Paid Advertising
web application security lab

Building Fake Search Engines to Monetize Redirects

I’ve been talking with Jeremiah Grossman about his history revealer a lot over the past few days (I’ll probably talk more about it in some later post), but I started thinking about additional applications for knowing where someone was beyond the obvious stuff. It then occured to me that there is a way that porn sites and other blackhat websites can monetize traffic that they haven’t touched yet, to my knowledge.

There’s a pretty old trick where once the user clicks on a link they are immediately taken to another page. When the user finds that they are on a page that they aren’t interested in they hit back on their browser. When they do that they land back on the page with the redirect and they either get redirected again or to another website. This is a pretty aggrevating user experience that just makes them hit back on their browser twice quickly, use the history drop down or manually type in another website to escape the site. As they do so the malicious website looses that user - probably forever.

It just occured to me that there is a better way to monetize that traffic based on two factors that are known. The first is where the user is coming from. Thankfully most browsers send referrers. If you know the referrer of a search engine you can tell exactly what they were looking for and what all the other links on that page are. Stay with me.

When the user clicks back on their browser, instead of blindly sending them off into redirect land which is a highly frustrating experience, why not serve them up a page that looks exactly like what they would expect to see by hitting back on their browser? How does that help? Well if you can completely re-create the page that the user expected to see, you can change all the links on the page to things you own, with the possible exception of the previously viewed links (which you can know using Jeremiah’s trick). You can then hijack the rest of the links with JavaScript onclick events or just serve them up completely different links - either way. Instant page rank, without even trying!

Now the user gets the search experience they would expect but now you completely control everything the user will find upon searching and clicking. I bet more often than not the user won’t even notice they aren’t on the search engine website because they will be served up an exact replica. Without looking at the URL they will still be convinced because it looks exactly like the last page they were on, complete with the search results and the viewed links.

Of course if you do this you are risking getting lawyers all over you for trademark infringement blah blah, but I’m not sure most blackhats care about that kind of thing - if they can be located anyway.

3 Responses to “Building Fake Search Engines to Monetize Redirects”

  1. web application security lab - Archive » Google Clone Drops Spyware Says:

    […] The part that I think is interesting in this is not the attack they used - it’s old and boring. What would be interesting is to combine the attack used against Google and building a fake search engine based on where the user was previously. This attack simply requires that you have your code on whatever site is going to get the traffic. That means that you can XSS a page and if you see the referring URL come from a Google domain you can hijack the traffic when the page unloads. […]

  2. rollinj Says:

    I love it! Did you come up with this idea purely by yourself!? Scored another long-time reader here, thanks!

  3. RSnake Says:

    Hahah, my pleasure! Yup, that was just an idea I came up with after work one day. There are lots of other ideas like it, but that one feels especially nasty to me.