Google Spamdexing Attack
Found an interesting Google results injection against sites running Solr search. Attackers created links, on source pages that have not been identified, that pass search parameters to the target websites. Google crawled those source pages, followed the links, and accepted the reflected search terms as content. It's not all that sophisticated, but remember: in this game it's results that matter.
Many more are on my Twitter, from notifying the organizations about this clever little hack against Google's results.
911: Google Webmaster Removal Tool
In an example URL from Berkeley.edu, notice how they're passing a parameter to ?s= that the site echoes into the markup of the search results page. Somehow they've linked this from Attacker Page 1, which Google then crawled. The effect is a reflected injection on the destination page (the same mechanism that produces reflected XSS when the value is not HTML-escaped), with the crawler picking the search term up as content.
The result is that Google picks up the keywords from those pages in its results, effectively promoting them:
Definitely don’t try this at home! ‘Snorting Viagra‘ hosted on Umassmed.edu.
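To make the mechanism concrete, here is an added example (not code from the original post, and not Solr's or any CMS's own code) of a search results page rendered the weak way beside a hardened version, plus the check to run against your own site's response. The ?s= parameter name, the markup, and the 64-character cap are assumptions modelled on the WordPress-style URLs shown above. Note that escaping alone only fixes the XSS half: an escaped "Search Results for Viagra" still gets indexed, so the spamdexing half needs noindex on the results page.

```python
"""Reflected search term: the weak rendering beside the hardened one.

Added example, not code from the original post, Solr or any CMS.
The search endpoint, parameter name (?s=) and markup are assumptions
modelled on the WordPress-style URLs the post shows.
"""
import html
from urllib.parse import parse_qs, urlsplit

MAX_QUERY_LEN = 64  # assumption: cap how much attacker text gets reflected

# robots.txt fragment (assumption). Disallow alone is NOT enough: a
# disallowed URL that is linked from the attacker's pages can still be
# indexed without being fetched, and the noindex is then never seen.
ROBOTS_TXT = "User-agent: *\nDisallow: /?s=\nDisallow: /search/\n"


def query_from_url(url: str) -> str:
    """Pull the s= parameter out of a request URL (first value only)."""
    return parse_qs(urlsplit(url).query).get("s", [""])[0]


def render_weak(url: str) -> tuple[dict, str]:
    """Vulnerable pattern: the raw query is replayed into the page and the
    page is indexable, so any link to ?s=<spam> becomes 'content' to a
    crawler, and any markup in the query lands in the DOM unescaped."""
    q = query_from_url(url)
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = (
        "<html><head><title>Search Results for " + q + "</title></head>"
        "<body><h1>Search Results for " + q + "</h1>"
        "<p>No results found.</p></body></html>"
    )
    return headers, body


def render_hardened(url: str) -> tuple[dict, str]:
    """Hardened pattern. html.escape stops markup from being reflected
    (the XSS half); noindex/nofollow plus a canonical URL stop the
    reflected keywords from being indexed under your domain (the
    spamdexing half). The query is also kept out of <title>."""
    q = query_from_url(url)[:MAX_QUERY_LEN]
    safe_q = html.escape(q, quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Robots-Tag": "noindex, nofollow",
    }
    body = (
        "<html><head><title>Search</title>"
        '<meta name="robots" content="noindex, nofollow">'
        '<link rel="canonical" href="/search/">'
        "</head><body><h1>Search</h1>"
        "<p>Results for <q>" + safe_q + "</q></p>"
        "<p>No results found.</p></body></html>"
    )
    return headers, body


def audit_response(headers: dict, body: str, query: str) -> dict:
    """Checks to run against a live response from your own search page,
    using a probe query that contains markup (e.g. <b>probe</b>)."""
    lowered = body.lower()
    header_noindex = "noindex" in headers.get("X-Robots-Tag", "").lower()
    meta_noindex = 'name="robots"' in lowered and "noindex" in lowered
    return {
        # markup in the query survived into the page unchanged
        "markup_reflected": html.escape(query, quote=True) != query and query in body,
        "noindex": header_noindex or meta_noindex,
    }


if __name__ == "__main__":
    # constructed spam URL, shaped like the ones in the post
    probe = "https://example.edu/?s=Order+without+prescription+%3Cb%3EViagra%3C%2Fb%3E"
    for name, render in (("weak", render_weak), ("hardened", render_hardened)):
        h, b = render(probe)
        print(name, audit_response(h, b, query_from_url(probe)))
```

If audit_response reports markup_reflected for your own site, the search page is a reflected XSS sink as well as a spamdexing target; if it reports noindex as False, every spam link pointing at ?s= can still become an indexed result, even with perfect escaping.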
Check out all of the other organizations affected by the search hack:
https://www.google.com/search?q=%22Search+Results+for+%22+Viagra%22 (Pages 1-7)
https://www.google.com/search?q=%22Order+without+prescription%22 (“Order without Prescription“)
You can take any of the domains found in the broad results and cross-check with a more specific search, for example, site:berkeley.edu “viagra”
Here's a gallery of different University sites showing thousands of results with the pill advertisements:
Pages that show whatever you put into ?s= (Solr search). If the search parameter is replayed into the page, it creates the appearance of content. The attackers must have linked these from other locations to get them into Google:
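The source pages carrying the links are unknown, but your own access logs usually reveal both the spam queries and some of the referring hosts. This is an added example (not from the original post) that parses constructed Combined Log Format lines, flags ?s= requests whose query contains pharma terms, counts the referring hosts, and counts hits from a Googlebot user agent. The spam word list and the log lines are assumptions; the Googlebot hit proves nothing until the user agent is verified by reverse DNS.

```python
"""Find search-endpoint hits carrying spam terms in web access logs.

Added example, not from the original post. The log lines are constructed
(Combined Log Format, RFC 5737 test addresses); the spam term list is an
assumption drawn from the phrases the post quotes.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SPAM_TERMS = ("viagra", "cialis", "without prescription")  # assumption

# constructed sample traffic, not real log data
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:10:01:02 +0000] "GET /?s=Order+without+prescription+Viagra HTTP/1.1" 200 5120 "http://spam-source.example/page1.html" "Mozilla/5.0"
66.249.66.1 - - [10/Jan/2021:10:02:10 +0000] "GET /?s=Snorting+Viagra HTTP/1.1" 200 5118 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Jan/2021:10:03:44 +0000] "GET /?s=course+catalog HTTP/1.1" 200 6012 "https://example.edu/" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2021:10:04:01 +0000] "GET /?s=cheap+cialis+online HTTP/1.1" 200 5117 "http://spam-source.example/page2.html" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return a dict for one log line, with the decoded s= query added,
    or None if the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = parse_qs(urlsplit(rec["path"]).query).get("s", [""])[0]
    return rec


def is_spam_query(query: str) -> bool:
    """Substring match against the (assumed) spam term list."""
    lowered = query.lower()
    return any(term in lowered for term in SPAM_TERMS)


def analyse(log_text: str) -> dict:
    """Summarise spam search hits: count, referring hosts, crawler hits."""
    queries = []
    referer_hosts = Counter()
    crawler_hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["query"] or not is_spam_query(rec["query"]):
            continue
        queries.append(rec["query"])
        if rec["referer"] != "-":
            # referers come from real visitors; crawlers usually send none
            referer_hosts[urlsplit(rec["referer"]).netloc] += 1
        if "googlebot" in rec["ua"].lower():
            crawler_hits += 1  # self-declared UA only; verify via reverse DNS
    return {
        "spam_hits": len(queries),
        "queries": queries,
        "referer_hosts": dict(referer_hosts),
        "crawler_hits": crawler_hits,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The referer_hosts output is the nearest thing to the "unknown place" the links came from; a crawler hit on a spam query is the signal that the reflected page is already on its way into the index and worth a removal request.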
In a similar scam, where the attackers actually inject a real page into the site, these organizations were impacted, among them the University of Massachusetts Medical Center, Hastings Library, and the City of Dry Ridge, where the pages have been injected since at least December 2020:
The destinations of the advertised links include sites like 'WebMD(dot)shop,' which is brazen:
All of these domains above are landing pages that eventually lead to anonymrxonline[.]com
Phone: 888-524-7141 [ANI: VIGAR]
This phone number has over 5k Google results and shows signs of having been used for pill dealing for 6+ years. It was formerly advertised by
Skype Gina24Rx [BDay: 9/16]
Location: Costa Rica.
It uses another phrase, 'MyPharmaCash', from this affiliate program: https://www.facebook.com/MyPharmaCash and Twitter https://twitter.com/24rxshop; activity ceased in early to mid-May of 2015.
Skype resets are email@example.com and firstname.lastname@example.org or phone number (***) ***-**61
The registrant of mypharmacash.com, before it went private in 2016, was Mariano Bolanos in San Jose, Costa Rica. This is the same location as 'Gina24Rx', this time using the email [email protected].
The owner, Mariano Bolanos, has numerous domains for pill-related items. His activity has died down since 2016. Many of the domains are still active, though I have not investigated all of them.
Domain Cnaacr.com belongs to the National Chamber of Agriculture and Agroindustry in Costa Rica. Its footer is signed 'Web development by Bernetz' (WayBack).
Domain Bernetz.com belongs to the company Bernetz IT Services, which is also registered to Marcos Bolanos:
Still putting some pieces together on this one…
Organizations I've notified today about being listed on Google under these kinds of reflected (XSS-style) and direct injection attacks:
American Association of State Highway
Arizona Department of Health Services
Berkeley Materials Science & Engineering
Bainbridge Island Museum of Art
California Digital Library
Children’s Community Day School
City of Dry Ridge, Kentucky
City of Tullahoma, Tennessee
Dickerson Park Zoo
Eastern New Mexico University
Ewing Marion Kauffman Foundation
Gulf of Mexico Fishery Management Council
Hudson River Museum
Monroe County History Center
Museum of Durham History
Miami Music Project
Palm Harbor Fire Rescue
Pathways 2 Life
Philly Expo Center
Schoharie County NY
Iowa State University
Irish American Heritage Center
Illinois State University
The City University of New York
The Port of Philadelphia
University of Southern California
University of California San Diego
University of Minnesota
University of Mary Washington
Unmanned Systems Labs @ Texas A&M
Virginia Commonwealth University
Washington International Trade Association
Wisconsin Small Business Development Center
We Fest – Country Music Festival
Working Men’s Institute (Indiana)
Impacted Orgs: Google Webmaster Removal Tool