Black hat search-engine operation hits hotel listings on Google

Pierluigi Paganini January 17, 2014

A large-scale black hat search-engine operation has made possible the hijacking of thousands of hotel listings on Google Maps

A large-scale black hat search-engine operation has made possible the hijacking of thousands of hotel listings on Google Maps and Google+; users visiting the victim accommodations’ listings were redirected to other booking sites. Hijacking a Google+ listing had a ripple effect on Google searches, and in this way cyber criminals are able to poison searches for the targeted websites.

The alert was issued in a report by Search Engine Land: instead of leading to the official hotel websites, the search results point to a third-party booking service (e.g. Roomstobook.info or Roomstobook.net), which redirects visitors to the booking service Hotelswhiz.com.

“Thousands of hotels listed within Google+ Local appear to have had links leading to their official sites “hijacked” and replaced with ones leading to third-party booking services.”

More than 4,000 hotels in various countries, including the US and UK, were victims of the black hat search-engine operation; the accommodations that suffered the attack include major hotels and bed and breakfasts. The image shows how the URL for the accommodation’s official website leads to “courtyardmarriott.roomstobook.info” rather than the legitimate hotel’s actual page.

 

[Image: Black hat search-engine operation]

A Google search for Google+ Local listings using the domains adopted in the black hat search-engine operation, Roomstobook.info or Roomstobook.net, shows that thousands of hotels appear to have been targeted by the cybercriminals.

[Images: Black hat search-engine operation results 1 and 2]
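The pattern described above, a hotel's brand name reused as a subdomain of a third-party domain, is something a hotel operator or agency can check for mechanically across its own listings. The following is an added example, not part of the original article: the listing records are constructed sample data (assumed to be exported by hand from the listings being monitored), and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample records:
# (listing name, official domain on file, website URL currently shown on the listing)
LISTINGS = [
    ("Courtyard Marriott (sample)", "marriott.com",
     "http://courtyardmarriott.roomstobook.info/"),
    ("Example B&B (sample)", "example-bnb.co.uk",
     "https://www.example-bnb.co.uk/rooms"),
    ("Example Inn (sample)", "exampleinn.com", "exampleinn.roomstobook.net"),
]

# Domains named in the Search Engine Land report as quoted in this article.
REPORTED_DOMAINS = {"roomstobook.info", "roomstobook.net", "hotelswhiz.com"}


def host_of(url):
    """Return the lowercase hostname, tolerating URLs listed without a scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_same_or_subdomain(host, domain):
    """True only for the domain itself or a real subdomain of it.

    The leading dot stops 'notmarriott.com' from matching 'marriott.com'.
    """
    return host == domain or host.endswith("." + domain)


def audit(listings):
    """Return one finding per listing whose website is off the official domain."""
    findings = []
    for name, official, listed_url in listings:
        official = official.lower()
        host = host_of(listed_url)
        if is_same_or_subdomain(host, official):
            continue  # listing still points at the hotel's own site
        reported = next((d for d in sorted(REPORTED_DOMAINS)
                         if is_same_or_subdomain(host, d)), None)
        findings.append({
            "listing": name,
            "host": host,
            "reported_domain": reported,  # None if not one of the named domains
            # Brand label reused inside a foreign hostname, as in the article.
            "brand_in_host": official.split(".")[0] in host,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(LISTINGS):
        print(finding)
```
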

“Whether any of these companies are ultimately responsible for the hijacking is uncertain. All we know so far is that these listings have been hijacked, but exactly how or why isn’t clear,” commented Danny Sullivan of Search Engine Land in his post.

Google immediately started cleaning up and declined to comment on the circumstances; the above search results still show a huge quantity of listings redirecting users to the wrong sites. Black hat search-engine operations are a very effective technique for hijacking victims, for example to redirect them to compromised websites used to serve malicious exploits.

“Our analysis of some of the webpages that initiate downloads of Win32/Nymaim reveals that Black hat search-engine Operation is used to make them appear as high as possible in the search results when people search for popular keywords,” said ESET researcher Jean-Ian Boutin.

This specific case is very anomalous: it is still unclear why the attacker poisoned the search results for the victim hotels.

The director of HotelsWhiz.com, Karim Mawani, told the Guardian that they had not been involved in the redirection of traffic to their site.

“We were not involved in the hijackings and we are dealing with the fallout. We reported the redirect issue to Google when we spotted it on 8 January. Because of the backlinks  we have been penalised by Google and our site has been paralyzed, so we are victims here,” he said.

The Guardian published an interesting post on the hack speculating about an alleged inside job. It confirmed that anyone with a Google+ account can submit a change to any detail of a Google+ Local page, even an unverified one, including the listed website address, phone number, physical address or name of the place. Users can also mark the place as closed or as a duplicate, or flag inappropriate reviews or photos, but once submitted, the change must be reviewed by the company.


“Allowing anyone, rather than the verified owner of the business or place in the listing, to submit modifications opens up Google’s system for abuse. An automated correction submission programme could be used to overwhelm the system of check required before a change is verified.” reported the Guardian.

“My prediction is, this was an inside job with someone at Google. Not to be a conspiracy theorist, but any and all modified URLs have to be okay’ed by a Maps moderator. No one is dumb enough to believe the official URL of a hotel lives on roomstobook.info… come on!” said Matthew Hoff of public relations company Merkle, who also discovered modifications made to listings of hotels Merkle represents, in a comment on Sullivan’s story.

The official Google+ documentation states that Local page edits made by business owners and other users will be reviewed prior to publishing for “quality”. Google also states that:

“Our systems may also update your business information based on other data sources or reports from our users, if that information appears to be more up-to-date and accurate for your business.”

The Guardian asked Google whether the review of edits is an automated process, but the company did not respond to requests.

“A failure on this scale could indicate that an automated system had been gamed into allowing the hijacks, or that a human had either accidentally or deliberately approved the URL changes.” added the Guardian.

Pierluigi Paganini

(Security Affairs –  Black hat search-engine Operation, cybercrime)


