Sophos Uncovers Mass Link Spam In Google’s Search Results Via Cloaked PDFs
Hackers use PDF documents to inject links and keywords and, through cloaking techniques, scam searchers into going to other websites.
Sophos, an IT security company, has uncovered a case of Google search spam involving “hundreds of thousands” of cloaked PDF documents with links that redirect human users to suspicious websites. It’s similar to the long-running type of hacking/spamming that involves placing HTML-based web pages on hacked websites, but in this case it involves placing PDFs. The technique may not necessarily be new, but Sophos documented cases where the PDF content is ranking highly in Google’s search results.
The company informed Google about this technique, but decided to publish their findings after not hearing back from Google. We also reached out to Google early this morning and have not heard back.
Sophos said they think this technique works because “Google implicitly trusts PDFs more than HTML.” Honestly, we are not so sure how true that statement is. Nevertheless, the process the hackers/spammers used was to hack into web sites, plant these PDFs or modify the PDFs with links, while also cloaking the documents so the normal user would be redirected to a spam site.
What Sophos found inside those PDFs was “a large amount of similar documents on a number of legitimate, but unrelated and likely compromised, websites. In addition to the heavy use of specific keywords, the PDFs include links to documents planted on other websites, forming a so-called back link wheel.”
Then, through cloaking, any human web user who tried to click on the PDF would be taken to another site, not the PDF.
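For a site owner checking whether their own server has been abused this way, the split described above (crawler gets the PDF, human visitor gets a redirect) can be looked for in web server access logs. The following is an added example, not code from Sophos or from the original article; it assumes combined log format and classifies requests by User-Agent only, and the log lines, addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format; addresses, paths and agents are invented.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /files/guide.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Jan/2024:10:02:13 +0000] "GET /files/guide.pdf HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
203.0.113.5 - - [01/Jan/2024:10:05:40 +0000] "GET /files/guide.pdf HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
192.0.2.10 - - [01/Jan/2024:10:06:02 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Jan/2024:10:07:30 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
192.0.2.10 - - [01/Jan/2024:10:08:00 +0000] "GET /old/moved.pdf HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [01/Jan/2024:10:09:10 +0000] "GET /old/moved.pdf HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
'''

# Captures request path, status code and User-Agent from one combined-format line.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Assumption: crawlers are recognised by these User-Agent tokens only.
CRAWLER_RE = re.compile(r'googlebot|bingbot', re.IGNORECASE)

def find_cloaked_pdfs(log_text):
    """Return PDF paths served with 200 to crawlers but only redirected for visitors."""
    seen = defaultdict(lambda: {"crawler": set(), "visitor": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        path, status, agent = m.group(1), int(m.group(2)), m.group(3)
        path = path.split("?", 1)[0]  # ignore query strings when grouping
        if not path.lower().endswith(".pdf"):
            continue
        who = "crawler" if CRAWLER_RE.search(agent) else "visitor"
        seen[path][who].add(status)
    flagged = []
    for path, s in sorted(seen.items()):
        # A PDF that moved redirects everyone; a cloaked one redirects visitors only.
        visitors_only_redirected = bool(s["visitor"]) and all(
            300 <= code < 400 for code in s["visitor"])
        if 200 in s["crawler"] and visitors_only_redirected:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for p in find_cloaked_pdfs(SAMPLE_LOG):
        print("possible cloaked PDF:", p)
```

A flagged path is a lead to investigate, not proof: a cloak keyed on client IP address or referrer instead of User-Agent would need those fields compared as well.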
Sophos shared an example of a search result with the spam:
The URLs blocked out contained these cloaked PDF documents. But when the user clicked to see the PDF, they would go to a web site, such as this one:
What Google saw was not the web site, but the PDF with the links. Here is a picture of what GoogleBot saw, since Google was being served the PDF while the user was being redirected to the web site above:
Sophos also documented the redirect chain the web user went through, showing how the spammers added on affiliate links to monetize the sale: