
Zscaler Blog


Security Research

How Google Is (NOT) Tackling the Blackhat SEO Issue

April 05, 2010 - 3 min read

Google is widely used by attackers to trick users into going to malicious sites. The attackers hack legitimate sites that rank high on popular searches. The hacked pages display good content to the Google crawlers but when users surf to the hacked pages, they receive malicious content, which redirects them to other harmful domains.

While some Google searches contain numerous malicious results, even on the first page, Google seems to be attempting to address this issue. While analyzing the results for “google april fool”, I found several malicious results. I’ve investigated two - the 11th and 15th search results. The first link is to hxxp://, while the second one is hxxp:// Both links redirect to, a domain that displays fake antivirus pages to trick users into downloading and installing malware disguised as antivirus software.


A known bad site to Google



Google maintains a public list of malicious sites, known as Google SafeBrowsing. You can look at the status of any domain by going to<domain>. Within a few seconds of spotting these 2 malicious links, was not showing up anymore in the top 100 results. The Google diagnostic page flagged the domain as having been involved in distributing malware.


Google Diagnostic for


Note that Google says “this site is not listed as malicious”, but that it is used to distribute malware. Indeed, does not host any malware, but it used to redirect the users to a different domain that hosts the malicious content.



How does Google use this information? A search for “” yields 403 results. By looking at the URLs, it is easy to spot the bad pages. One of them is hxxp:// If you access this page from Google using the same search terms, you get the harmless page which Google used to rank the content. The hacked page looks at the Referer header to check where the user is coming from. Not only does the user have to come from Google, but they also need to have done a “normal” search. This is an attempt to fool both Google and security tools into marking these pages as good.
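Because the hacked page keys its response on the Referer header, a scanner only sees the redirect if it requests the same URL under several Referer and User-Agent profiles and compares the answers. The sketch below is an added example, not code from the original post; the profile values, `hacked.example`, `fake-av.example` and the `simulated_fetch` stand-in (including its rule that a query containing the site's own hostname is not a "normal" search) are constructed assumptions.

```python
import difflib
from urllib.parse import parse_qs, urlparse

# Request profiles replayed against one URL (all values are constructed).
UA = "Mozilla/5.0"
PROFILES = {
    "crawler": {"User-Agent": "Googlebot/2.1", "Referer": ""},
    "direct": {"User-Agent": UA, "Referer": ""},
    "google_normal": {"User-Agent": UA,
                      "Referer": "http://www.google.com/search?q=didi+index+indicator"},
    "google_domain_query": {"User-Agent": UA,
                            "Referer": "http://www.google.com/search?q=hacked.example"},
}

def find_cloaking(fetch, url, baseline="crawler", min_ratio=0.6):
    """Return {profile: reason} for each profile whose response diverges
    from what the baseline (crawler) profile was served."""
    site = urlparse(url).hostname
    _, base_headers, base_body = fetch(url, PROFILES[baseline])
    findings = {}
    for name, headers in PROFILES.items():
        if name == baseline:
            continue
        _, resp_headers, body = fetch(url, headers)
        target = urlparse(resp_headers.get("Location", "")).hostname
        if target and target != site and "Location" not in base_headers:
            findings[name] = "off-site redirect to " + target
        elif difflib.SequenceMatcher(None, base_body, body).ratio() < min_ratio:
            findings[name] = "body differs from crawler view"
    return findings

def simulated_fetch(url, headers):
    """Constructed stand-in for an HTTP client; mimics the Referer check described above."""
    ref = urlparse(headers.get("Referer", ""))
    query = parse_qs(ref.query).get("q", [""])[0]
    normal = bool(query) and urlparse(url).hostname not in query
    if (ref.hostname or "").endswith("google.com") and normal \
            and "bot" not in headers["User-Agent"].lower():
        return 302, {"Location": "http://fake-av.example/scan"}, ""
    return 200, {}, "didi index indicator keyword text served for ranking"

if __name__ == "__main__":
    for profile, reason in find_cloaking(simulated_fetch, "http://hacked.example/page.html").items():
        print(profile, "->", reason)
```

Swapping `simulated_fetch` for a real HTTP client that does not follow redirects lets the same comparison run against a live URL.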









Yes, all the fake pages are as ugly as this one! But this is the content that matters to Google.




I extracted 3 words from the page, and ran the following Google search: “didi index indicator”. Sure enough, the malicious page shows on the first result page as the 5th result.


Don’t click on link #5



If you follow the link, you get redirected to the following fake antivirus page on



Fake antivirus page



An unknown hacked site




Google did not, at the time this blog was published, flag the second domain, as malicious.


Domain is safe according to Google


It may not take long for Google to flag this domain. Since I don’t know when the website was hacked, I’m not able to measure Google’s response time to scan and flag it correctly.





What is Google doing with its data?



While it is not surprising that Google does not flag all hacked websites immediately, it is very concerning that they keep bad websites in their index. They know is used to spread malware, yet they still display dangerous links to this domain in their search results! Protecting users should be their number one priority. I personally would prefer that they erroneously block some websites temporarily, rather than keeping known bad websites in their search results - even showing them in the top 10 results!

-- Julien