
Cloud | Commentary
9/22/2020 02:00 PM
David Balaban

New Google Search Hacks Push Viruses & Porn

Three incidents demonstrate how cybercriminals leverage the scourge of black-hat search engine optimization to manipulate search results.

Computers can be hacked, smartphones can be jailbroken, and Internet of Things devices in a smart home are low-hanging fruit for remote attackers.

And it turns out that search engines are vulnerable as well due to algorithmic imperfections or zero-day exploits the providers are unaware of. Well-motivated, technically adept cybercriminals with plenty of time and the right tools on their hands can cheat these systems at will. In fact, this is what is happening incessantly in this area.

Google, the world's search heavyweight with cutting-edge technologies at its core, is in the same boat. The scourge of black-hat search engine optimization (SEO) dominates the ecosystem of methods used to manipulate the tech giant's search logic and pollute its results with dubious content.

These three incidents demonstrate how cybercriminals can get mileage out of the slightest opportunity to circumvent Google's countermeasures for foul play.

Harmful Apps Spreading Via Compromised Sites
A classic technique to boost the search rankings of a malware-laden website is to fuel its online authority with strong backlinks obtained in an unethical way. As Google algorithms are becoming more sophisticated over time, it is getting harder for scammers to pull off this old-school trick. Instead of taking this route, some crooks abuse trusted websites that already rank high in search results.

A hoax of that kind was spotted in August. To set it in motion, fraudsters compromised a series of websites used by the US federal government, popular colleges, and international organizations.

The government-related resources hit by the threat actors included sites for Colorado, Minnesota, San Diego, and the National Cancer Institute. The attackers also took over the official sites for UNESCO, the University of Washington, the University of Iowa, the University of Michigan, and others.

These raids were just a means to an end, though. The felons used their foothold in those sites to publish articles about hacking different social network accounts. The UNESCO site, for example, contained a post about breaching any user's Instagram account in two minutes.

Since the compromised resources boast high domain authority, the sketchy content published on them ended up on the first page of Google. When visited, these articles would bait users with links supposedly leading to the sought-after hacking software, but with a caveat. To unlock the password brute-forcing functionality, people were told to click an extra link and download the coveted component.

Predictably enough, the link would forward the wannabe hackers to online frauds aimed at wheedling out their credit card details and other sensitive data. More unnervingly, stealthy scripts on some of the resulting pages would deposit malware on visitors' computers.

The entry point for the attacks mainly boiled down to known loopholes in major content management systems. For instance, the Webform module, a hugely popular form builder and submission manager for Drupal, was exploited in some of these incidents.

With that said, it is quite unnerving that websites used by high-profile government and educational organizations have gaping holes that make them low-hanging fruit.

Federal Government Sites Rerouting to Adult Pages
In July, security analysts unearthed a black-hat SEO campaign hinging on a clever trick to poison Google search results with links to porn sites. This exploitation piggybacks on the Open Redirect bug, also known as Unvalidated Redirects and Forwards, a notorious loophole used to orchestrate online scams and phishing attacks for years. It allows a bad actor to create a knockoff URL that looks like a trusted domain name displayed on Google and thus gives users a false sense of security.

However, when a user unwittingly clicks that link, it triggers a redirect to a rogue site instead of the legitimate one. Here is an illustration of what such a link may look like: hxxps://www.benign-page.gov/login.html?RelayState=hxxp://hacker-page.com. Only the trusted .gov domain is reflected in search results; the redirect target buried in the RelayState parameter is not. Unsurprisingly, it does not set off alarm bells.

In this particular hoax, malefactors camouflaged their links as URLs used by several dozen federal and local government sites. This way, unsuspecting users ended up on adult web pages, and the ne'er-do-wells probably got an affiliate reward for each redirect. 
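The check a login page like the one in that illustration needs in order not to be usable as an open redirect, as an added example that is not from the article or from any site it names: the host www.benign-page.gov, the RelayState parameter and the sample links come from the illustration above; the helper names, the allow-list and the audit report format are the editor's own assumptions.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed values based on the article's illustration (hypothetical site).
SITE_ORIGIN = "https://www.benign-page.gov"
ALLOWED_HOSTS = {"www.benign-page.gov"}


def is_safe_redirect(target: str) -> bool:
    """True only if `target` stays on an allowed host.

    Rejects absolute URLs to other hosts, scheme-relative URLs (//host),
    non-http(s) schemes, userinfo tricks (allowed-host@other-host) and
    backslashes, which some browsers normalise to '/'.
    """
    if not target:
        return False
    candidate = target.replace("\\", "/")      # "/\\evil" -> "//evil"
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    if parsed.netloc:                          # absolute or scheme-relative
        return parsed.hostname in ALLOWED_HOSTS  # hostname drops user@ and :port
    # Relative path: a single leading '/' only, never '//'.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_redirect(relay_state: str, default: str = "/") -> str:
    """Destination a login handler should use for a RelayState value.

    Unsafe or missing values fall back to `default` on the site itself,
    so the parameter can never send the user off-site.
    """
    if not is_safe_redirect(relay_state):
        return urljoin(SITE_ORIGIN, default)
    return urljoin(SITE_ORIGIN, relay_state.replace("\\", "/"))


def audit_link(url: str, param: str = "RelayState") -> dict:
    """Report whether a link's redirect parameter would leave the site.

    Useful for scanning links that show a trusted domain in search results
    but carry an off-site target, the pattern described in the article.
    """
    parsed = urlparse(url)
    values = parse_qs(parsed.query).get(param, [])
    target = values[0] if values else ""
    return {
        "displayed_host": parsed.hostname,
        "redirect_target": target,
        "leaves_site": bool(target) and not is_safe_redirect(target),
    }
```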

Some of the high-profile resources mimicked in this particular campaign include sites for the Kentucky Board of Home Inspectors, the Louisiana State Senate, and the National Weather Service, to name a few.

Coronavirus Theme Used as a Decoy
In February, researchers at Imperva discovered a shady campaign that cashes in on the COVID-19 scare to take its operators' black-hat SEO to the next level during the pandemic. The crooks have been generating massive amounts of comment spam to promote fake online pharmacies.

To improve Google rankings of these rogue Internet drugstores, their proprietors leverage bots that flood numerous sites with comments riddled with links to those marketplaces. Healthcare-related forums are being targeted the most.

There are several ways the spammers take advantage of these numerous comments. The obvious one is that many people may click the links out of curiosity, only to end up on a site that advertises worthless replicas of popular prescription drugs. Another benefit is more intricate. Websites abused by the fraudsters have numerous occurrences of coronavirus-related keywords that are trending these days, and therefore the search engine is likely to rank them high. The linked-to sites earn extra authority scores as well.

The Cat-and-Mouse Game
No other search engine can measure up to Google in terms of user audiences. The reason is clear: It returns relevant results no matter what you ask it. There is no denying that its algorithms are unrivaled, but even so, it cannot pull the plug on black-hat SEO schemes.

The campaigns above show that threat actors can outsmart a system no matter how sophisticated it is. It comes as no surprise that the search giant is continuously stepping up efforts to flush out these frauds. Hopefully, scammers will start lagging rather than be one step ahead of these initiatives sometime soon.

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including ...