Using PDF documents to keyword stuff is growing in popularity as it circumvents anti-cloaking mechanisms in Google's algorithms.

Attackers are gaming Google's page ranking-algorithms en masse using a new search poisoning method that circumvents cloaking-detection mechanisms using PDF files. Discovered by researchers from Sophos, the technique is now being found in use within hundreds of thousands of unique PDF documents per day detected by the firm.

Always refining its search algorithms, Google is constantly on the lookout for new methods that attackers and unscrupulous search engine optimization (SEO) practitioners use to manipulate its system to gain higher search rankings. The practice of "cloaking" to fool Google's page indexer has been known for a while. It's a method of serving the Googlebot with content stuffed with keywords to mislead it into thinking a site is relevant to trending search terms.

In the past, this technique was heavily used in malware attacks, so that searching for “Justin Bieber” and then following a link found in search results could actually take you to an exploit-ridden malicious website instead," explains Dmitry Samosseiko, director of global threat research for Sophos, in a blog post about the discovery.

Google has built in protections within its algorithm to make it harder to cloak sites via fake HTML pages, but now attackers have pivoted by using phony PDFs instead.

"As far as we can tell, Google’s cloaking-detection algorithms, which aim to spot web pages that have been artificially (and unrealistically) loaded with keywords, aren’t quite so strict when the bogus content is supplied in a document. It seems that Google implicitly trusts PDFs more than HTML, in the same way that it trusts links on .edu and .gov sites more than those on commercial web pages," wrote Samosseiko.

Attackers are using this weakness to manipulate Google page rankings and give these documents high search rankings. Once that's accomplished, attackers are able to redirect users clicking into the PDF to a different site.

"We suspect that this technique could be used for a variety of purposes, including the distribution of malware," Samosseiko says. "So far, however, we have only seen it in a marketing campaign to promote so-called 'binary trading' broker services."

Sophos researchers said that they did provide detailed information about their findings, but that the Internet giant did not comment further on the discovery.

"We trust that the necessary measures are being taken to counter these search result poisoning attempts," Samosseiko says.

About the Author(s)

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights