Sophos Discovers Cloaking That Can Bypass Google Search Algorithms

Security firm Sophos has discovered a potentially dangerous new trick for getting around the algorithm protections in the Google search engine that could allow hackers to expose search users who click on PDF links to a number of security threats.

The firm outlined the threat—a cloaking technique—in a blog post last week. Cloaking is an SEO technique in which the content presented to the search engine spider is different from what’s presented to the user's browser. Google (GOOG) has protections in place to secure users against these types of threats; however, it appears at least one hacking group has found a way to circumvent them.

“A cloaked page would serve the Googlebot with content that is stuffed with keywords to suggest that your site is relevant to specific search terms,” Sophos researcher Dmitry Samosseiko wrote in the post. “This technique has been used often in the past in malware attacks; for example, users searching for 'Justin Bieber' and then following a link in search results could lead to a malicious website rather than the site presented in the link,” he wrote. Users would see a regular page, however, so no one would even realize there was a problem to report.

The new threat, discovered by a Sophos Antivirus detection that Sophos Labs' Jason Zhang created based on a suspicious-looking PDF file, is specific to links to PDF documents.

It works by poisoning Google search results using “PDF cloaking” to get around the protections the company has in place, exposing users to scams, malware, or other threats when they click on what appears to be a highly ranked PDF document that comes up in a search.

“When doing a Google search for keywords found inside those PDFs we found a large amount of similar documents on a number of legitimate, but unrelated and likely compromised, websites,” Samosseiko wrote. “In addition to the heavy use of specific keywords, the PDFs include links to documents planted on other websites, forming a so-called ‘back link wheel.’”

This seems to have been enough to trick Google into giving those documents an artificially high search ranking, he said.

Hackers apparently are targeting PDFs because Google’s cloaking-detection algorithms, which aim to spot Web pages that have been artificially and unrealistically loaded with keywords, aren’t as strict when it comes to documents, Samosseiko wrote.

“It seems that Google implicitly trusts PDFs more than HTML, in the same way that it trusts links on .edu and .gov sites more than those on commercial web pages,” he said.
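For site owners who want to check their own pages or documents for the cloaking and keyword loading described above, the following is an added example, not code from Sophos or Google. It assumes you have already fetched the same URL twice from your own site (once with a crawler user agent, once with a normal browser) and extracted the text; the sample strings, function names and thresholds are constructed for illustration.

```python
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9']+")

# Constructed sample text: what the crawler was served vs. what a visitor sees.
CRAWLER_VIEW = ("binary trading broker best binary trading broker reviews "
                "binary trading signals binary broker trading bonus binary trading")
BROWSER_VIEW = ("Welcome to the parish newsletter. This month we cover the summer "
                "fete, choir rehearsals and the new car park rota.")

def tokens(text):
    """Lower-case word tokens of extracted page or PDF text."""
    return TOKEN.findall(text.lower())

def jaccard(a, b):
    """Vocabulary overlap of two token lists: 1.0 identical, 0.0 disjoint."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)

def top_term_share(toks, n=3):
    """Fraction of all tokens taken by the n most frequent terms (stuffing signal)."""
    if not toks:
        return 0.0
    return sum(count for _, count in Counter(toks).most_common(n)) / len(toks)

def cloaking_report(crawler_view, browser_view,
                    min_similarity=0.5, max_top_share=0.4):
    """Compare the two views; thresholds are illustrative assumptions, tune per site."""
    crawler_toks = tokens(crawler_view)
    browser_toks = tokens(browser_view)
    similarity = jaccard(crawler_toks, browser_toks)
    share = top_term_share(crawler_toks)
    return {
        "similarity": round(similarity, 2),
        "crawler_top_term_share": round(share, 2),
        "views_differ": similarity < min_similarity,       # cloaking signal
        "crawler_view_stuffed": share > max_top_share,     # keyword-loading signal
    }

if __name__ == "__main__":
    print(cloaking_report(CRAWLER_VIEW, BROWSER_VIEW))
```

A result with both flags set on a document you did not publish is a strong hint that the site has been compromised and is hosting planted content.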

While Sophos suspects the technique could be used for the distribution of malware and other nefarious purposes, researchers only found it in a marketing campaign to promote so-called “binary-trading” broker services, the company said.

Sophos has provided detailed information about the threat to Google and informed the company it would publish its findings. Google responded that it received the information but did not respond further, according to Sophos.

“We trust that the necessary measures are being taken to counter these search result poisoning attempts,” Samosseiko wrote.

About the Author

Elizabeth Montalbano

Elizabeth Montalbano is a freelance writer who has written about technology and culture for more than 15 years. She has lived and worked as a professional journalist in Phoenix, San Francisco, and New York City. In her free time she enjoys surfing, traveling, music, yoga, and cooking. She currently resides in a small village on the southwest coast of Portugal.
