News Feature | July 21, 2015

Sophos Has Revealed PDF Cloaking Threat


By Christine Kern, contributing writer


Security firm Sophos announced that it has discovered a potentially dangerous new search poisoning method, PDF cloaking, which bypasses the algorithm protections in the Google search engine and could expose search users to a number of security threats.

Cloaking, in general, is a technique in which the content presented to the search engine spider is different from what is presented in the user’s browser. Google has protections in place to safeguard users against these types of threats, but Sophos says that at least one hacking group has found a way to circumvent the security measures.

“A cloaked page would serve the Googlebot with content that is stuffed with keywords to suggest that your site is relevant to specific search terms,” Sophos researcher Dmitry Samosseiko explained in his Sophos blog post. “This technique has been used often in the past in malware attacks; for example, users searching for ‘Justin Bieber’ and then following a link in search results could lead to a malicious website rather than the site presented in the link.”

“When doing a Google search for keywords found inside those PDFs we found a large amount of similar documents on a number of legitimate, but unrelated and likely compromised, websites,” Samosseiko wrote. “In addition to the heavy use of specific keywords, the PDFs include links to documents planted on other websites, forming a so-called ‘back link wheel.’”

“It seems that Google implicitly trusts PDFs more than HTML, in the same way that it trusts links on .edu and .gov sites more than those on commercial web pages,” he said.

Although Sophos says that the new approach could ultimately be used to spread malware and serve other malicious functions, to date the researchers have found it only in a marketing campaign promoting so-called “binary-trading” broker services.

Samosseiko said, “We trust that the necessary measures are being taken to counter these search result poisoning attempts.”
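Because cloaking means the crawler and the visitor receive different content for the same URL, a site owner can compare the two views of a page on their own site. The following is an added example, not code from Sophos or from the article; the response dictionaries, the sample captures and the 0.5 similarity threshold are constructed assumptions, and it assumes the owner has already captured both responses and extracted their text.

```python
import re

def _tokens(body):
    """Lower-cased word set of the text, with HTML tags stripped crudely."""
    text = re.sub(r"<[^>]+>", " ", body)
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))

def _media_type(content_type):
    """Content-Type without parameters such as charset."""
    return content_type.split(";")[0].strip().lower()

def cloaking_signals(crawler, browser, min_similarity=0.5):
    """List the ways two captured responses for one URL disagree.

    Each capture is a dict with 'status', 'content_type', 'location'
    and 'body' (text already extracted, e.g. from a PDF).
    """
    signals = []
    if crawler["status"] != browser["status"]:
        signals.append("status differs")
    if _media_type(crawler["content_type"]) != _media_type(browser["content_type"]):
        signals.append("content type differs")
    if crawler.get("location") != browser.get("location"):
        signals.append("redirect target differs")
    a, b = _tokens(crawler["body"]), _tokens(browser["body"])
    union = a | b
    similarity = len(a & b) / len(union) if union else 1.0  # Jaccard index
    if similarity < min_similarity:
        signals.append("text similarity %.2f below %.2f" % (similarity, min_similarity))
    return signals

# Constructed captures of one URL: what a crawler-like request received ...
CRAWLER_VIEW = {"status": 200, "content_type": "application/pdf", "location": None,
                "body": "binary trading broker review best binary trading signals"}
# ... and what a browser-like request received (a redirect with no body).
BROWSER_VIEW = {"status": 302, "content_type": "text/html; charset=utf-8",
                "location": "https://landing.example/offer", "body": ""}
# Constructed captures of an uncloaked page: same content, charset differs only.
CLEAN_CRAWLER = {"status": 200, "content_type": "text/html", "location": None,
                 "body": "<h1>Opening hours</h1><p>Monday to Friday</p>"}
CLEAN_BROWSER = dict(CLEAN_CRAWLER, content_type="text/html; charset=utf-8")

if __name__ == "__main__":
    print(cloaking_signals(CRAWLER_VIEW, BROWSER_VIEW))
    print(cloaking_signals(CLEAN_CRAWLER, CLEAN_BROWSER))
```

Any non-empty result is a prompt to inspect the URL by hand; dynamic pages can legitimately differ between requests, so the threshold needs tuning per site.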