Google Trends, SEO Create Hacker Perfect Storm

By: WebProNews Staff - February 28, 2009

It used to be one was at most risk of getting a computer virus via spam or frequenting bad Internet neighborhoods (places one probably shouldn’t be hanging out in the first place, picking up just any old download they come across). These days malware pushers have come out in the open where the masses collect, and places like Google, Facebook, and Twitter are starting to resemble the Time Square of old—with peril and vice all around.

Today’s aggressive and spooky abuse of trusted giants reveals just how sophisticated and manipulative these guys have become. By following Google Trends, and with some sharp SEO skills to take advantage of Google’s famed real-time indexing, Scammers are directly targeting Google’s search results, trusted by as many as 70 percent of Internet searchers.

McAfee researcher Craig Schmugar points to the recent Gmail outage as an example. When that happened, many were searching for the cause or solution to the problem, and Schumagar shows how a malicious link copying verbatim the top news source text as a snippet, shows up fourth in the search rankings, following highly recognizable and trusted sources like Google News,, and Mashable.

Gmail Down

A subsequent link query found the domain linked to several other trending topics: Quiznos (a free sub giveaway promotion), Sharon Stone at the Oscars, Extreme Makeover foreclosure, Nicky Hilton, IHOP all you can eat pancakes promotion. All of them obviously target what the average searcher may be seeking.

That same malicious link—which led to a scareware prompt only if arriving via a search engine (gibberish if you just enter it into a browser, thereby masking the intent some)—was also found directly on the Google Trends page for Ash Wednesday, which was yesterday.

“I do not recall any previous attacks abusing Google Trends this aggressively,” said Schmugar. “The malicious links are being distributed across numerous sites, targeting many high-profile search terms, and the poisoned links are regularly appearing high up on Google results pages.”

Because of this, Schmugar doubts there is a link between the “Error Check System” message many Facebook users received. Facebook has been criticized for allowing this because the company doesn’t verify or approve third party applications. Allowing the app allowed friends to be spammed with the same message, and searching the phrase led them to similar scareware index-related peril.

However, this new aggressive targeting of popular search trends, and Facebook’s odd spam messaging, occur simultaneously with other social/Google-related incidents. This week, Google Talk users were bamboozled by an invitation to click a shortened (read: masked) URL to a dangerous supposed video site. 

To reach email inboxes more frequently, spammers are masking links typically ousted by filters by using Google search links to the target site instead of the URL itself. Twitterers also fell prey to URL shortening “Rickrolls” to dangerous sites recently, submitted by people they follow. Why are they following scammer strangers? Because some use scripts to follow those who follow them automatically to build up their follow lists. In addition, Twitter doesn’t verify email addresses, making it easy for spammers to sign up.

Targeted trusted social networks and social applications may have two purposes. One is obviously to abuse the trust users themselves place in them. The other may have to do with SEO. Everybody and their brother might create content based upon explosive search trends, but their not reaching the top of the search results that quickly. Scammers are likely arriving there by taking advantage of trusted sites to gain “trusted” links, largely upon which Google bases its results.

InternetStormCenter’s Swa Frantzen illustrated how malware users dupe webmasters into giving over their trusted link juice. By posing, for example, as a webmaster from a university, scammers email a webmaster of a site linking to the university’s site and say that site will no longer be active in the coming week, thus breaking that webmaster’s outgoing link. The scammer tells the webmaster to link to another domain instead (maybe a similar dotcom instead of a dotedu), which is in fact an iframe imposter.

All of this is creating a perfect storm of trusted website abuse leaving millions upon millions vulnerable. All of the sites mentioned need to take aggressive steps against these actions. Google needs to make some adjustments to its crawlers, Facebook needs to start verifying and approving third party apps, Twitter needs to start requiring valid email addresses, and users should be wary of shortened URLs supplied by strangers.     


WebProNews Staff

About the Author

WebProNews StaffWebProNews | Breaking eBusiness News Your source for investigative ebusiness reporting and breaking news.

View all posts by WebProNews Staff
  • Eric M

    I wish I could say I am shocked by this news, but it seems to be business as usual for the web.

  • Paul R.

    Google will just identify and remove the scammers from their index and keep them off.

  • Andrew Jensen

    On a similar but different note, we just ran across a probable multi million dollar scheme (based on the value of one site’s illegitimate position in Google for highly trafficked terms) to hack into DNN dotnetnuke sites and secretly place hidden links back to a handful of sites.

    One such site (currently ranks #1 in Google for “download movies”) has many of these links coming into it from DNN sites worldwide. Just check the Google backlinks for that site as well as pop over to Yahoo Site Explorer, and you’ll catch a whiff of what’s going on. Hacking for SEO purposes is taking on a whole new dimension and most website owners will never have a clue. Thankfully, Google occasionally catches these hidden links and sends out a warning email to the site owner to remove them – but a webmaster can’t rely on this discovery alone to keep their site from bleeding linkjuice to spammers.

    Hackers are finding new life (or black hat SEO companies are) and this time, there is a fortune to be made at everyone else’s expense.

  • Testing

    And in most cases, the mouse is faster …

  • FaTe

    this is not exactly new news at all. However Google by now could implement common terms filter to catch new pages newly indexed and top ranked for bad source code when first indexing. This isn’t exactly rocket science at all and why something like this has not been implemented yet with all there resources is simply beyond me.

  • charlotte law seo

    Spamming is a short term fix and gain. If you are going to build a strong site then white hat seo is the only way to go.

  • texxs

    This is another reason why Google must be stopped. Their method of determining who gets the top spots sucks, always has sucked (except the first year before everyone caught on to how easy it is if you have money) and always will suck.

    Everyone is missing one of the most obvious paths these guys took to get top results; they bought links, they used their existing network of sites to create links.

    That’s how you get on the first page of google for competitive key phrases, that or just be in the good old boys club.

  • studentb

    Student brands has just launched in 2009, its not like facebook its not like student village, it runs as a non profit org, it here to help students brand themselves and there businesses, allowing students to do free advertising and more, the site is interactive by creating free student forums, top lists of all parties and events from around the country and even a restaurant of the week poll. come check it out

  • bowo

    weh, mantap tenan sharenya :)
    tkz bro