By David Balaban
Tue | Feb 7, 2023 | 11:30 AM PST

Scammers and malware authors know a good opportunity when they see one, especially if it's a vulnerability in a popular web service. Any area of the Google ecosystem fits the mold of such a juicy target. Its search algorithms and security mechanisms boast unmatched sophistication, but when a well-motivated adversary steps in, they aren't effective enough to stop all forms of exploitation in their tracks.

Although the tech giant's engineers are regularly uncovering and foiling black hat SEO stratagems, malicious actors lay the groundwork for smarter schemes that make the pendulum swing back in their favor. The cybercrime campaigns below demonstrate how crooks can get a leg up in this cat-and-mouse game.

Google Docs comments functionality mishandled for phishing

In early 2022, analysts at email security firm Avanan spread the word about a new unorthodox technique for delivering toxic links to numerous users. It takes advantage of the commenting feature in Google Docs, a truly indispensable collaboration service in present-day business environments. Criminals have come up with a ridiculously simple yet effective way to pump out phishing messages that fly under the radar.

Here is how it works: an attacker creates a new Google Doc, adds a comment with an unsafe hyperlink in it, and specifies a recipient using the "@" attribute. As a result, the target receives an email notification stating that someone has mentioned them in a comment. Since this message is sent by Google, email filters don't label it as suspicious and it reaches the intended person without issues.

Another pitfall is that the perpetrator's email address isn't displayed in the notification. The only thing revealed is the name, which can be set to an arbitrary value for more convincing impersonation. When an unsuspecting target clicks the embedded link, they are redirected to a credential phishing page that requests sensitive data under false pretenses.
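Because the notification itself is genuine Google mail, a mail-side check has to look past the sender and at where the comment's links actually point. The following added example (not from the article) parses a constructed Docs comment notification and reports any link whose host is outside a Google domain; the allowlist of hosts and the sample message are assumptions for the demonstration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts a genuine Docs comment notification is expected to link to.
# Assumption for this example, not a list published by Google.
GOOGLE_LINK_HOSTS = ("google.com", "docs.google.com", "accounts.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the mail really comes from Google, but the display name
# and the comment text (including the link) are chosen by whoever wrote the comment.
SAMPLE_NOTIFICATION = """\
From: "Payroll Team (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Payroll Team mentioned you in a comment
Content-Type: text/plain; charset="utf-8"

Payroll Team mentioned you in a comment on Q1 Bonus Schedule:
"@victim@example.com please confirm your details here: http://payroll-verify.example.net/login"
Open the document: https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit
"""


def _is_google_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in GOOGLE_LINK_HOSTS)


def external_links(raw_email: str) -> list[str]:
    """Return every URL in the text/plain body whose host is not a Google domain."""
    msg = message_from_string(raw_email)
    parts = msg.walk() if msg.is_multipart() else [msg]
    found = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            if not _is_google_host(urlparse(url).hostname or ""):
                found.append(url)
    return found


def is_suspicious_notification(raw_email: str) -> bool:
    """A comment notification that carries off-Google links deserves a closer look."""
    return bool(external_links(raw_email))
```

Flagging rather than blocking is the sensible default, since legitimate comments also link to external sites; the value of the check is that it ignores the attacker-controlled display name entirely.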

Adult links cloaked as government sites

In a campaign that hit the headlines in January 2023, threat actors capitalized on a web application security flaw called Open Redirect to drive traffic to X-rated resources. This vulnerability (also known as Unvalidated Redirects and Forwards) allowed them to poison Google search results with entries that looked like the official site for the U.K. Government Environment Agency but actually led to NSFW materials, including OnlyFans replicas.

Black hats used an Open Redirect gap on the Agency's web page to spawn multiple shadowy URLs in a format similar to this: hxxps:// hxxp:// The only string visible to regular users in search results was the * one, but instead of opening that trusted page, web browsers would resolve a "naughty" domain. It remains opaque how exactly these links passed the search engine's checks, but they ended up high enough in the rankings to reach large audiences.
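The flaw behind this campaign is a redirect endpoint that forwards the browser to whatever target it is handed. The added example below (not code from the Agency's site or the article) shows that pattern next to a validated version that honours only site-relative paths or URLs on the site's own host; the host name is a placeholder assumption.

```python
from urllib.parse import urlparse

# Placeholder for the host that serves the redirect endpoint (assumption).
SITE_HOST = "www.example.gov"


def redirect_target_unvalidated(requested: str) -> str:
    """The flawed pattern: the value of the redirect parameter is used as-is,
    so a search result showing the trusted host can land anywhere."""
    return requested


def redirect_target_validated(requested: str, fallback: str = "/") -> str:
    """Hardened pattern: only same-site absolute URLs or plain relative paths
    are honoured; everything else falls back to a safe local page."""
    # CR/LF would allow header injection; backslashes are parsed as path
    # separators by some browsers and can disguise an external host.
    if not requested or any(c in requested for c in "\r\n\\"):
        return fallback
    parsed = urlparse(requested)
    # Refuse non-web schemes such as javascript: or data:
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return fallback
    if parsed.netloc:
        # Compare the parsed host, so userinfo tricks (host@evil) and
        # look-alike subdomains (host.evil) do not pass.
        if (parsed.hostname or "").lower() != SITE_HOST:
            return fallback
        return requested
    # No host given: accept a single-slash relative path, reject "//host".
    if requested.startswith("/") and not requested.startswith("//"):
        return requested
    return fallback
```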

Turning Google Alerts into a vessel for harmful code

For those uninitiated, Google Alerts is a service that emails subscribed users about fresh content matching topics they have asked to be kept up to date on. In an ideal world, it brings quality articles to your fingertips based on previously specified criteria of what's relevant to you. Since last year, malware gangs have been busy polluting this territory with phony stories to spread dangerous apps.

To ensnare users, bad actors publish sketchy news with well thought out structures of tags and keywords that correspond to hot topics. When indexed, these materials end up in the Google Alerts mailing list and reach the inboxes of the target audience.

However, instead of opening the expected posts, these links lead to pages that push fake giveaways or a booby-trapped Flash Player update. The latter is strange because this Adobe product is no longer officially supported, yet a lot of users take the bait, only to get infected with an info-stealing Trojan or a coin miner.

Some of the resulting pages display a prompt that asks visitors to allow web push notifications; otherwise, the main content isn't accessible. By granting this permission, victims unwittingly give the green light to an influx of pop-up ads that appear outside the browser and include links disseminating rogue extensions or promoting tech support scams.

High-profile sites repurposed to promote digital crud

When it comes to easy ways of improving a website's organic search positions, dodgy link-building is no longer the silver bullet that it used to be. Google is increasingly capable of pinpointing such activity, and therefore criminals have to come up with other workarounds to riddle the top search results with stuff that doesn't belong there.

One notorious scheme like this piggybacked on vulnerabilities in popular CMS platforms, such as WordPress and Drupal, to hack websites used by big-name nonprofits, U.S. government entities, and colleges. In this campaign, riff-raff gained access to the official sites for Colorado, Minnesota, the National Institutes of Health, UNESCO, Arizona State University, and Maryland University, to name a few.

Then, the cybercriminals published tutorials that supposedly provided tools and techniques to take over someone's social network account—something along the lines of "how to hack a Facebook account in two minutes." Since these junk articles were posted on reputable resources, their search rankings got a boost. This successful, albeit illicit, SEO generated numerous page views.

Under the guise of account hacking tools, the malefactors were mostly distributing a spyware program known as Emotet. Some iterations of this fraud would redirect users to a phishing page that asked visitors to provide personal data to turn on the password cracking functionality.

Google Analytics abused to quietly dump stolen credit card info

It is common knowledge that e-commerce sites are in the crosshairs of hackers who try to intercept buyers' credit card details. This covert exploitation requires that crooks have backdoor access to a resource, and if stars align for them this way, they install and run malicious code in the back-end system that processes online payment transactions. However, exfiltration of the stolen data to servers under criminals' control is challenging because it is likely to raise red flags.

Card skimmers found a clever way around website security policies to hide their misdemeanor in plain sight. Instead of transferring information to external servers, they send it to their Google Analytics accounts that are unconditionally trusted by endpoint security tools. To do it, culprits inject tracking IDs into pages, much like webmasters configure the service to monitor site traffic. However, they also surreptitiously insert scripts that instruct the back-end to send out the pilfered information rather than SEO stats. This facilitates a frictionless leak of the illegally collected records.
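Since the injected code has to name a Google Analytics property the site owner does not control, one practical audit is to enumerate every tracking ID that appears in a served page and compare it against the IDs the site legitimately uses. The added example below (not from the article or from any skimmer) does that over a constructed page; the ID formats are the public UA-/G- patterns and the sample IDs are made up.

```python
import re

# Universal Analytics property IDs (UA-123456-1) and GA4 measurement IDs
# (G-XXXXXXXXXX). The regex also catches an ID passed as a tid= parameter
# in a hand-built Measurement Protocol URL, since the token is the same.
TRACKING_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Constructed sample page: the site's own gtag snippet in the head, plus an
# unexpected second property ID in a script appended near the checkout form.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-1"></script>
<script>gtag('config', 'UA-1234567-1');</script>
</head><body>
<form id="checkout"><input name="card"></form>
<script>
// constructed stand-in for an injected block; only the foreign ID matters here
var _tid = 'UA-7654321-9';
var _collect = 'https://www.google-analytics.com/collect?v=1&tid=' + _tid;
</script></body></html>"""


def find_tracking_ids(html: str) -> set[str]:
    """Every Google Analytics property/measurement ID mentioned in the markup."""
    return set(TRACKING_ID_RE.findall(html))


def foreign_tracking_ids(html: str, allowed: set[str]) -> set[str]:
    """IDs present in the page that are not on the owner's allowlist.
    A non-empty result means data from this page can flow to an
    Analytics account the site owner does not control."""
    return find_tracking_ids(html) - allowed


def audit(html: str, allowed: set[str]) -> str:
    """Short verdict suitable for a monitoring job or CI check."""
    foreign = foreign_tracking_ids(html, allowed)
    if not foreign:
        return "ok"
    return "foreign tracking IDs: " + ", ".join(sorted(foreign))
```

Run the same audit against the rendered DOM as well as the raw HTML, since injected loaders frequently add the foreign ID at runtime.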

Coronavirus fears at the core of black hat SEO tactics

As evil as it sounds, cybercrooks don't mind using the pandemic theme to orchestrate link-building subterfuge. Comment spam is a prime example of this abuse. In a massive campaign that broke out at the dawn of the healthcare crisis, perpetrators used bots to inundate popular medical forums with comments that contained links leading to fake online pharmacies.

This ruse provided a double advantage to its instigators. First off, it lured numerous users into following the embedded links that led to internet marketplaces pushing all sorts of forbidden substances or counterfeit drugs. Secondly, this tactic caused the SEO "weight" of the dodgy pharma webpages to accumulate, which took some of them to the top of Google's search results.

Google Maps quirks giving the security community a heads up

Some peculiarities of the Google Maps implementation can become pillars of cybercrime operations when mishandled by seasoned crooks. The consequences may range from misleading people to ruining successful businesses.

If you think this service uses immaculate algorithms, here is some food for thought. Three years ago, a German researcher managed to simulate road traffic congestion in several streets of Berlin. All it took was a casual amble with a handcart that had 99 used phones in it. Google Maps flagged this collection of mobile devices in the same place as an indicator of a traffic jam and showed relevant notifications.

A more elaborate way to make the geolocation platform go haywire is to pull a so-called ghost map trick. It allows a hacker to substitute a genuine map with a bogus counterpart by falsifying GPS signals through special equipment affixed to a victim's car. The set of necessary devices spans a single-board Raspberry Pi computer, a HackRF One transceiver, an antenna, and a battery. As soon as the kit begins emitting rogue coordinates, the attacker can remotely bind them with a fake map so that the target drives in the wrong direction.

Both of the above examples are proofs of concept. The scary thing is that the misuse of Google Maps can go well beyond research. A restaurant in Virginia found itself on the receiving end of real-life exploitation years ago. At some point, the number of people visiting the place took a sudden nosedive for seemingly no reason.

Several months later, its owner accidentally noticed that the restaurant's working hours on the Google Places business listing system (later rebranded as Google My Business) were wrong. The page misguided people into thinking that the eatery was closed on weekends.

The most likely reason for this inconsistency is that a competitor manipulated Google Places—which was a crowdsourced platform—to change the critical information or add a dummy profile and thereby prevent customers from visiting the restaurant. In the aftermath of someone's foul play, the owner had to close his business. He did try to seek justice by filing a lawsuit against Google over its weak anti-fraud practices, but this move didn't pan out.

Going forward

The dark side of SEO is constantly manifesting itself in the Google exploitation arena. This proves that even top-notch defenses backed by huge investments and human resources don't suffice to fend off abuse. The only good news is that the company quickly pulls the plug on new attacks as they slip through the cracks. Hopefully, its security philosophy will continue to shift toward proactive measures rather than focus on responding to bad guys' dirty tricks.