Search engine shenanigans: Malwarebytes mentions aren't what they seem

Search engine shenanigans: Malwarebytes mentions aren’t what they seem

Thing might be a touch quiet at the moment as we ease into 2018, but that doesn’t mean dubious antics and dodgy dealings aren’t still making waves online. As a matter of fact, should you go searching for some of our researchers, their blog posts, or just a couple of notable quotables from news sources, you may find yourself redirected to all manner of websites you’d really rather avoid.

Here’s how it usually works: Scammers take some keywords, or maybe a few stand out sentences, or even just bits of a blog. They then insert the text into the sourcecode of a website. From there, they either use that as the final destination, or use the word-stuffed HTML as a landing page which redirects to the end website. That site could be harmless, or spam, or something filled with attacks on your computer.

Search engine poisoning used to be quite a problem whenever a major news incident occurred, and you’d regularly find pages of malware, hijacks, and fake antivirus cluttering up genuine search entries.

Search engines worked on their algorithms, and these days it’s surprisingly tricky to wind up on a fake batch of bogus results related to a breaking news story. Should a scammer avoid breaking new and focus on more general search queries, however, they may be able to dodge detection and seed the results they need. Case in point:

That last one, for example, leads to a redirect landing page. Here’s the HTML snippet in question:

source code

Click to enlarge

That site bounces visitors off to what appears to be a page masquerading as a forum. It’s a weird forum, given that every link on page simply leads to more advert URLs and a variety of sign ups.

forum?

Click to enlarge

Note that what the program asks for will change depending on how you arrive on the page, and also note that they claim you need to offer up credit card details to prove you’re not a bot.

all change

Click to enlarge

Here’s one of the final destinations we came across from the “forum” link:

movies

Click to enlarge

Other final destinations we’ve seen from some of the URLs floating around in search results include lots of “pay for social media prowess” type efforts:

Likes

Click to enlarge

We’ve also seen a few pornography redirects where my own name is concerned. For example:

dating ad

Click to enlarge

There’s also spamblogs, partly in English, partly in Russian, which contain a mixture of ripped security articles and random porn photographs.

Elsewhere, we even have memes getting in on the action:

There’s nothing wrong with doing a bit of extra digging on content you may have enjoyed throughout the previous year, but please keep an eye on those URLs popping up in recent search results. If the sample text looks a bit like jibberish, or the website URL contains a .php or just looks a little random, you may wish to stick to either our own URL or that of a reputable news source you recognise. While we haven’t seen anything malicious in the sense of drive-by installs or other harmful activity, there’s a whole raft of rotating ad pages on offer here and no real way to know where you’re going to end up before clicking.

Here’s to a safe and secure 2018!

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.