PandaLabs has identified over a million spam links used to target Google searchers looking for information about automotive parts from Ford and Nissan especially. Panda calls it “a major Blackhat SEO attack” designed to dupe searchers into downloading spyware or purchasing phony security software.
Searching for the keyphrase “Diagram Of A 1998 Nissan Pathfinder Blower Motor,” for example leads to a Google results page packed with spammy sites. A savvy user can identify them by their unusual URLs starting with an arbitrary number, followed by nonsensical combinations of letters and resolving to Polish domains.
These types of URLs went on for ten pages before I stopped looking—ten pages of weird Polish results for an English query, all mentioning different Nissan Pathfinder parts diagrams. This is a serious error in Google relevance: wrong language, wrong country, wrong parts (bringing back a door handle diagram isn’t the intent of the searcher in this instance), wrong sites, all of them likely created very recently.
Clicking on any of the links is likely to lead to a webpage prompting the searcher to download a codec that is actually malware designed to present bogus security warnings. The malicious program then prompts the user to spend as much as $80 to download the security program to get rid of the viruses. This type of malware is called “scareware” or “rogueware” and has become so popular among the underground lately probably because it works.
Sean-Paul Correll, a security analyst for PandaLabs provides a partial list of the keywords and phrases targeted in this highly organized attack and provides a video to illustrate how it works. Though many of the examples target Nissan, Panda says over a million target Ford alone.
Targeted Blackhat SEO Attack against Ford Motor Co. from Panda Security on Vimeo.
“This case is especially interesting because it’s one of the few SEO attacks that we have seen targeting a single, specific brand,” said Correll.
How are cybercrooks accomplishing such search engine dominance? Well, there are a number of blackhat SEO tactics, and it would be hard to identify exactly which ones. But one obvious tactic is fooling Google’s trust algorithm by slipping in links to target sites on trusted sites. In a Web 2.0 era defined by reader commentary and user-generated content, this becomes especially easy to accomplish.
Running a quick link check of some of the results Google was returning show spammers have made use of a comments section on Beerinator.com, a North Carolina-based beer enthusiast community, and also of the comments section on Logrithmic.com, a music blog. Ever seen a bunch of nonsensical text or irrelevant “nice site” comments with a link?
These appear to be the main tactics. The spammers also take advantage of forums—one link showed up on this South African paramedics forum, the commentary section of which is a veritable spam bonanza. Beyond that, all these strange Polish sites seem to link to each other.
Correll said Google could (and presumably does) monitor these attacks in house, but the company also has the option of outsourcing security to other companies to combat them. “They could also try to modify their algorithm, but that is not really a viable option given the expense and the high likelihood of technical issues (i.e. negative impact on their core search IP and capabilities).”
Google did not return request for comment about what Google is doing about a spate of similar attacks or whether recent tweaks to their algorithm have allowed it.
