No one should be feeling lucky with spam that sends them to a purported retail site via the use of advanced search operators in Google.
|Spammers Exploiting Advanced Google Search|
Certain operators like inurl and intext help people using Google search to quickly narrow down a broad set of results to a select few that fit the given criteria.
Spammers have figured out a way to game the advanced results. They can push out a legitimate looking Google URL, and have the people who click on it come directly to the spammer’s website.
Since the example cited by Symantec researcher Jitender Sarda goes to a retail site that just had its domain registered on October 1st, there is reason for people to be suspicious of it. Registrant details for South Park, Colorado, and a phone number in Germany don’t add up to a trustworthy situation.
The most disturbing aspect of this comes from the use of a Google search URL as the conduit to the site. The URL arrives as part of a spam message, and according to Sarda, functions like this:
1. The spammer devised a query string which yielded only his or her URL as result of an advanced Google search.
2. The spammer then simulated the click of the “I’m Feeling Lucky” button (notice the ‘&btnl=’ at the end of the above URL) that will take you to the URL of the first result that comes up for the entered search query.
3. Lastly, the spammer packed this URL into a regular email and sent it out to evade spam filters.
Spam filters likely will let a Google domain pass, as it is considered a trustworthy site. Through the use of the advanced operators, the spammer ensured anyone clicking on the “Google link” would come straight to the site in question.
Google has occasionally considered getting rid of its “I’m Feeling Lucky” button, but opts to keep it as people expect to see it. This use of advanced operators in spam may be a good reason for Google to finally relegate I’m Feeling Lucky to the pages of the Internet Archive.