Sophos threat hunter Dmitry Samosseiko says internet lowlife are implanting hundreds of thousands of malicious PDF files a day on compromised websites to build a new cloaking system that foils Google's search algorithm analysis.
Samosseiko says the blackhat search engine optimisation method takes the old keyword-stuffing and link-spamming tricks once used on HTML pages and applies them to PDFs.
It works because Google's revamped blackhat-nixing Panda algorithms, used to uncover and eliminate those tricks from web pages, are not applied as rigorously to PDFs.
Hackers can top search rankings by compromising legitimate sites and planting PDFs that reference their own dodgy sites.
"Our discovery of a new search poisoning method came from a Sophos Antivirus detection that Jason Zhang of SophosLabs created based on a suspicious-looking PDF file," Samosseiko says.
"In short order, we received hundreds of thousands of unique PDF documents per day that triggered this detection.
"When doing a Google search for keywords found inside those PDFs we found a large amount of similar documents on a number of legitimate, but unrelated and likely compromised, websites."
Samosseiko says the link farm method, or back-link wheel, is targeting binary trading brokers which are commonly flogged on shady sites such as The Pirate Bay.
A search for 'binary trading Austria' and 'safe stock trade US' yields a front page full of blackhat link farming PDFs.
While the binary bashing is a nuisance, the method could become highly dangerous if it is adopted by enterprising exploit kit brokers who are fast to exploit emerging opportunities.
Samosseiko sent the findings to Google ahead of disclosure. ®