How Crooks Abuse Google to Earn Money
Any web service with large user audiences is a juicy target for malware distributors and scammers who seek to extend their reach. It comes as no surprise that Google is in the crosshairs of cyber riff-raff whose stratagems are geared toward gaming the world’s most sophisticated search algorithms.
While providing exceptional accuracy of its search results and incredibly effective countermeasures for foul play, the tech giant is not invulnerable to exploitation. Once its engineers pull the plug on known black hat SEO schemes, crooks come up with new ingenious techniques that make the security community frown. This is like a race that goes on and on.
The following cybercrime campaigns reflect the current threat landscape around Google and show how felons outwit its state-of-the-art technologies.
Malicious actors parasitize Google Alerts to serve malware
In a recent move, malware distributors have been baiting users with booby-trapped search results that show up in Google Alerts. This is a popular service that lets you specify topics of interest and then receive links to relevant stories by email. The campaign operators in question publish rogue news stories that, once indexed, end up in subscribed users’ inboxes.
When an unsuspecting person clicks the link to read one of these eye-catching articles, they are redirected to pages claiming that their Flash Player is out of date, that their computer is low on memory, or to other dubious pages. Many users fall for this trick, and the resulting download prompts victims to install potentially unwanted programs (PUPs) down the line.
In some scenarios, these bogus stories lead to pages that try to dupe users into allowing web push notifications. If this permission is granted, the victim will be bombarded by annoying pop-ups that contain malicious links promoting harmful browser extensions or online scams.
Authoritative websites hacked to push dodgy apps
As Google’s algorithms are being constantly refined to identify black hat SEO tricks, it is increasingly hard for crooks to boost their sites’ rankings through shady link-building schemes. Instead, some gangs are taking clever shortcuts.
One of these mechanisms was discovered last August. Cybercriminals exploited known vulnerabilities in Drupal and other content management systems (CMS) to take over several reputable websites used by the U.S. government, educational institutions, and international nonprofit organizations. A few examples are sites for Minnesota, San Diego, UNESCO, the University of Iowa, and the University of Washington.
Having gained unauthorized access to these resources, malefactors published how-tos on hacking popular social network accounts. For example, one of these rogue write-ups claimed to provide an easy technique to compromise someone’s Instagram account in mere minutes. Because all these websites rank high in Google, the fake materials got strong positions in search results and collected a lot of page views.
The catch was that the alleged hacking tools hoodwinked users into downloading an extra component that would supposedly enable the password cracking feature. But the download link redirected to credential phishing sites and pages hosting info-stealing malware called Emotet.
NSFW links masqueraded as U.S. federal government sites
Another unorthodox hoax broke out in July 2020. Crooks used a vulnerability called Open Redirect to riddle Google search results with legitimate-looking entries leading to adult content. Also referred to as Unvalidated Redirects and Forwards, this long-standing flaw allows perpetrators to mask dubious URLs as trusted ones.
An example is a link in the following format: hxxp://www.good-site.gov/login.html?RelayState=hxxp://evil-site.com. Search listings only reveal the *.gov part, while the link forwards the user to the shadowy domain that remains hidden.
In this campaign, crooks cloaked their pages as URLs used by multiple U.S. federal government sites, including those for the Louisiana State Senate and the National Weather Service. Instead of visiting the intended resources, though, users would be rerouted to porn pages whose owners reward affiliates for unique leads.
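The defensive side of the open redirect flaw described above is straightforward: a site should never forward a user to whatever URL arrives in a parameter such as RelayState. The following Python example is added here and is not code from the article or from any of the sites it names; the host names good-site.gov and evil-site.com are taken from the article's illustrative link, and the allowlist and function names are hypothetical. It places the unsafe pattern next to a hardened version that accepts only same-site paths or absolute URLs on an allowlisted host, and it handles the scheme-relative (//host), backslash, userinfo (@) and non-HTTP-scheme variants that commonly slip past naive checks.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed allowlist (hypothetical): the only hosts this application
# is ever permitted to redirect to. Exact matching avoids the classic
# suffix-match bug where "www.good-site.gov.evil-site.com" passes.
ALLOWED_HOSTS = {"www.good-site.gov", "good-site.gov"}

SAFE_DEFAULT = "/"


def vulnerable_redirect_target(relay_state: str) -> str:
    """The unsafe pattern: trust the RelayState parameter verbatim.

    A search listing shows the trusted *.gov URL, but the browser ends up
    wherever the parameter points (the article's hxxp://evil-site.com).
    """
    return relay_state


def safe_redirect_target(relay_state: str, default: str = SAFE_DEFAULT) -> str:
    """Return relay_state only if it stays on this site; otherwise default."""
    if not relay_state:
        return default
    candidate = relay_state.strip()

    # Browsers treat a backslash like a slash ("/\evil-site.com" becomes
    # "//evil-site.com"), while Python's parser does not; reject it outright.
    if "\\" in candidate:
        return default

    parts = urlsplit(candidate)

    # Only plain web schemes; this also blocks javascript:, data:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    # "http:evil-site.com" has a scheme but no authority; never trust it.
    if parts.scheme and not parts.netloc:
        return default

    if parts.netloc:
        # Userinfo tricks: "http://www.good-site.gov@evil-site.com" reads as
        # the trusted host to a human but resolves to evil-site.com.
        if "@" in parts.netloc:
            return default
        host = parts.hostname  # lowercased, port stripped
        if host not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)

    # No authority: must be a site-relative path. "//host" already produced a
    # netloc above, so here we only need a single leading slash.
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def redirect_from_request(request_url: str) -> str:
    """Resolve the post-login redirect for a request like the article's link."""
    query = parse_qs(urlsplit(request_url).query)
    relay = query.get("RelayState", [""])[0]
    return safe_redirect_target(relay)


if __name__ == "__main__":
    # The article's link, with hxxp:// restored to http:// for parsing.
    link = "http://www.good-site.gov/login.html?RelayState=http://evil-site.com"
    print("vulnerable ->", vulnerable_redirect_target("http://evil-site.com"))
    print("hardened   ->", redirect_from_request(link))
```

The hardened function deliberately returns a fixed in-site default instead of trying to "repair" a bad target: rewriting attacker-controlled input is where most redirect bypasses come from. If a deployment genuinely needs cross-site redirects, the allowlist is the one place to extend, not the parsing logic.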
COVID-19 theme used to ensnare users
When the coronavirus crisis took the world by storm, malicious actors got busy exploiting the “infodemic.” In one of these black hat SEO scams, they launched a large-scale comment spam wave to lure users and improve the Google rankings of phony Internet pharmacies.
The tactic largely boiled down to using automated bots that deluged popular healthcare forums with comments that included links to knockoff online drug stores. As a result, thousands of users who clicked those links landed on pages that touted low-quality or outright dangerous medications.
One more way the spammers could benefit from this scheme was that their fake pharma sites earned extra domain authority when referenced from resources frequented by numerous people. In some cases, this allowed the junk marketplaces to reach the first page of Google.
Abuse of Google Maps might play into criminals’ hands
Imperfections of the Google Maps service can make a cybercriminal’s day, too. By manipulating its algorithms, wrongdoers may misguide users or even get paid for disrupting someone’s business.
One way to fool Google Maps was demonstrated by a German researcher named Simon Weckert in February 2020. He was able to emulate traffic jams in the streets of Berlin by walking around with a handcart containing 99 second-hand smartphones. The geolocation system interpreted this multitude of mobile devices within a small area as a sign of heavy traffic congestion and displayed the corresponding alert to users.
In another proof of concept (POC), a team of researchers showed how an attacker could replace a real map with a fake one. All it takes is spoofing GPS signals via a set of devices attached to a target vehicle. The required gear (worth about $200) includes a tiny Raspberry Pi computer, a radio transceiver, an antenna, and a portable power supply. Once the navigation system starts reporting wrong coordinates, the malefactor aligns them with a “ghost map” to make the victim drive to another destination.
Google Maps exploitation can go beyond POCs. Back in 2012, a popular restaurant in Virginia suffered an abrupt decrease in the number of visitors. Several months later, the owner noticed that his eatery’s working hours on Google Places (a business directory service later renamed to Google My Business) were badly misrepresented. The page said the restaurant was closed on weekends, the periods when it normally generated the most profit.
A plausible theory is that a business rival took advantage of the crowdsourced nature of Google Places to create a fake profile or modify important details and thereby discourage people from going to the eatery.
One way or another, the once-successful restaurant did not survive the decline. Its owner filed a lawsuit against Google, arguing that flaws in its services allowed a third party to skew his business listings. However, this pursuit of justice turned out futile.
When it comes to cybercrime schemes zeroing in on Google’s services, black hat SEO is the name of the game. No matter how intelligently the search engine pinpoints most of these frauds, some of them fly under the radar. The silver lining is that Google is constantly enhancing its defenses against such abuse. However, it is usually one or several steps behind those crafty folks unwilling to play by the rules.