Imagine Google’s search engine being exploited for sending spam URLs. Unbelievable? Believe it!
Google is the one of the most widely used search engines on the Webtoday. To make life easier, it supports a few advanced query wordswhich narrow the scope of a search to a great extent. It appears thatspammers have found a way to exploit this facility to direct the enduser to a URL advertising their products or services, using Google’sadvanced search operators.
Recently, we came across few offer spam mails which had the following URL in it:
http://www.google.com/search?hl=en&q=inurl:replica%20intext:%22Perfect+cheap+replica+watches+online.%22&btnI=
A first glance, it appeared to be a “Google search results” link andwe were expecting it to take us to the search results page. However,when clicked, it automatically redirected to a site selling replicas ofexpensive watches, pens, and jewelry.
We were surprised. The first question that came to mind was how didthe spammer manage to point Google’s search URL to point to his/herdomain? Upon close inspection, we found out how the spammer was notonly able to make the search query specific to the his/her Web site,but also managed to simulate a click on the link to that site. Here isa sample image of a product promo spam email:
Feeling lucky?
Here’s what the spammer did to pull off this little magic trick:
1. The spammer devised a query string which yielded only his or her URL as result of an advanced Google search.
2. The spammer then simulated the click of the "I'm Feeling Lucky"button (notice the '&btnl=' at the end of the above URL) that willtake you to the URL of the first result that comes up for the enteredsearch query.
3. Lastly, the spammer packed this URL into a regular email and sent it out to evade spam filters.
The spammer certainly made sure he or she got lucky each time usingGoogle’s advanced search operators, “inurl” and “intext.” The “inurl”search operator restricts the results to documents containing that wordin the URL (the word “replica” in this case), while the “intext”operator returns documents that contain that word in their text body.The spammer just put the title text of his or her domain’s index pageas the argument to the “intext” operator. The combination of the twooperators pinpointed the spammer’s domain on Google search.
With a little reverse engineering on this URL we were able to extract the query string:
inurl:replica intext:"Perfect+cheap+replica+watches+online."
This gave only the spammer’s domain as the result:
As usual, spammers keep changing their techniques to defeat thefilters, but on the other hand, we develop new techniques andtechnology to counter them.