These New Google Search Hacks Push Viruses and Porn

An entirely foolproof digital system has yet to be masterminded, and for the time being that remains wishful thinking. Computers can be hacked, smartphones can be jailbroken, and IoT devices in a smart home are low-hanging fruit for remote attackers.

Search engines are not perfect either, whether because of algorithmic imperfections or zero-day exploits the providers are unaware of. Well-motivated, technically adept cybercriminals with plenty of time and the right tools on their hands can cheat these systems at will. In fact, this is happening incessantly in this area.

Google, the world’s web search heavyweight with cutting-edge technologies at its core, is in the same boat. The scourge of black hat search engine optimization (SEO) dominates the ecosystem of methods used to manipulate the tech giant’s search logic and pollute its results with dubious content.

The following incidents demonstrate how cybercriminals can get mileage out of the slightest opportunity to circumvent Google’s countermeasures for foul play.

Here is a spoiler: it turns out that gaming the system is not as hard as you probably thought it was.

HARMFUL APPS SPREADING VIA COMPROMISED GOVERNMENT AND COLLEGE SITES

A classic technique to boost the search rankings of a malware-laden website is to fuel its online authority with strong backlinks obtained in an unethical way. As Google algorithms become more sophisticated over time, it is increasingly challenging for scammers to pull off this old-school trick. Instead of taking this route, some crooks abuse trusted websites that already rank high in search results.

A hoax of that kind was spotted in August 2020. To set it in motion, fraudsters compromised a series of websites used by the U.S. federal government, popular colleges, and international organizations.

The government-related web resources hit by the threat actors included sites for Colorado, Minnesota, San Diego, the National Institute of Health, and the National Cancer Institute. The attackers also took over the official sites for UNESCO, Arizona State University, the University of Washington, the University of Iowa, the University of Michigan, Rochester Institute of Technology, the University of Maryland, and Rutgers University.

These raids were just a means to an end, though. The felons mishandled their foothold in those sites to publish articles about hacking different social network accounts. The UNESCO site, for example, contained a post about breaching any user’s Instagram account in two minutes.

Since the compromised resources boast high domain authority, the sketchy content published on them ended up on the first page of Google for the relevant queries. When visited, these articles would bait users with links supposedly leading to the sought-after hacking software, but with a caveat: to unlock the password brute-forcing functionality, people were told to click an extra link and download the coveted component.

Predictably enough, the link would forward the wannabe hackers to online frauds aimed at wheedling out their credit card details and other sensitive data. More unnervingly, stealthy scripts on some of the resulting pages would deposit malware on visitors’ computers. A notorious malware loader called Emotet was among these payloads.

When security analysts dug deeper, they discovered a larger network of compromised websites pushing phony hacking tools that purportedly allowed people to take over accounts for other popular services, including Facebook, Netflix, TikTok, WhatsApp, and Snapchat.

How attackers can compromise popular websites

The entry point for the attacks mainly boiled down to known loopholes in major content management systems (CMS). For instance, the Webform module, a hugely popular form builder and submission manager for Drupal, was exploited in some of these incidents. The perpetrators used this bug to upload PDF documents that contained booby-trapped links to download pseudo-hacking tools.

With that said, it is quite unnerving that websites used by high-profile government and educational organizations have gaping holes that make them low-hanging fruit. One more consideration in this regard is that the success of this campaign is fueled by users’ desire to hack someone else’s online account. That is the kind of information the would-be victims were looking up on Google, only to be ambushed down the line.

FEDERAL GOVERNMENT SITES REROUTING TO ADULT PAGES

In July 2020, security analysts unearthed a black hat SEO campaign hinging on a clever trick to poison Google search results with links to porn websites. This exploitation piggybacks on the Open Redirect bug, also known as “Unvalidated Redirects and Forwards.”

This is a notorious loophole that has been used to orchestrate online scams and phishing attacks for years. It allows a bad actor to craft a link whose displayed URL looks exactly like a trusted domain name in Google’s results and thus gives users a false sense of security.

However, when a user unwittingly clicks that link, it triggers a redirect to a rogue site instead of the legitimate one. Here is an illustration of what such a link may look like: hxxps://www.benign-page.gov/login.html?RelayState=hxxp://evil-page.com. Only the .gov domain is reflected in search results, so, unsurprisingly, the link does not set off alarm bells.

In this particular hoax, malefactors camouflaged their links as URLs used by several dozen federal and local government sites. This way, unsuspecting users ended up on adult web pages, and the ne’er-do-wells probably got an affiliate reward for each redirect. By the way, these shenanigans are not restricted to mimicking .gov portals. The malicious actors in charge of this ruse scour numerous popular sites for Open Redirect scripts and parasitize them once spotted.
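The defensive counterpart to the RelayState trick above, as an added example that is not part of the original article: a server-side check that only honours redirect targets staying on the site’s own host (scheme-relative `//evil.example` and backslash variants included), plus a scan over constructed log lines that flags requests carrying an off-site target. Hostnames, the parameter list and the log lines are assumptions made for the example.

```python
"""Open-redirect hardening and detection (added example; all names constructed)."""
import re
from urllib.parse import parse_qs, urljoin, urlsplit

# Parameters commonly used to carry a post-login destination (assumed list).
REDIRECT_PARAMS = ("RelayState", "next", "url", "redirect", "return")
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines in common log format.
LOG_LINES = [
    '203.0.113.5 - - [02/Oct/2020:10:15:01 +0000] "GET /login.html?RelayState=http://evil-page.example/ HTTP/1.1" 302 0',
    '203.0.113.6 - - [02/Oct/2020:10:15:02 +0000] "GET /login.html?RelayState=/account HTTP/1.1" 302 0',
    '203.0.113.7 - - [02/Oct/2020:10:15:03 +0000] "GET /about.html HTTP/1.1" 200 512',
]

def requested_target(url):
    """Return the first redirect parameter value found in the URL, or None."""
    query = parse_qs(urlsplit(url).query)
    for name in REDIRECT_PARAMS:
        if query.get(name):
            return query[name][0]
    return None

def normalize_on_site(target, site_host):
    """Return a site-relative path if target stays on site_host, else None.

    Backslashes are folded to slashes first because browsers treat '/\\host'
    like '//host'; the target is then resolved against the site origin so a
    relative path, a scheme-relative URL and an absolute URL are all judged
    by the same host comparison.
    """
    resolved = urlsplit(urljoin(f"https://{site_host}/", target.replace("\\", "/")))
    if resolved.scheme not in ("http", "https"):
        return None  # javascript:, data: and friends never qualify
    if (resolved.hostname or "").lower() != site_host.lower():
        return None  # another host: the open-redirect case
    # Re-emit only path and query so no attacker-controlled authority reaches Location.
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")

def safe_redirect_target(request_url, site_host, default="/"):
    """Destination to use for the Location header: on-site target or default."""
    target = requested_target(request_url)
    if target is None:
        return default
    return normalize_on_site(target, site_host) or default

def flag_offsite_redirects(log_lines, site_host):
    """Detection view: list redirect targets in the log that point off-site."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        target = requested_target(match.group(1))
        if target is not None and normalize_on_site(target, site_host) is None:
            hits.append(target)
    return hits
```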

Some of the high-profile resources mimicked in this particular campaign include sites for the Kentucky Board of Home Inspectors, the Louisiana State Senate, the National Weather Service, and the Colorado Department of Higher Education, to name a few.

It remains unknown how the scammers duped Google’s algorithms into giving malicious URLs the green light to show up in search results. The silver lining is that the fraudulent pages are not distributing malicious programs such as ransomware or banking Trojans. The promoted X-rated content still leaves an embarrassing aftertaste, though.

CORONAVIRUS THEME USED AS A DECOY

In February 2020, researchers at cybersecurity company Imperva discovered a shady campaign that cashes in on the COVID-19 scare to take its operators’ black hat SEO to the next level during the pandemic. The crooks have been generating massive amounts of comment spam to promote fake online pharmacies.

Also known as pharma spam, this phenomenon splashed back onto the scene after nearly a decade of relative dormancy. Its operators’ schemes underwent some notable transformations as compared to old-school techniques. One of the most conspicuous changes is that they are now trying to game Google search results in addition to generating thousands of junk messages that are unlikely to slip past modern email filters.

To improve Google rankings of these rogue Internet drug stores, their proprietors leverage bots that flood numerous sites with comments riddled with links to those marketplaces. Healthcare-related forums are being targeted the most.

There are several ways the spammers take advantage of this foul play. The obvious one is that many people may click the links out of curiosity, only to end up on a site that advertises worthless replicas of popular prescription drugs. Another benefit is more intricate. Websites mishandled by the fraudsters have numerous occurrences of coronavirus-related keywords that are trending these days, and therefore the search engine is likely to rank them high. The linked-to sites earn extra authority scores as well.

While most of these landing pages are knock-off drug stores, some are seemingly harmless sites containing a few academic research articles or replicas of the hugely popular interactive coronavirus dashboard provided by Johns Hopkins University. However, if certain elements on them are clicked, the visitors are instantly redirected to bogus pharmacies. This artifice proves that cybercriminals follow the headlines and dexterously adjust their chicanery to the current circumstances.

THE CAT-AND-MOUSE GAME

No other search engine can measure up to Google in terms of audience size. The reason is clear: it returns relevant results no matter what you ask it. There is no denying that its algorithms are unrivaled, but even so, it cannot pull the plug on black hat SEO schemes.

The campaigns above show that threat actors can outsmart a system no matter how sophisticated it is. It comes as no surprise that the search giant is continuously stepping up efforts to flush out these frauds. Hopefully, scammers will soon find themselves lagging behind these initiatives rather than one step ahead of them.

Written by David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
October 2, 2020
