Google's featured snippets abused by SEO scammers

Google’s featured snippets abused by SEO scammers

Many people wonder why websites, even very small ones such as personal blogs, ever get hacked. While there are many possible reasons why websites get hacked, it usually comes down to monetary gain.

Case in point, online crooks are abusing Google’s featured snippets via compromised websites that redirect to bogus online stores. A featured snippet is triggered when a user types in a question via a standard search. Google will display a block with a summary of the answer and a link to the site, on top of the regular search results.

Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing. In this particular case, a hacked Hungarian sports site (which has nothing to do with software or license keys) is used to game Google’s algorithm which programmatically determines that a page contains a likely answer to the user’s question.

People who click on the link will be redirected to cheapmicrosoftkey[.]com a site that offers various license keys for Microsoft products at ‘discounted’ prices. Buying from such dubious online shops is never a good idea as you might actually purchase stolen merchandise, or worse, get completely scammed.

Overview:

flow_snippet

Ransomware

In an added twisted, if you visited the Hungarian website directly, you would be redirected to the Neutrino exploit kit and get infected with the CrypMIC ransomware. This is a good example of the multiple ways criminals can monetize a hacked site. It is quite likely in this case that the site was hacked several different times in unrelated automated attacks, perhaps even via the same vulnerability.

Fiddler

While an individual compromised website may not generate a lot of traffic on its own, it’s simply a numbers game for criminals who can control tens of thousands of them and update their payload on demand.

If you are a website owner, remember that it is your responsibility to keep your software patched and secure, as you can unwillingly participate in online scams and attacks. Failure to fix your infected website can lead to getting blacklisted by popular search engines and browsers, a situation that can be painful to recover from.

As an end user, beware of online deals that sound too good to be true. This example is particularly tricky as people would be inclined to trust their search engine for showing them the answer to their question.

We have reported this particular abuse to the Google team.

Indicators of Compromise

Fraudulent domains:

frevvy[.]com keyonsale[.]com ecbrecords[.]com ftp[.]neumediainc[.]com buykeyonline[.]com onlinekeyshop[.]com windows7-8key[.]com genuinekeyshop[.]com office2016keys[.]com windowskeysale[.]com buymicrosoftkey[.]com windows10keysale[.]com windowskeyonsale[.]com cheapmicrosoftkey[.]com office2013keysale[.]com officialkeyonline[.]com windows7keyonsale[.]com officialwindowskey[.]com buywindows10keysale[.]com windows10keysonline[.]com

IP: 185.139.238.210

Email registrant: bodfeo@163.com

CrypMIC: 0fec757b65dea409b368e02a72d16695e0a071347712fb29dfda12e0561d8247

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher