Malicious PDFs Poison Google Search Results | eWeek

Malicious PDFs Poison Google Search Results

Google search results
Jul 8, 2015
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Getting a top ranking in Google’s search engine is supposed to be an organic task, with the best content ranking highest, but according to a new research report from security vendor Sophos, attackers are using cloaked PDF files to influence Google’s search results. The cloaked files may include malware and links to malicious sites.

Maxim Weinstein, security adviser at Sophos, explained that SophosLabs researcher Jason Zhang first noticed the cloaked PDF files at the beginning of June. The PDF files are full of different words that are intended to help influence search engine ranking. Weinstein noted that some are related to foreign exchange and investment terms and lead to a binary trading broker.

“It’s hard to know which exact keywords they are targeting, but the ‘binary stock trading’ topic stands out,” Weinstein said.

Sophos’ research indicates that the company has seen “hundreds of thousands” of unique PDFs that triggered a malware detection rule. Weinstein said that he didn’t have a specific number he could share, but he emphasized that the hundreds of thousands of detections are happening per day.

“That doesn’t necessarily map one to one with high-ranked poisoned search results, but it does imply that the actors behind the campaign managed to get that many PDFs into circulation, via either malicious or compromised Websites,” he said.

The cloaked PDFs aren’t all necessarily loaded with malware either. Weinstein explained that the issue is not so much about malware in the PDFs as it is about malicious URLs that are included in the PDFs. That is, there is something about the URLs included in the cloaked PDFs that gives Sophos some reason to believe they have been, or will be, associated with malicious activity.

“The poisoning technique works by cross-linking the PDFs via embedding links to other URLs,” Weinstein said.

In the binary trading search engine poisoning example, Weinstein said that Sophos didn’t actually see any malware. That said, he added that Sophos has seen search poisoning used routinely in other instances to redirect users to malware, rather than to get-rich-quick schemes.

Sophos contacted Google prior to the disclosure to inform the company of the cloaked PDF risk. Weinstein said Sophos has a good working relationship with Google and felt it was important to reach out to the company before publicly discussing the issue.

Google did not respond to a request for comment from eWEEK by press time.

“I don’t feel comfortable commenting on what Google should do, but I would expect Google will take this into account and make whatever changes it deems necessary to reduce the effectiveness of this type of poisoning,” Weinstein said. “This would be consistent, for example, with Google’s past behavior to limit the effectiveness of HTML-based poisoning.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.