Google Instant: Is it a pawn for Blackhat SEO?

Learn how Blackhat SEO is used to improve the search ranking of malicious web pages and why search engines are accepting them.

This article was supposed to be solely about Blackhat SEO and its implications. During my research, I came across a new exploit, and experts are saying it's Blackhat SEO on steroids. So, plan B.

Before I get to the details, I want to show you what diverted me. I started typing antivirus into Google's web page. As you can see below, I only got to anti and search suggestions started popping up.

Okay, that's cool. I remember reading that Google rolled out a new technology called Instant. It attempts to predict what search terms I want and provides suggested links in a drop-down box. After the initial "wow factor" wore off, I realized the first suggestion Google offered was antivir solution pro.

In the world of IT security, that's a problem. Antivir Solution Pro is a rogue anti-spyware application laced with malware. Once installed, it hijacks the computer and inundates users with fake security pop-ups. The ultimate scam comes into play when users are asked to buy a license that does absolutely nothing. I can't believe Google allowed that.

Well, I overreacted somewhat. The links associated with Antivir Solution Pro ended up being not what I thought. Google returned pages on how to remove the malware. That's a relief.

The real issue

My next question was: Are the links for real? Antivir Solution Pro is all about spoofing users. It turns out that's a good question. Apparently, there is a new and troublesome exploit that we need to be aware of. It has to do with SEO. That acronym may not mean the same to everyone, so let's define it to avoid confusion.


Search Engine Optimization (SEO) is a process used to improve the ranking of a web site in search engines like Google. It is not to be confused with Search Engine Marketing (SEM), where web-site owners pay to increase their site's visibility in search-engine results. SEO uses unpaid or organic methods to increase a web site's ranking. It's a fascinating subject, with many papers written on how to achieve SEO.

I'm not the only one. Cybercriminals are also interested in SEO, but for a very different reason. In fact, what they are doing has gained enough notoriety to have its own special name.

Blackhat SEO

Originally, Blackhat SEO was the process of optimizing search engine results, but in an unethical manner. Some of the methods used are:

  • Keyword stuffing: The idea is to have a list of keywords on the web site and not much else. It will elevate the domain name's ranking for a while.
  • Invisible text: A sneaky trick of having a large number of keywords in white text on a web page with a white background. We can't see it, but it will attract web crawlers.
  • Doorway Pages: A fake page that visitors never see. It also is full of keywords and meant to fake search-engine spiders into elevating the site's ranking.

Blackhat SEO becomes nasty

Today, Blackhat SEO has grown to include techniques for elevating not just any link, but ones pointing to malicious web sites. Julien Sobrier, a security researcher at Zscaler, has determined over 50 percent of individual search results contain at least one malicious link in the first 10 pages. In some cases where the search is about a popular topic, 90 percent of the first 100 links were pointing towards malicious sites.

In this video, Mr. Sobrier goes over his findings. He explains that before attackers start using SEO, they use search engine results to determine popular trends. Then they leverage SEO methods to further elevate malicious web sites based on one of the popular trends. Let's take a look at the process.

Popular trends

The bad guys use trending to determine what is popular at any given time. Google Hot Trends is one web site that they use:

The next step is to build a malicious web site that employs search terms, dates, and actual sentences found in the link information for one of the popular sites. If done properly, search engines will quickly start pointing at the newly-built malicious web site and give it a fairly decent ranking.

Another possibility is to find some vulnerability, hijack a legitimate web site that is popular, and add their malcode. Mr. Sobrier mentions that using robots.txt, image folders, or .files makes it difficult for the responsible web master to see what's happening.
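For the web master of a site that may have been hijacked this way, the three hiding places Mr. Sobrier lists can be checked directly. The script below is an added example, not code from the article or from Mr. Sobrier's research. The image-folder names, the dot-file allow-list, the known-good robots.txt hash, and the sample web root are all assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".webp"}
IMAGE_DIRS = {"images", "img"}     # assumed names of image folders
ALLOWED_DOT = {".well-known"}      # assumed allow-list of expected dot entries

def audit_webroot(root, robots_sha256=None):
    """Return sorted (finding, relative path) pairs for the three hiding places."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        # 1. Dot files and dot folders, which most file listings hide.
        for name in dirnames + filenames:
            if name.startswith(".") and name not in ALLOWED_DOT:
                findings.append(("dotfile", (rel / name).as_posix()))
        # 2. Anything inside an image folder that is not an image.
        if IMAGE_DIRS & {part.lower() for part in rel.parts}:
            for name in filenames:
                if name.startswith("."):
                    continue  # already reported as a dot file
                if Path(name).suffix.lower() not in IMAGE_EXTS:
                    findings.append(("non-image-in-image-dir", (rel / name).as_posix()))
    # 3. robots.txt that no longer matches the known-good copy.
    robots = root / "robots.txt"
    if robots_sha256 and robots.is_file():
        if hashlib.sha256(robots.read_bytes()).hexdigest() != robots_sha256:
            findings.append(("robots-changed", "robots.txt"))
    return sorted(findings)

def demo():
    """Build a constructed sample web root and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG")
        (root / "images" / "news.php").write_bytes(b"placeholder, not an image")
        (root / ".cache").mkdir()
        (root / ".cache" / "page.html").write_bytes(b"placeholder")
        (root / "robots.txt").write_bytes(b"User-agent: *\nDisallow: /images/\n")
        # Hash of the robots.txt the web master originally deployed (constructed).
        baseline = hashlib.sha256(b"User-agent: *\nDisallow:\n").hexdigest()
        return audit_webroot(root, baseline)

if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:24} {path}")
```

Run against a real document root, the function takes the root path and the SHA-256 of the last reviewed robots.txt; every finding is a prompt for manual review rather than proof of compromise.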

The first hint that something's wrong is the malicious site rarely looks as expected. Instead, it tells the victim there is a problem. The computer is infected with malware, the video codec is wrong, or some application needs to be updated. As you can guess, following the advice will install the attacker's malware.

Elevate ranking

Not satisfied with initial rankings, cybercriminals use a unique method to improve site rankings. The corrupt web site is set up to glean information from the request traffic's referrer. The attackers want to learn where the request came from -- Google, Bing, or Yahoo for example. Knowing this allows the attackers to index the query at the appropriate search engine, elevating the web page's ranking.

Blackhat SEO plus Google Instant

Now that we have an idea as to how Blackhat SEO and Google Instant work, I'd like to tie everything together. Let's see if this is the perfect storm some are predicting.

Trying to spot links that point to malicious web sites is difficult to say the least and has been a thorn in Google's side for quite some time. Actually, all the major players in the search field are working on this, but nobody has a real solution. So that's problem one.

Remember I mentioned that attackers rely on what is popular at any given moment. Google Hot Trends appears to get updated daily, but Google Instant is real time. So the bad guys know right away which search terms are the optimal ones to use. Between these two, I don't see how it can get any better for cybercriminals. There are some things we can do though.

Partial solutions

It doesn't seem like much help, but Google Instant can be turned off.

That way, users will not mistakenly select something other than what they expected. Remember my search where I stopped at anti. Here are the results if I type in antivirus completely:

Next, the major web browsers have black-list applications that should be of some help. Internet Explorer uses SmartScreen Filter, while Firefox and Chrome use Google Safe Browsing. Still, we need to remember that black lists are reactive and will not flag new malicious domain names until they are reported.

Final thoughts

Being able to detect bogus links that send us to malicious web sites is a problem that does not have a real solution. It seems once again, making users aware of Blackhat SEO and how it could benefit from Google Instant is the best that we can do.

Have you run across Blackhat SEO in your surfing?