Researchers from Sophos discovered the new search poisoning method used to circumvent cloaking-detection mechanisms implemented by Google. The experts found hundreds of thousands of unique PDF documents per day implementing the poisoning technique.
The term cloaking indicates the practice to deceive Google’s page indexer, basically the various methods are designed to serve the web crawler (Googlebot) with content that is crafted to mislead Google into considering a site relevant for the researchers on specific terms.
Despite Google continually refine its search algorithms, experts try to optimize their websites to obtain high rankings. Black Hat Search Engine Optimization (SEO) is the techniques the criminals and hackers use to rapidly increase the ranking of their domain before the search engine will ban them. Black Hat SEO motivations are always financial, hackers operate to earn from the traffic they redirect to a specific domain that could be used for several illegal activities, including the spreading of malware.
Google implements numerous countermeasures against this practice to make it harder to cloak sites, but bad actors in the wild have started to use phony PDFs.
Basically, Google seems to trust more PDF that common HTML page, trusting the links the PDF files contain and the keywords used in their composition.
“As far as we can tell, Google’s cloaking-detection algorithms, which aim to spot web pages that have been artificially (and unrealistically) loaded with keywords, aren’t quite so strict when the bogus content is supplied in a document. It seems that Google implicitly trusts PDFs more than HTML, in the same way that it trusts links on .edu and .gov sites more than those on commercial web pages,” wrote Dmitry Samosseiko, director of global threat research for Sophos.
Attackers are using this method to manipulate Google page ranking, the PDF documents in this way receive a high search ranking and are used to redirect users clicking into the PDF to a different site used for several malicious purposes (i.e. to serve a malware, for phishing campaigns, etc.).
“A document that looks legitimate at first glance turns into complete nonsense when you start reading it. Also, you can clearly see the hyperlinks placed throughout the document. Those are the links that, when followed, expose the whole link farm to the Googlebot.”
“We suspect that this technique could be used for a variety of purposes, including the distribution of malware,” Samosseiko says. “So far, however, we have only seen it in a marketing campaign to promote so-called ‘binary trading’ broker services.”
Sophos reported the illegal practice to Google and they expect a prompt action of the company to prevent further abuses.
“We trust that the necessary measures are being taken to counter these search result poisoning attempts,” Samosseiko added.
(Security Affairs – Google, search engine)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.