A large-scale attack on Norwegian Google search has been under way for several days: on the first pages of results for almost any query, there is a high probability of encountering the Danish spam domain havfruen4220.dk, says web developer Alex.
Redirection is configured on the domain: the user is sent to fraudulent sites that impersonate Norwegian news feeds or offer to “make quick money on the Internet”.
Google usually filters out such sites and does not let users reach them, let alone rank them on the first pages of search results. But the scammers managed to deceive the algorithms with the help of an image and a redirect system, the web developer claims.
What the scammers did
Alex checked some popular and typical queries for Norway and found havfruen4220.dk among the top results every time. For example:
For the query for the largest grocery chain in Norway, REMA 1000, it is on the fifth page.
For the Norwegian query “how often do I need to take a shower”, it is on the first page of results.
One of the main Google queries for the phrase “how to calculate” in Norwegian is “how to calculate a percentage”. Here the spam site is on the first page of results.
For the query “How often does Apple update iOS”, it takes both the 9th and 10th search results.
In total, a search for havfruen4220.dk returns 9.95 million results, and most of them are new, created in the last few days, the developer notes. To generate them, the scammers took data from a variety of sources: Twitter, news sites, random sites or a combination of them. There are other similar sites; they use the Danish .dk domain and are served by Cloudflare.
If a Norwegian Google search bot or a user tries to open a page of the spam site via a direct link, the site disguises itself and shows a cartoon with “Smeshariki”.
But if a user visits one of the spam site's pages, a JavaScript script runs instead of showing its content and redirects to fraudulent sites. Some of them disguise themselves as popular Norwegian news publications, with articles that “tell the secret of wealth” of a Norwegian celebrity. Usually the text ends with a financial scheme involving cryptocurrencies. Others are fraudulent sites dedicated to making quick money on the Internet with “temporarily free” access. They also talk about how to get rich with the help of cryptocurrencies.
Why Google was deceived and how the company can fix it
The developer has several assumptions about how it was possible to circumvent Google’s protection:
In the search results, the pages of havfruen4220.dk “look quite decent”, so it is easy to get interested in them.
It is possible that the scammers show the real content to visits from the IP address of the Google crawler, but the developer “pretended” to be Google and got the same picture from the main page of havfruen4220.dk.
When a user opens a page on the spam domain, the scammers block the ability to return to Google. Thus, they “suggest” to the search algorithms that the user has found the necessary information on their site, since the user did not return to the search results. The algorithms consider the site “useful” and rank it even higher.
After being blocked from returning to the results, the user has to search for the information again.
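The cloaking, redirect and blocked-return behaviour described above can be checked offline by comparing saved copies of one URL fetched under different request profiles; the following is an added example, not code from the developer or from the spam site. The profile names, sample HTML and regex signatures are assumptions constructed for illustration, and spoofing a crawler User-Agent cannot reveal content served only to Google's real IP addresses.

```javascript
// Added example. All captures are constructed sample data, not real responses.
// Assumption: the same URL was saved under three request profiles; the
// "search-click" profile (arriving from a results page) is our guess at what
// triggers the redirecting variant.
const SAMPLE_CAPTURES = [
  { profile: "googlebot-ua", html: "<html><body><h1>Cartoon</h1><img src='/c.png'></body></html>" },
  { profile: "direct-link", html: "<html><body><h1>Cartoon</h1><img src='/c.png'></body></html>" },
  { profile: "search-click", html: "<html><body><script>history.pushState(null,'',location.href);" +
      "location.replace('https://landing.example/');</script></body></html>" },
];

// Heuristic signatures (assumed; the article does not give the script itself).
const REDIRECT_PATTERNS = [
  /\blocation(?:\.href)?\s*=[^=]/i,            // location = "..." / location.href = "..."
  /\blocation\.(?:replace|assign)\s*\(/i,      // location.replace(...) / location.assign(...)
  /<meta[^>]+http-equiv\s*=\s*["']?refresh/i,  // <meta http-equiv="refresh">
];
const HISTORY_PATTERNS = [
  /\bhistory\.(?:pushState|replaceState)\s*\(/i,
  /\bonpopstate\b|addEventListener\s*\(\s*["']popstate["']/i,
];

// Text a reader (or an indexer) would see: scripts and tags removed.
function visibleText(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim().toLowerCase();
}

// Compare every capture against the first one (the crawler view).
function analyzeCaptures(captures) {
  const baseline = visibleText(captures[0].html);
  return captures.map(({ profile, html }) => {
    const findings = [];
    if (visibleText(html) !== baseline) findings.push("content-differs-from-crawler-view");
    if (REDIRECT_PATTERNS.some((re) => re.test(html))) findings.push("script-or-meta-redirect");
    if (HISTORY_PATTERNS.some((re) => re.test(html))) findings.push("history-manipulation");
    return { profile, findings };
  });
}

// Cloaking verdict: some profile sees different content than the crawler did.
function isCloaked(report) {
  return report.some((r) => r.findings.includes("content-differs-from-crawler-view"));
}

console.log(JSON.stringify(analyzeCaptures(SAMPLE_CAPTURES), null, 2));
```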