Pierluigi Paganini July 08, 2015

Researchers from Sophos discovered the new search poisoning method used to circumvent cloaking-detection mechanisms implemented by Google. The experts found hundreds of thousands of unique PDF documents per day implementing the poisoning technique.

The term cloaking indicates the practice to deceive Google’s page indexer, basically the various methods are designed to serve the web crawler (Googlebot) with content that is crafted to mislead Google into considering a site relevant for the researchers on specific terms.

Despite Google continually refine its search algorithms, experts try to optimize their websites to obtain high rankings. Black Hat Search Engine Optimization (SEO) is the techniques the criminals and hackers use to rapidly increase the ranking of their domain before the search engine will ban them. Black Hat SEO motivations are always financial, hackers operate to earn from the traffic they redirect to a specific domain that could be used for several illegal activities, including the spreading of malware.

Google implements numerous countermeasures against this practice to make it harder to cloak sites, but bad actors in the wild have started to use phony PDFs.

Basically, Google seems to trust more PDF that common HTML page, trusting the links the PDF files contain and the keywords used in their composition.

“As far as we can tell, Google’s cloaking-detection algorithms, which aim to spot web pages that have been artificially (and unrealistically) loaded with keywords, aren’t quite so strict when the bogus content is supplied in a document. It seems that Google implicitly trusts PDFs more than HTML, in the same way that it trusts links on .edu and .gov sites more than those on commercial web pages,” wrote Dmitry Samosseiko, director of global threat research for Sophos.

Attackers are using this method to manipulate Google page ranking, the PDF documents in this way receive a high search ranking and are used to redirect users clicking into the PDF to a different site used for several malicious purposes (i.e. to serve a malware, for phishing campaigns, etc.).

“A document that looks legitimate at first glance turns into complete nonsense when you start reading it. Also, you can clearly see the hyperlinks placed throughout the document. Those are the links that, when followed, expose the whole link farm to the Googlebot.”

“We suspect that this technique could be used for a variety of purposes, including the distribution of malware,” Samosseiko says. “So far, however, we have only seen it in a marketing campaign to promote so-called ‘binary trading’ broker services.”

Sophos reported the illegal practice to Google and they expect a prompt action of the company to prevent further abuses.

“We trust that the necessary measures are being taken to counter these search result poisoning attempts,” Samosseiko added.

Pierluigi Paganini

(Security Affairs – Google, search engine)

[adrotate banner=”5″]

[adrotate banner=”13″]