Malicious PDFs Poison Google Search Results

A new SophosLabs report claims that malware-infected PDFs are influencing Google's search results.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Google search results

Getting a top ranking in Google's search engine is supposed to be an organic task, with the best content ranking highest, but according to a new research report from security vendor Sophos, attackers are using cloaked PDF files to influence Google's search results. The cloaked files may include malware and links to malicious sites.

Maxim Weinstein, security adviser at Sophos, explained that SophosLabs researcher Jason Zhang first noticed the cloaked PDF files at the beginning of June. The PDF files are full of different words that are intended to help influence search engine ranking. Weinstein noted that some are related to foreign exchange and investment terms and lead to a binary trading broker.

"It's hard to know which exact keywords they are targeting, but the 'binary stock trading' topic stands out," Weinstein said.

Sophos' research indicates that the company has seen "hundreds of thousands" of unique PDFs that triggered a malware detection rule. Weinstein said that he didn't have a specific number he could share, but he emphasized that the hundreds of thousands of detections are happening per day.

"That doesn't necessarily map one to one with high-ranked poisoned search results, but it does imply that the actors behind the campaign managed to get that many PDFs into circulation, via either malicious or compromised Websites," he said.

The cloaked PDFs aren't all necessarily loaded with malware either. Weinstein explained that the issue is not so much about malware in the PDFs as it is about malicious URLs that are included in the PDFs. That is, there is something about the URLs included in the cloaked PDFs that gives Sophos some reason to believe they have been, or will be, associated with malicious activity.

"The poisoning technique works by cross-linking the PDFs via embedding links to other URLs," Weinstein said.

In the binary trading search engine poisoning example, Weinstein said that Sophos didn't actually see any malware. That said, he added that Sophos has seen search poisoning used routinely in other instances to redirect users to malware, rather than to get-rich-quick schemes.

Sophos contacted Google prior to the disclosure to inform the company of the cloaked PDF risk. Weinstein said Sophos has a good working relationship with Google and felt it was important to reach out to the company before publicly discussing the issue.

Google did not respond to a request for comment from eWEEK by press time.

"I don't feel comfortable commenting on what Google should do, but I would expect Google will take this into account and make whatever changes it deems necessary to reduce the effectiveness of this type of poisoning," Weinstein said. "This would be consistent, for example, with Google's past behavior to limit the effectiveness of HTML-based poisoning."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.