Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

9/22/2020
02:00 PM
David Balaban
Commentary

New Google Search Hacks Push Viruses & Porn

Three incidents demonstrate how cybercriminals leverage the scourge of black-hat search engine optimization to manipulate search results.

Computers can be hacked, smartphones can be jailbroken, and Internet of Things devices in a smart home are low-hanging fruit for remote attackers.

And it turns out that search engines are vulnerable as well, whether through imperfections in their ranking algorithms or through zero-day weaknesses the providers are not yet aware of. Well-motivated, technically adept cybercriminals with plenty of time and the right tools can cheat these systems at will, and in practice this happens constantly.

Google, the world's search heavyweight with cutting-edge technologies at its core, is in the same boat. The scourge of black-hat search engine optimization (SEO) dominates the ecosystem of methods used to manipulate the tech giant's search logic and pollute its results with dubious content.

These three incidents demonstrate how cybercriminals can get mileage out of the slightest opportunity to circumvent Google's countermeasures for foul play. 

Harmful Apps Spreading Via Compromised Sites
A classic technique to boost the search rankings of a malware-laden website is to fuel its online authority with strong backlinks obtained in an unethical way. As Google algorithms are becoming more sophisticated over time, it is getting harder for scammers to pull off this old-school trick. Instead of taking this route, some crooks abuse trusted websites that already rank high in search results.

A hoax of that kind was spotted in August. To set it in motion, fraudsters compromised a series of websites used by the US federal government, popular colleges, and international organizations.

The government-related resources hit by the threat actors included sites for Colorado, Minnesota, San Diego, and the National Cancer Institute. The attackers also took over the official sites for UNESCO, the University of Washington, the University of Iowa, the University of Michigan, and others.

These raids were just a means to an end, though. The felons abused their foothold in those sites to publish articles about hacking different social network accounts. The UNESCO site, for example, contained a post about breaching any user's Instagram account in two minutes.

Since the compromised resources boast high domain authority, the sketchy content published on them ended up on the first page of Google. When visited, these articles would bait users with links supposedly leading to the sought-after hacking software, but with a caveat. To unlock the password brute-forcing functionality, people were told to click an extra link and download the coveted component.

Predictably enough, the link would forward the wannabe hackers to online frauds aimed at wheedling out their credit card details and other sensitive data. More unnervingly, stealthy scripts on some of the resulting pages would deposit malware on visitors' computers. 

The entry point for the attacks mainly boiled down to known vulnerabilities in major content management systems. For instance, the Webform module, a hugely popular form builder and submission manager for Drupal, was exploited in some of these incidents.

With that said, it is quite unnerving that websites used by high-profile government and educational organizations have gaping holes that make them low-hanging fruit. 

Federal Government Sites Rerouting to Adult Pages
In July, security analysts unearthed a black-hat SEO campaign hinging on a clever trick to poison Google search results with links to porn sites. This exploitation piggybacks on the Open Redirect bug, also known as Unvalidated Redirects and Forwards, a notorious loophole used to orchestrate online scams and phishing attacks for years. It allows a bad actor to craft a URL on a trusted domain that Google displays under that trusted domain name, giving users a false sense of security.

However, when a user unwittingly clicks that link, it triggers a redirect to a rogue site instead of the legitimate one. Here is an illustration of what such a link may look like: hxxps://www.benign-page.gov/login.html?RelayState=hxxp://hacker-page.com. Only the .gov portion is shown in search results, so, unsurprisingly, the link does not set off alarm bells.

In this particular hoax, malefactors camouflaged their links as URLs used by several dozen federal and local government sites. This way, unsuspecting users ended up on adult web pages, and the ne'er-do-wells probably got an affiliate reward for each redirect. 

Some of the high-profile resources mimicked in this particular campaign include sites for the Kentucky Board of Home Inspectors, the Louisiana State Senate, and the National Weather Service, to name a few.
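On the defending side, the redirect abuse described above is stopped by refusing any redirect parameter whose destination leaves the site's own host, and the same check can be run over request logs or search-listing URLs to spot poisoned links. The following Python is an added example, not code from the article or from any of the sites it mentions; the parameter names other than RelayState, the host www.benign-page.gov and the sample requests are assumed or constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Query-parameter names that typically carry a post-login destination.
# RelayState comes from the article's illustrative link; the others are
# assumed common names, not taken from the page.
REDIRECT_PARAMS = {"relaystate", "redirect", "url", "next", "return"}

def is_safe_redirect(target: str, site_host: str) -> bool:
    """Allow only a same-site destination: a root-relative path or an
    http(s) URL whose host is exactly site_host. Rejects scheme-relative
    (//evil), backslash variants browsers read as slashes, userinfo
    tricks (https://site@evil), look-alike hosts (site.evil) and
    non-http schemes such as javascript:."""
    target = unquote(target).strip()
    if target.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")  # plain relative path
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname == site_host and parts.username is None

def offsite_redirect_targets(url: str, site_host: str) -> list:
    """Return values of redirect-style parameters in `url` that would
    send the visitor off site_host (empty list if none)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    offsite = []
    for name, values in query.items():
        if name.lower() in REDIRECT_PARAMS:
            offsite.extend(v for v in values if not is_safe_redirect(v, site_host))
    return offsite

def audit(requests, site_host: str) -> dict:
    """Map each request carrying an off-site redirect to its targets,
    e.g. when run over a site's own URLs as they appear in search listings."""
    return {u: t for u in requests if (t := offsite_redirect_targets(u, site_host))}

# Constructed sample requests; the first mirrors the article's example
# link with the defanged scheme restored.
SAMPLE_REQUESTS = [
    "https://www.benign-page.gov/login.html?RelayState=http://hacker-page.com",
    "https://www.benign-page.gov/login.html?RelayState=/account",
    "https://www.benign-page.gov/login.html?RelayState=%2F%2Fhacker-page.com",
    "https://www.benign-page.gov/login.html?RelayState=https://www.benign-page.gov/home",
]

if __name__ == "__main__":
    print(audit(SAMPLE_REQUESTS, "www.benign-page.gov"))
```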

Coronavirus Theme Used as a Decoy
In February, researchers at Imperva discovered a shady campaign that cashes in on the COVID-19 scare to take its operators' black-hat SEO to the next level during the pandemic. The crooks have been generating massive amounts of comment spam to promote fake online pharmacies.

To improve Google rankings of these rogue Internet drugstores, their proprietors leverage bots that flood numerous sites with comments riddled with links to those marketplaces. Healthcare-related forums are being targeted the most.

There are several ways the spammers take advantage of these numerous comments. The obvious one is that many people may click the links out of curiosity, only to end up on a site that advertises worthless replicas of popular prescription drugs. Another benefit is more intricate. Websites abused by the spammers accumulate numerous occurrences of coronavirus-related keywords that are trending these days, so the search engine is likely to rank them high. The linked-to sites earn extra authority scores as well.

The Cat-and-Mouse Game
No other search engine can measure up to Google in terms of user audiences. The reason is clear: It returns relevant results no matter what you ask it. There is no denying that its algorithms are unrivaled, but even so, it cannot pull the plug on black-hat SEO schemes.

The campaigns above show that threat actors can outsmart a system no matter how sophisticated it is. It comes as no surprise that the search giant is continuously stepping up efforts to flush out these frauds. Hopefully, scammers will start lagging rather than be one step ahead of these initiatives sometime soon.

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including ...