• Hackers Use Google Trends to Poison Searches

    Hackers are using a relatively new technique to lure users into visiting malicious websites. SEO poisoning is a method by which hackers get a malicious link or URL indexed by a search engine. When users search for terms that match the context of the malicious link, unsuspecting web surfers are often served malicious links which can divert them to harmful websites that commit all kinds of nasty deeds, ranging from ID theft to installing malware.

    Overview

    SEO poisoning is not new, but it is definitely a growing trend. It is becoming a vector of choice for hackers. The procedure is actually quite similar to code injection. First, the hacker finds a vulnerability in the website or hosting infrastructure which allows them to upload malicious code or modify the behavior of the web application. Once this is achieved, the hacker can insert URLs into a web page which will be indexed by search engines such as Google.

    Below, we provide a screenshot to illustrate that hackers are reverse-engineering popular keywords from Google search trends to exploit unsuspecting users. In this particular example, the search query is extracted from Google Trends and the results clearly show URLs which redirect users to fake anti-virus websites. Unfortunately, few of these URLs are even blacklisted by Google and hence users do not even have the luxury of making a decision to visit an unsafe website or not.

    Experiment Goal

    The aim of this experiment is to identify URLs which are using SEO poisoning.

    Methodology

    Search results were collected from Google Trends. Once the search queries were collected, searches were performed via Google and the first 10 results were collected for each search query.

    Each search result was analyzed to determine whether the URL displayed in the search results contained the complete search query in the exact same order. It was also determined whether the structure of the URL matched patterns of SEO poisoning. Furthermore, the IP associated with the URL was looked up on Spamcop to verify whether the IP had been used for sending spam or had participated in zombie networks. Finally, using a geo-location API from IPinfo DB, the country of origin for the URL was determined. The test was conducted on March 23, 2010. Google Trends results for the period of January 1, 2010 to March 22, 2010 were used for searches.
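
    The first check in the methodology (does the result URL contain the whole search query, in order?) can be sketched as follows. This is an added example, not the code used in the experiment; treating "exact same order" as a contiguous run of query words, and the sample queries and URLs, are assumptions constructed for illustration. The URL-structure patterns are not listed in the article, so that check is not reproduced.

```python
import re
from urllib.parse import urlsplit, unquote_plus

TOKEN = re.compile(r"[a-z0-9]+")

def tokens(text):
    """Lower-case alphanumeric words; separators such as - _ / + are dropped."""
    return TOKEN.findall(text.lower())

def url_tokens(url):
    """Words from host, path and query string, after percent-decoding."""
    parts = urlsplit(url)
    decoded = unquote_plus(" ".join([parts.netloc, parts.path, parts.query]))
    return tokens(decoded)

def contains_query_in_order(url, query):
    """True if every query word appears in the URL as one contiguous run."""
    q, u = tokens(query), url_tokens(url)
    if not q or len(q) > len(u):
        return False
    return any(u[i:i + len(q)] == q for i in range(len(u) - len(q) + 1))

def match_rate(results):
    """Return (matching results, percentage) for (query, url) pairs."""
    hits = [(q, u) for q, u in results if contains_query_in_order(u, q)]
    rate = 100.0 * len(hits) / len(results) if results else 0.0
    return hits, rate

# Constructed sample data (reserved example domains, not from the study).
SAMPLE = [
    ("miss universe 2010", "http://blog.example.com/?p=miss-universe-2010"),
    ("world cup schedule", "http://example.org/sports/schedule-world-cup.html"),
    ("free tax forms", "http://example.net/index.php?q=Free%20Tax+Forms&id=7"),
    ("health care bill", "http://news.example.com/politics/2010/03/22/"),
]

if __name__ == "__main__":
    hits, rate = match_rate(SAMPLE)
    for query, url in hits:
        print(f"query-in-URL match: {query!r} -> {url}")
    print(f"{rate:.1f}% of results contain the full query in order")
```

    A match on this check alone is not proof of poisoning, since legitimate pages also put keywords in URLs; the study combined it with the URL-structure check before counting a result.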

    Highlights

    • 59.5% of search results returned by Google had URLs which contained the entire search string in the same exact order.
    • 26.07% of search results returned by Google had URLs which matched SEO poisoning patterns.
    • 14.1% of search results returned by Google had URLs which matched SEO poisoning patterns and contained the entire search string in the same exact order.
    • Only one IP seemed to be involved in spam-related activity.
    • Some of the most popular locations for websites returned as search results are: US, Canada, Netherlands, Germany, UK, France, Czech Republic, Australia and Singapore.

    Note: 10,559 search results were analyzed.

    Percentage of sites from different countries affected by SEO poisoning.

    Countries which seem to have the highest number of SEO poisoned links indexed by Google:

    • 86.1% of URLs from Singapore based sites.
    • 74% of URLs from Netherlands based sites.
    • 30.5% of URLs from UK based sites.
    • 25.1% of URLs from Germany based sites.
    • 12.6% of URLs from Canada based sites.
    • 12.42% of URLs from US based sites.

    Fluctuation in the number of SEO poisoned results.

    Note the fluctuations in the number of search results which are SEO poisoned.

    Conclusion

    It is clear that even the world’s most popular search engine company is not secure from SEO poisoning. This is not for lack of trying, but because of the myriad ways hackers can break into a website and take advantage of it. We have seen that large numbers of search results match SEO poisoning patterns. Furthermore, it is clear that hackers are injecting malicious URLs into compromised websites to latch onto Google trends.

      • [...] on our previous post which described SEO poisoning, hackers are using this relatively new technique to lure users into [...]

        Posted by SEO poisoning: Hijacking Miss Universe 2010 – stopthehacker.com – Jaal, LLC on August 25th

      • [...] amount of queries and lack of competition. For example StopTheHacker.com has a good write up on spammers poisoning Google trends topics and Symantec are reporting a swathe of World Cup email spam. Similar searches on Google, such as [...]

        Posted by Spam in Poisoned World Cup Results | Ignite Research on February 9th

      • Thank you very much for the nice article

        Posted by Aden on March 2nd

      • Is there any way to stop sep?

        Posted by Techalyst on June 17th