Blackhat SEO even targets researchers

In the past week I’ve garnered a lot of press attention from my ongoing research into the Windows shortcut vulnerability. Apparently this has brought my name to the attention of the SEO poisoners who continually target Google.

Poisoned Google search results

There were more results than shown here, so I did some poking around to see what they were. The most common poisoning, and the one shown here, leads to some hacked websites that are chock full of tasty keywords for search engine manipulation. None of the sites I investigated had any malicious content themselves; they appear to be using hacked blogs and sites to enhance the search rank of someone who was foolish enough to hire them to increase their Google PageRank.

Another of the poisoned pages redirected to a fake Google results page.

Poisoned Google result

Following the link displayed takes you through a series of redirects, all of which have some sort of affiliate ID number in the URL, landing you eventually at fake Canadian pharmacy websites. The Canadian pharmacy sites are on a rotation so you get a different one each time you click the link.

HTML source of poisoned page

The attack must be related to insecure versions of WordPress, since the source code shows that the pages were created using WordPress/MU. As you can see, my name is the title of this particular page.

The cat-and-mouse game between the con artists and Google continues. Throughout the day I have watched many of the poisoned results disappear as Google catches on to their techniques and puts them out of commission. Simply because a site is in a Google search result does not make it legitimate. Think before you click and take advantage of the summaries Google provides to determine whether something smells a bit phishy.