refunds… claiming they need the user's credit card number and password to complete the transaction.

Remember:

  1. No company or bank would ever request your account number and password by email or phone. This data is confidential.
  2. Follow the safe online purchase and payment procedure we outlined before in Some Safe Online Shopping Tips.
  3. Never be rushed into a decision. If you have any doubts, contact your consumer advice office.
  4. Keep your antivirus (and its anti-spam filter) up-to-date. This will help keep spam out of your inbox.

Tell us about your experience.

Blanca Carton

How safe is your password?

August 19th, 2009 5 comments

Posted by Leyre August 19, 2009

The first thing you must do to protect your computer and data is to create a safe password, especially now that social networks are so prominent. People tend to use easy-to-remember passwords, but this is a risk, because hackers can then easily access your confidential information. It is common sense: would you leave your car door unlocked just because it is easier to open? You wouldn't, right? The same goes for password safety. Here are a few useful tips.

DON'Ts when creating a password

  1. Never use a password that can be found in a dictionary. Such passwords can be cracked by clever, and even not-so-clever, password-cracking programs.
  2. Never use a password shorter than 8 characters. The shorter the password, the easier it is to guess.
  3. Never just tack numbers onto the end of a word that can be found in a dictionary. It is better to insert numbers and special characters inside the word, or to replace some of its letters with special characters, for example Charles becomes Ch@rlE$. This is a little safer (only a little: cracking tools know the common substitutions too).
  4. Your cat's name is not unique. Leave it alone ;-) Ditto your own name, your date of birth and your mum's maiden name.

DOs when creating a strong password

  1. If you want a password that is easy to remember but hard to guess, memorise a sentence and use the initial letter of each word as the password. Then append a special character (!, @, #, $, %, ^, &, *) and a couple of digits, keeping at least one capital letter. For example: "April is the month of rain" gives Aitmor@05.
  2. Always use a password of at least 8 characters (8 to 14 is typical); longer is stronger.
  3. Combine capital and lower-case letters in your password.
  4. If you do need to write it down, try not to do it on a piece of paper entitled "Internet Banking Passwords" :-)
  5. Change your password every 30 days.
  6. Make sure the user name and password are different.
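The DON'Ts and DOs above can be turned into a mechanical check. The Python below is an added example, not code from the original post: it flags a candidate password against the rules listed, builds a password from a memorable sentence the way DO number 1 describes, and shows why the substitution trick (Charles to Ch@rlE$) buys only a little: reversing the handful of common letter-for-symbol swaps recovers the dictionary word, which is exactly what real cracking tools do. The word list is a constructed stand-in for a real dictionary.

```python
"""Check a candidate password against the DON'Ts and DOs above, and build a
passphrase-initials password the way the post describes.

Added example; not code from the original post.  WORDLIST is a constructed
stand-in for a real dictionary (a cracker would use millions of entries
plus substitution rules).
"""
import re
import string

# Constructed stand-in for a dictionary / common-password list.
WORDLIST = {"charles", "password", "april", "rain", "letmein", "qwerty", "welcome"}

# Reverse the common letter-for-symbol swaps so "Ch@rlE$" maps back to "charles".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "5": "s"})


def dictionary_root(password):
    """Return the dictionary word the password is built from, or None.

    Catches the bare word, the word with digits/symbols appended, and the
    word with common character substitutions applied.
    """
    lower = password.lower()
    candidates = []
    for base in (lower, lower.translate(LEET)):
        candidates.append(base)
        candidates.append(re.sub(r"[^a-z]+$", "", base))  # drop trailing digits/symbols
    candidates.append(re.sub(r"[^a-z]+$", "", lower).translate(LEET))
    for candidate in candidates:
        if candidate in WORDLIST:
            return candidate
    return None


def password_problems(password, username=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    root = dictionary_root(password)
    if root:
        problems.append(f"based on the dictionary word '{root}'")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no special character")
    if username and password.lower() == username.lower():
        problems.append("identical to the user name")
    return problems


def from_sentence(sentence, symbol="@", digits="05"):
    """Build a password from the initials of a memorable sentence.

    Follows the post's recipe: first letter of each word, then a special
    character and two digits.  The sentence's capitalisation is kept, so
    'April is the month of rain' -> 'Aitmor@05'.
    """
    initials = "".join(word[0] for word in sentence.split())
    return f"{initials}{symbol}{digits}"


if __name__ == "__main__":
    for pw in ("charles", "Charles99", "Ch@rlE$", from_sentence("April is the month of rain")):
        print(f"{pw!r:14} -> {password_problems(pw) or 'OK'}")
```

Note that a check like this enforces the post's rules; it does not measure real strength. A long random passphrase with no symbol at all would fail rule 5 here and still be far harder to crack than Ch@rlE$.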

For more information, check out the PandaLabs blog post on social networking, passwords and privacy, and watch the following video to quickly review the most important tips!

What do you think about this article? Do you want to share your experiences with us? We would love to hear from you!!

Protect yourself against Phishing

August 7th, 2009 2 comments

Posted by Blanca, 07 August, 2009

The Internet is an exceptional tool that makes many tasks easier. However, its use for business and communication also increases the opportunities for fraud.

Online fraud is reported regularly. To carry it out, hackers send an email passing themselves off as a bank. The email is the bait: readers are told their account must be checked, their information updated, or their password or PIN reset. Following the link in the message takes them to a fake website, and the details they enter there are sent to the hackers, who from then on have access to the accounts.

This type of crime is called phishing. If hackers obtain the victim's password they have access to the victim's account and can empty it. Worse still, they can steal the victim's identity.

These emails appear to come from a legitimate company, usually a financial institution or credit card issuer (though many like to use eBay and PayPal), urging you to take immediate action so your account is not deactivated.

To increase the chance of tricking you, they will even use the company's logo, colours and standard disclosure text. The email will usually contain a link that takes you to a fake site made to look like the company's legitimate website.

Obvious clues that an email is a phishing scam include:

  • Misspellings and poor grammar.
  • The website does not have "https://" in the address bar. Legitimate companies use Secure Sockets Layer (SSL) technology to encrypt your personal data. (The reverse does not hold: a padlock only proves the connection is encrypted, not that the site belongs to who it claims.)
  • An urgent tone or call to action. Phishing emails allude to dire consequences such as "your account will be deactivated if you do not respond within 24 hours…".
  • Requests for personal information such as social security number, account numbers or credit card details.

Email phishing is the most common form nowadays, but hackers also carry out phone phishing by calling people at home or at work. Be very careful when answering questions, especially from people who claim to work at the bank where you keep your savings.

Remember that no responsible bank or financial institution requests personal and/or sensitive customer data via email or phone.

How to prevent becoming a victim of Phishing.

  1. Be wary of unsolicited phone calls, visits or emails requesting personal or confidential information.
  2. Do not send personal or financial information over the Internet unless you know the recipient.
  3. Download applications and updates directly from the provider's website.
  4. Pay attention to the website's address. Some malicious websites are identical to the legitimate one but use a different address (e.g. www.paypal.Inc.com, a host that actually belongs to the domain Inc.com, when the original address is www.paypal.com).
  5. Install your Panda Security antivirus, firewall, browser and email filters and keep them up-to-date to reduce phishing traffic and spam.
  6. Check your accounts frequently to make sure there are no unexplained transactions.
  7. If you think an account or credit card has been compromised, contact your bank immediately and close the corresponding account.
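The address clue in point 4 can be checked mechanically. The Python below is an added example, not code from the original post: it pulls every link out of a message, works out which domain each host really belongs to, and flags the indicators listed above (no https, a brand name in a host that belongs to some other domain, a raw IP address, user-info before an @ that hides the real host). The brand allow-list and the sample email are constructed; a real deployment would use the Public Suffix List and the organisation's own list of legitimate domains.

```python
"""Heuristic checks for the links in a suspected phishing e-mail.

Added example; not code from the original post.  LEGIT_DOMAINS and
SAMPLE_EMAIL are constructed; in practice use your own allow-list and the
Public Suffix List for the registrable-domain computation.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> the registrable domain it really uses.
LEGIT_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the host name.

    Assumption: no Public Suffix List is consulted, so a host under a
    two-level suffix such as .co.uk would be misreported.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url):
    """Return a list of phishing indicators for one URL (empty = nothing obvious)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a host name")
    if "@" in parsed.netloc:
        findings.append("user-info before @ hides the real host")
    domain = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host and domain != legit:
            findings.append(f"mentions '{brand}' but is really {domain}, not {legit}")
    return findings


def suspicious_links(email_body):
    """Map every flagged URL in the message to its list of indicators."""
    result = {}
    for url in URL_RE.findall(email_body):
        findings = check_url(url)
        if findings:
            result[url] = findings
    return result


# Constructed sample message of the kind described in the post.
SAMPLE_EMAIL = """Dear customer, your account will be deactivated within 24 hours.
Verify now: http://www.paypal.Inc.com/verify
Alternatively: https://www.paypal.com/signin
Or: http://paypal.com@198.51.100.7/login
"""

if __name__ == "__main__":
    for url, why in suspicious_links(SAMPLE_EMAIL).items():
        print(url, "->", "; ".join(why))
```

The https test only works one way: its absence is a warning sign, but its presence proves nothing, since anyone can obtain a certificate for a domain they control. Look-alike hosts built from internationalised domain names or homoglyphs are also outside what this check catches.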


Remember that one way of fighting fraud is simply not to become a victim: if, as an Internet user, you learn to avoid falling prey to hackers, they will have to look for their profits elsewhere.

How about you? Do you know anybody who has experienced a phishing attack? Any other useful tips to prevent it? We are all ears!