SophosLabs researchers recently uncovered a hack being used by unscrupulous web marketers to trick Google’s page ranking system into giving them top billing, despite Google’s ongoing efforts to thwart this sort of search poisoning.
Over on the Sophos Blog, technical expert Dmitry Samosseiko explains how the scammers did it, and how SophosLabs spotted what they were up to.
Here on Naked Security, we decided to take a look at why search engine poisoning matters, and what we can do as a community if we see that something is not what it seems.
The power of search
Put your hand up (literally, if you like) if you have ever done either or both of these:
- Set out to research a topic or a product thoroughly. Used your favourite search engine. Then gone no further than the first couple of results on the very first page. Job done.
- Used a search engine to gauge whether a business or website has been around a while and built up trust in that time. Seen it near the top of the first page of results. Job done.
If you have, you aren’t alone, and that’s why doing well in search results is so important for a modern organisation.
And that, in turn, is why Search Engine Optimisation (SEO) exists: you make every effort to write your web pages so they are clear and relevant, and you do your best to build up a reputation that makes already-trusted sites want to link to you.
When others link to you, that acts as an implicit recommendation, and search engines let you bask in some of the reflected glory of the sites that have linked to you.
Poisoning the chalice
Of course, getting high up in the search rankings gives great results for cybercrooks too, and they don’t play by the rules.
Treachery by cybercrooks gives search companies a double whammy: the search engines end up not only giving away artificially high rankings for free, but also conferring trust even on web pages that put users in harm’s way.
As a result, the search companies have been in a constant battle with the Bad Guys to stamp out tricks that poison search rankings.
One search poisoning technique involves being two-faced: looking honest and reputable when a search engine visits in the course of indexing the web, yet serving up malevolent content when a user clicks through.
This trick is called cloaking, and it’s been going on for years.
As you can imagine, the search engines have become adept at detecting when websites feed back content that doesn’t look right.
For example, they can compare what happens when their own search engine software (known as a spider or a crawler) comes calling, and what shows up when a regular browser visits the site.
Servers often tweak the pages they present depending on which browser you’re using, so some variation between visits is to be expected.
But if a browser sees a story about apples while the crawler is being sold on oranges, then something fishy is probably going on.
Additionally, a search engine can analyse the pages that its crawler finds in order to estimate how realistic they look.
Google’s crawler is known – officially, as you see in the HTTP header example above – as the Googlebot, and it has been taught to be rightly suspicious of web pages that seem to “try too hard” because they’ve been artificially packed with fraudulent keywords.
Scamming the Googlebot
But even Google doesn’t get it right all the time.
Indeed, SophosLabs recently spotted dodgy web marketers using a surprisingly simple trick to persuade the usually-sceptical Googlebot to accept bogus content.
The trick inflated the reputation of dubious pages, and sent them dishonestly scooting up the search rankings.
Our researchers immediately informed Google so that the problem could be fixed, but the story makes for fascinating reading.
Dmitry Samosseiko of SophosLabs has published a highly readable report about what happened; we’re not going to spoil the fun by repeating it here, so please head over to our Sophos Blog for the details.
What to do?
If you see something suspicious, such as web pages that don’t match what you searched for, or emails that link where you don’t expect, say something!
You can report suspicious emails, web pages and files to Sophos:
- By email, but please read our instructions so we receive the content in a form we can use.
- Via our web submission system.
And, remember, don’t treat a few top-ranking search results as a replacement for due diligence when you’re trying to learn more about a company or a product – especially a software product that you’re thinking of downloading.
Search engines can have their moments of gullibility, too!