Websense Security Labs ThreatSeeker Network has detected a Black Hat SEO attack on a domain that belongs to the United Nations Environment Programme (UNEP). The domain appears to have been compromised and injected with a number of medical spam-related URLs, most of which point to sites that are themselves compromised. As you can see from the screenshots below, unless you view the source code of the Web page, it is almost impossible to know that the page has been modified.
The sub-domain in question is the Sustainable Energy Finance Initiative (SEFI) site - sefi.unep.org. SEFI is a division of UNEP that provides support and tools to financiers regarding the use of clean energy technologies.
Like most Black Hat SEO attacks on compromised sites, the site tends to look perfectly fine, and there is no indication that the site has been compromised.
However, further analysis of the source code reveals that the entire Black Hat SEO block is appended to the end of the HTML code. Also notice that the block is marked as hidden, and the height and width that control the size of the displayed content are set to zero.
Looking through a chunk of the appended code, you can see the use of drug names such as 'viagra' and 'levitra'. These keywords help achieve a better search engine ranking.
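A defender-side check for the pattern described above, as an added example that is not Websense's detection logic or code from the original post: it parses a page and reports elements hidden by inline CSS whose text or links contain the drug keywords. The inline-style patterns, the names `HiddenBlockCollector` and `find_hidden_spam`, and the sample page are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

SPAM_KEYWORDS = ("viagra", "levitra")  # the two drug names quoted in the post
# Assumption: the block is hidden with inline CSS declarations like these.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"(?:^|;)\s*(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)
VOID = set("area base br col embed hr img input link meta source track wbr".split())
SAMPLE = ('<html><body><p>Clean energy finance</p>\n'  # constructed page, not the real markup
          '<div style="visibility:hidden;height:0;width:0">'
          '<a href="http://spam.example/x">cheap viagra</a> levitra</div></body></html>')

class HiddenBlockCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.blocks, self.open, self.depth = [], None, 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:  # void elements have no end tag, so they never nest
            return
        attrs = dict(attrs)
        if self.open is None and HIDING.search(attrs.get("style") or ""):
            self.open = {"tag": tag, "line": self.getpos()[0], "links": [], "text": ""}
            self.blocks.append(self.open)
        if self.open is not None:
            self.depth += 1
            if tag == "a" and attrs.get("href"):
                self.open["links"].append(attrs["href"])

    def handle_data(self, data):
        if self.open is not None:
            self.open["text"] += data

    def handle_endtag(self, tag):
        if self.open is not None and tag not in VOID:
            self.depth -= 1
            if self.depth == 0:
                self.open = None  # the hidden element has been closed

def find_hidden_spam(html):
    """Return hidden blocks whose text or link targets contain a spam keyword."""
    parser = HiddenBlockCollector()
    parser.feed(html)
    parser.close()
    for block in parser.blocks:  # an unclosed block simply runs to the end of the page
        haystack = (block["text"] + " ".join(block["links"])).lower()
        block["keywords"] = [k for k in SPAM_KEYWORDS if k in haystack]
    return [b for b in parser.blocks if b["keywords"]]
```

Run against a known-good copy of a page as well as the live one: a hidden block that only appears in the live response is the signal worth investigating.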
Most of the mainstream search engines, such as Google, know of these tricks and do their best to prevent these attacks, but this does not always work. However, the prevention success rate is higher for well-known search engines than for the less mainstream ones.
At the time of posting this blog, the Black Hat SEO threat has been removed and the sefi.unep.org Web site is safe for browsing.