Researchers observe PDF files poisoning Google search results

A Sophos senior security adviser said a trick is used so that the PDF files shown to Google are not the web pages seen by users.
A Sophos senior security adviser said a trick is used so that the PDF files shown to Google are not the web pages seen by users.

Although Google takes steps to prevent black hat search engine optimization (SEO) tactics, researchers with Sophos have observed an effective technique involving PDF files that could be used to promote potentially malicious websites.

The technique begins with several PDF files being generated and filled with searchable keywords, which can be done easily using a number of free open source or inexpensive commercial tools, Paul Ducklin, senior security adviser at Sophos, told SCMagazine.com in a Wednesday email correspondence.

The PDF files are then added to a variety of websites, which are likely legitimate sites that have been compromised, Ducklin said.

“To gain the high rank that would put them at the top of a search page, the PDFs contain links to legitimate looking documents on other (most likely compromised) websites,” Ducklin said. “This produces a “back link wheel” which contains enough keywords and legitimate looking links to drive an artificially high search result.”

If executed successfully, users will see the PDF files at the top of Google's results when performing a search of related keywords. A trick is also used, Ducklin said, so that the PDF files shown to Google are not the web pages seen by users.

“Instead, the unsuspecting users who click on the link to the fake PDF are redirected to a different website, which could be used for a variety of purposes – including distributing malware,” Ducklin said, adding users could also be sent to phishing sites that request personal information.

Sophos published their findings in a Tuesday blog post, which detailed how they observed the technique being used to promote a website related to binary option investments, and noted that additional information was provided to Google.

“Google can address this particular trick by getting more aggressive about, and less trusting of, PDF content,” Ducklin said, adding that users should always be mindful of what they see in search results and should report suspicious links.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS