Website Search Result Poisoning

It is not hard to find search pages from compromised websites; it is as simple as googling for them. Actors are actively exploiting a common misconfiguration: a website's internal search results page reflects the search terms back in the page and is left indexable by search engines such as Google and Bing (good practice is to disallow indexing of it). They use this to advertise dark web content under the domain of the affected site. Luckily the fix is as simple as the exploit: prevent search engines from indexing your website's search results page.

An example of an affected website is the United Nations Office on Drugs and Crime (UNODC) website (which you can see from the image above), happily advertising how to buy cocaine (and many other horrible services) on Telegram! Wickr, maxmaxx.com and Telegram are common indicators of this compromise.

Another website affected is the main public Police Scotland website.


The exploit occurs when:

  • An attacker generates a webpage containing thousands of links to the victim's search page, with the desired payload text (e.g. "contact @xyz on Telegram for cocaine in Auckland") embedded in each link as the search terms (e.g. victim.com/search?q=contact+%40xyz+on+Telegram+...).
  • When this page is crawled by Google, the crawler follows the links (they are perfectly valid URLs) to the victim website's search page. The search page reflects the query into its title, heading and body ("No results were found for [malicious dark web advertising payload text]") and returns an ordinary HTTP 200 response with no noindex directive, so the crawler treats it as a normal content page.
  • Google adds these search results pages to its index, attributed to the victim's domain.
  • When a Google user searches for the keywords (e.g. "buy cocaine Auckland"), the indexed records are returned in the results under the attacked domain, carrying that domain's reputation.


Prevention:

  • Remove bad results from the Google index by logging into Google Search Console and using the "Remove page" tool to remove all URLs with the search results page prefix (e.g. domain.com/search). Note that this removal is temporary (roughly six months); the pages only stay out permanently if the noindex fix below is also in place.
  • Ensure the search results page is always tagged with a noindex rule, either as a <meta name="robots" content="noindex, nofollow" /> tag in the page or as an X-Robots-Tag: noindex, nofollow response header. Do not rely on robots.txt (Disallow: /search) instead of noindex: a robots.txt block only stops crawling, so Google can never see the noindex tag, and URLs it already knows about from the attacker's links can remain in the index. If you want a robots.txt rule as well, add it only after the pages have dropped out of the index.

It is basic web development hygiene not to let your website's search results be indexed by search engines such as Google or Bing, so if this has occurred, hold your developers to account!
