Thursday, Jul 24, 2008
Cloaking in Web Attacks
Web attackers have mastered Search Engine Optimization (SEO) techniques and use them in interesting ways. One technique, for example, is known as cloaking. In webmaster circles, cloaking can be used to serve one set of content to a search engine spider while serving a slightly or completely different set of content to a human visitor. Cloaking can be performed based on various criteria, including User-Agent, language, charset, IP address, or the referrer. While in some cases cloaking can be used to artificially inflate the pertinence of a particular page to a specific search query, there can be perfectly legitimate (and desirable) uses of cloaking.
As an example, a site might deliver a search spider a copy of the page in English, but then deliver a localized version of the same content to a visitor determined to be from Germany. Or a site that requires registration to see certain content may deliver the content in unrestricted form to search engine spiders so that it can be properly indexed.
Today, attackers increasingly use cloaking not to trick search engines, but rather to deliver custom exploits, or target specific locales (known as geotargeting), or to prevent repeated access from the same IP address.
In the ongoing SQL injection attacks, an offshoot of cloaking can be seen in the following excerpt from ngg.js, one of the malicious JavaScript references delivered by some of the compromised sites:
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI"))
In other words, the mal-script deliberately bypasses users whose language setting (as reported by navigator.userLanguage) matches one of the following:
ZH-CN = Chinese Simplified
ZH-TW = Chinese Traditional
KO = Korean
RU = Russian
HI = Hindi
VI = Vietnamese
UR = Urdu (Pakistan/India)
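For analysts triaging injected scripts, the following added example (not part of the original post and not code from ngg.js) statically extracts the locale codes a script compares against the visitor's language and flags exclusion lists like the one above. The function names and the three-locale threshold are assumptions of this example, and the script under inspection is handled as text only and never evaluated.

```javascript
// Added example (not from ngg.js): static triage for language-based cloaking.
const NAV = 'navigator\\.(?:userLanguage|browserLanguage|systemLanguage|language)\\b';

// Variables assigned from a navigator language property,
// e.g. n=navigator.userLanguage.toUpperCase();
function languageAliases(src) {
  const re = new RegExp('([A-Za-z_$][\\w$]*)\\s*=\\s*' + NAV, 'g');
  return [...new Set([...src.matchAll(re)].map(m => m[1]))];
}

// Locale literals compared with the visitor's language, split by operator:
// != / !== go to "excluded", == / === go to "included".
function languageChecks(src) {
  const subjects = languageAliases(src)
    .map(a => '(?<![\\w$.])' + a.replace(/\$/g, '\\$&') + '(?![\\w$])')
    .concat(NAV + '(?:\\.to(?:Upper|Lower)Case\\(\\))?');
  const re = new RegExp('(?:' + subjects.join('|') + ')\\s*([!=]==?)\\s*' +
    '["\']([A-Za-z]{2,3}(?:-[A-Za-z]{2,4})?)["\']', 'g');
  const excluded = new Set(), included = new Set();
  for (const m of src.matchAll(re)) {
    (m[1].startsWith('!') ? excluded : included).add(m[2].toUpperCase());
  }
  return { excluded: [...excluded].sort(), included: [...included].sort() };
}

// Heuristic threshold (an assumption of this example): three or more excluded
// locales is treated as an exclusion list that deserves an analyst's review.
function looksLikeLocaleCloaking(src, minExcluded = 3) {
  return languageChecks(src).excluded.length >= minExcluded;
}

// The excerpt quoted above, held as inert text and never evaluated.
const NGG_EXCERPT = 'window.status="";\n' +
  'n=navigator.userLanguage.toUpperCase();\n' +
  'if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")' +
  '&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI"))';
// Constructed benign sample: ordinary localization for one language.
const BENIGN = 'var lang = navigator.language; if (lang == "de") { showGerman(); }';

for (const [name, src] of [['ngg.js excerpt', NGG_EXCERPT], ['benign', BENIGN]]) {
  console.log(name, languageChecks(src), 'flag:', looksLikeLocaleCloaking(src));
}
```

Run against the excerpt, it reports nine distinct codes, including ZH and TH, which the condition tests but the list above does not name.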

Mary Landesman