Sophos Uncovers Mass Link Spam In Google’s Search Results Via Cloaked PDFs

Hackers use PDF documents to inject links and keywords and -- through cloaking techniques -- scam searchers to go to other web sites.

on July 9, 2015 at 3:50 pm | Reading time: 2 minutes
Chat with SearchBot

spam-confusion-ss-1920

Sophos, an IT security company, has uncovered a case of Google search spam involving “hundreds of thousands” of cloaked PDF documents with links that redirect human users to suspicious websites. It’s similar to the long-running type of hacking/spamming that involves placing HTML-based web pages on hacked websites, but in this case involves placing PDFs. The technique may not be necessarily new, but Sophos documented cases where the PDF content is ranking highly in Google’s search results.

The company informed Google about this technique, but decided to publish their findings after not hearing back from Google. We also reached out to Google early this morning and have not heard back.

Sophos said they think this technique works because “Google implicitly trusts PDFs more than HTML.” Honestly, we are not so sure how true that statement is. Nevertheless, the process the hackers/spammers used was to hack into web sites, plant these PDFs or modify the PDFs with links, while also cloaking the documents so the normal user would be redirected to a spam site.

What Sophos found inside those PDFs was “a large amount of similar documents on a number of legitimate, but unrelated and likely compromised, websites. In addition to the heavy use of specific keywords, the PDFs include links to documents planted on other websites, forming a so-called back link wheel.”

Then through cloaking, any human web user that tried to click on the PDF would be taken to another site, not the PDF.

Sophos shared an example of a search result with the spam:

poisoned-search-google

The URLs blocked out contained these cloaked PDF documents. But when the user clicked to see the PDF, they would go to a web site, such as this one:

binarytrade1

What Google saw was not the web site, but the PDF with the links. Here is a picture of what GoogleBot saw, since Google was being served the PDF while the user was being redirected to the web site above:

pdf-cached

Sophos also documented the redirect chain the web user went through, showing how the spammers added on affiliate links to monetize the sale:

redirection-chain1

Add Search Engine Land to your Google News feed.    Google News

Related stories

New on Search Engine Land

About the author

Barry Schwartz
Staff
Barry Schwartz is a Contributing Editor to Search Engine Land and a member of the programming team for SMX events. He owns RustyBrick, a NY based web consulting firm. He also runs Search Engine Roundtable, a popular search blog on very advanced SEM topics. Barry can be followed on Twitter here.

Related topics

Google SEOSEO

Get the must-read newsletter for search marketers.

Topics

Our events

About

Follow us

© 2024 Third Door Media, Inc. All rights reserved.

Third Door Media, Inc. is a publisher and marketing solutions provider incorporated in Delaware, USA, with an address 88 Schoolhouse Road, PO Box 3103, Edgartown, MA 02539. Third Door Media operates business-to-business media properties and produces events. It is the publisher of Search Engine Land the leading Search Engine Optimization digital publication.