Scammers bypass Google filters with PDF cloaking

Scammers have long used cloaking as a technique to drive up search engine rankings, stuffing webpages full of keywords and links that make them attractive to Google, but not to actual readers.

Google wised up and those tactics became ineffective. But, according to a new report from SophosLabs, there is one twist on cloaking that still works, and that is to stuff those keywords and links into PDF documents instead.

"It is our supposition that Google has not protected PDFs from this type of search engine poisoning the same way it has with HTML files," said Maxim Weinstein, security adviser at Sophos.

According to Weinstein, SophosLabs noticed the PDF cloaking a few days ago, and hundreds of thousands of fake PDF documents have been appearing daily since then.

Each is stuffed with random keywords, as well as links to the other pages in the campaign.

"We suspect that there's some sort of computer generation going on," Weinstein said.

The combination of keywords and plenty of inbound links makes the documents look more relevant and useful than they actually are.

"The concept of poisoning search results by having web pages link to each other and include a bunch of keywords has been around for a while," Weinstein said. 'What's new about this is the fake PDFs."

Users searching for the phrase "austria currency trading," for example, get seven responses, as of last night -- six of which are the fake PDFs. Once users click on one of these bogus search engine links, they were redirected to a couple of different "get rich quick" websites.

However, Weinstein warned that, in the past, these kinds of poisoned search results have also been used to take unsuspecting users to phishing sites or drive-by malware download pages.

So, he said, he would not be able to say with any certainty where the links would lead at any particular moment in time.

"They change," he said. "They could redirect them to a legitimate website or to a scam website, or a site that was trying to phish their personal data or deliver malware to them."

The documents are also showing up on legitimate, but unrelated and likely compromised, websites.

The links in the documents create what SophosLabs described as a "back link wheel."

SophosLabs has informed Google about the loophole, but, as of yesterday afternoon, the fake PDF documents were still showing up high in results.


Maria Korolov

Zur Startseite