Thursday, September 19, 2024

Democrats.org Becomes Parasite Host

Google’s trust of Democrats.org, the Democrat National Party’s official website, is being abused by cybercrooks to spread spam and malware via search results. Criminals are able to achieve high ranking for their sites in the search results simply by setting up a blog at the DNC website and passing on link juice from there.

The past few weeks have seen a spate of Google-trusted website abuse. As companies and organizations embrace the popularity of Web 2.0 standards like user-generated content, malicious users have returned that openness via a method called parasite hosting, a tactic for piggybacking on the reputation of a website that accepts user content to pass algorithmic trust to other sites.

Twitter and Facebook have been huge targets recently, and because Google trusts these sites and ranks them highly, Google’s search results become a malware minefield. Crooks monitor popular, buzzy search terms, as displayed on Google Trends, to know which keywords to target.

During his campaign, President Barack Obama was revolutionary in the way he utilized the Internet, search engine optimization, and Web 2.0 for fundraising and spreading his message of openness and transparency. That same openness appears to have led to the current abuse of the DNC’s site. An authoritative link from barackobama.com helps boost the DNC’s search engine trust as well.

Democrats.org allows people to set up their own blogs, which are hosted at the website and featured on the homepage. Under the partybuilder feature, it doesn’t take long to notice, under the “Latest Posts” heading, a pair of posts written by “Unknown User,” each with a nonsensical letter-sequence title like “rdthsrthsth” or “vsdgsdfsdgsdg.”

Democrats.org - Partybuilder

Sure enough, clicking on those titles takes a visitor to keyword link spam leading to presumably nasty places filled with some sort of malware or phishing attempts. The keywords linked are currently popular search terms associated with news events and American Idol contestants and songs, for example.

Searching for terms like “American Idol March 10” and “Jonas Brothers world tour dates” (keywords targeted on the DNC website) and several others brings back, as the second Google search result, a website listed as dana.reticular.info that redirects to a Chinese-hosted website showing a scareware popup. Scareware is a bogus warning that a computer is infected with a virus. The site offers to scan a user’s computer—where it will certainly find infection—and then offers for a fee to clean it up. Instead it installs a Trojan virus.

Scareware Links

McAfee’s Avert Labs says the community blogs feature at Democrats.org has been used for many weeks as a host for blog spam filled with poisonous links. Because Google trusts the website, hackers familiar with SEO use that trust to dupe searchers.

Scareware Message

“Web 2.0 can be a great thing, empowering users to contribute content for the betterment of the community,” said Craig Schmugar, threat researcher for Avert Labs. “But a bad apple (or thousands) doesn’t just hurt the community — it can hurt a significant portion of the Web itself.”

A blog on the DNC’s site is set up easily but not automatically. The site requires a valid email address and a confirmation code, which suggests these malicious posts are set up manually. The DNC did not return a request for comment about how closely they monitor blog posts, what type of spam filters are in place, or if they plan to use nofollow links in the future. “Nofollow” is an HTML link attribute value that prevents a link from passing “link juice” capable of influencing a search engine’s trust rank.
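As an added illustration (not code from the article or from the DNC’s site), here is one way a site that hosts user blogs could apply nofollow on the server side: every off-site link in a submitted post is rewritten to carry rel="nofollow", and the number of such links is returned for moderation. The host name `blogs.example.org` and the function names are assumptions; this only removes the ranking benefit and is not a full HTML sanitizer.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "blogs.example.org"  # assumption: host that serves the user blogs

class NofollowRewriter(HTMLParser):
    """Re-emit user-submitted HTML, adding rel="nofollow" to off-site links."""

    def __init__(self, site_host=SITE_HOST):
        super().__init__()  # default mode: text arrives with entities decoded
        self.site_host = site_host.lower()
        self.out = []
        self.external_links = 0  # count doubles as a moderation signal

    def _is_external(self, href):
        host = urlsplit(href or "").hostname  # None for relative links
        return host is not None and host.lower() != self.site_host

    def _emit(self, tag, attrs, close=""):
        if tag == "a" and self._is_external(dict(attrs).get("href")):
            self.external_links += 1
            rel = (dict(attrs).get("rel") or "").lower().split()
            if "nofollow" not in rel:
                rel.append("nofollow")  # keep any rel tokens the author supplied
            attrs = [(k, v) for k, v in attrs if k != "rel"] + [("rel", " ".join(rel))]
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"' for k, v in attrs
        )
        self.out.append(f"<{tag}{rendered}{close}>")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-encode decoded text

def add_nofollow(html, site_host=SITE_HOST):
    """Return (rewritten_html, number_of_off_site_links) for one blog post."""
    parser = NofollowRewriter(site_host)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.external_links
```

A post whose off-site link count is high relative to its text, like the keyword-stuffed posts described above, can be held for review before it reaches the “Latest Posts” list.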

A quick look at the Republican National Committee’s website reveals GOP members have access to a similar service, at least in theory, since it doesn’t appear to function properly and this reporter was unable to set up a profile to check.
 

 

 
