informa
/
Cloud
Commentary

New Google Search Hacks Push Viruses & Porn

Three incidents demonstrate how cybercriminals leverage the scourge of black-hat search engine optimization to manipulate search results.

Computers can be hacked, smartphones can be jailbroken, and Internet of Things devices in a smart home are low-hanging fruit for remote attackers.

And it turns out that search engines are vulnerable as well due to algorithmic imperfections or zero-day exploits the providers are unaware of. Well-motivated, technically adept cybercriminals with plenty of time and the right tools on their hands can cheat these systems at will. In fact, this is what is happening incessantly in this area.

Google, the world's search heavyweight with cutting-edge technologies at its core, is in the same boat. The scourge of black-hat search engine optimization (SEO) dominates the ecosystem of methods used to manipulate the tech giant's search logic and pollute its results with dubious content.

These three incidents demonstrate how cybercriminals can get mileage out of the slightest opportunity to circumvent Google's countermeasures for foul play. 

Harmful Apps Spreading Via Compromised Sites
A classic technique to boost the search rankings of a malware-laden website is to fuel its online authority with strong backlinks obtained in an unethical way. As Google algorithms are becoming more sophisticated over time, it is getting harder for scammers to pull off this old-school trick. Instead of taking this route, some crooks abuse trusted websites that already rank high in search results.

A hoax of that kind was spotted in August. To set it in motion, fraudsters compromised a series of websites used by the US federal government, popular colleges, and international organizations.

The government-related resources hit by the threat actors included sites for Colorado, Minnesota, San Diego, and the National Cancer Institute. The attackers also took over the official sites for UNESCO, the University of Washington, the University of Iowa, the University of Michigan, and others.

These raids were just a means to an end, though. The felons mishandled their foothold in those sites to publish articles about hacking different social network accounts. The UNESCO site, for example, contained a post about breaching any user's Instagram account in two minutes.

Since the compromised resources boast high domain authority, the sketchy content published on them ended up on the first page of Google. When visited, these articles would bait users with links supposedly leading to the sought-after hacking software, but with a caveat. To unlock the password brute-forcing functionality, people were told to click an extra link and download the coveted component.

Predictably enough, the link would forward the wannabe hackers to online frauds aimed at wheedling out their credit card details and other sensitive data. More unnervingly, stealthy scripts on some of the resulting pages would deposit malware on visitors' computers. 

The entry point for the attacks mainly boiled down to known loopholes in major content management systems. For instance, the Webform module, a hugely popular form builder and submission manager for Drupal, was exploited in some of these incidents. 

With that said, it is quite unnerving that websites used by high-profile government and educational organizations have gaping holes that make them low-hanging fruit. 

Federal Government Sites Rerouting to Adult Pages
In July, security analysts unearthed a black-hat SEO campaign hinging on a clever trick to poison Google search results with links to porn sites. This exploitation piggybacks on the Open Redirect bug, also known as Unvalidated Redirects and Forwards, a notorious loophole used to orchestrate online scams and phishing attacks for years. It allows a bad actor to create a knockoff URL that looks like a trusted domain name displayed on Google and thus gives users a false sense of security.

However, when a user unwittingly clicks that link, it triggers a redirect to a rogue site instead of the legitimate one. Here is an illustration of what such a link may look like: hxxps://www.benign-page.gov/login.html?RelayState=hxxp://hacker-page.com. The .gov string is the only one reflected in search results. Unsurprisingly, it does not set off alarm bells.

In this particular hoax, malefactors camouflaged their links as URLs used by several dozen federal and local government sites. This way, unsuspecting users ended up on adult web pages, and the ne'er-do-wells probably got an affiliate reward for each redirect. 

Some of the high-profile resources mimicked in this particular campaign include sites for the Kentucky Board of Home Inspectors, the Louisiana State Senate, and the National Weather Service, to name a few.

Coronavirus Theme Used as a Decoy
In February, researchers at Imperva discovered a shady campaign that cashes in on the COVID-19 scare to take its operators' black-hat SEO to the next level during the pandemic. The crooks have been generating massive amounts of comment spam to promote fake online pharmacies.

To improve Google rankings of these rogue Internet drugstores, their proprietors leverage bots that flood numerous sites with comments riddled with links to those marketplaces. Healthcare-related forums are being targeted the most.

There are several ways the spammers take advantage of these numerous comments. The obvious one is that many people may click the links out of curiosity, only to end up on a site that advertises worthless replicas of popular prescription drugs. Another benefit is more intricate. Websites mishandled by the fraudsters have numerous occurrences of coronavirus-related keywords that are trending these days, and therefore the search engine is likely to rank them high. The linked-to sites earn extra authority scores as well.

The Cat-and-Mouse Game
No other search engine can measure up to Google in terms of user audiences. The reason is clear: It returns relevant results no matter what you ask it. There is no denying that its algorithms are unrivaled, but even so, it cannot pull the plug on black-hat SEO schemes.

The campaigns above show that threat actors can outsmart a system no matter how sophisticated it is. It comes as no surprise that the search giant is continuously stepping up efforts to flush out these frauds. Hopefully, scammers will start lagging rather than be one step ahead of these initiatives sometime soon.

Recommended Reading:
Editors' Choice
Amichai Shulman, CTO and Co-founder of AirEye
Biagio DeSimone, Enterprise Solution Architect, Aqua Security