Vanity Search Attacks
“How did you two meet? Did you mark her, or was it the other way around?”
- Robert Redford to Brad Pit, Spy Game
Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.
Now, it seems they figured an interesting way to draw potential victims to their web site, in a way that is much easier than sending billions of spam email messages.
The idea is simple: take the person’s name (real people’s names are available for harvesting in places like linkedin, facebook, and other social networks) and put it in a web page. Doesn’t really matter where, as long as google indexes it.
Wait a while, and have that person google himself. Many people (myself included) have a ‘google alert’ on their name which sends them updated list of links to new pages where their name is mentioned.
Everyone likes to see where they are mentioned, so they will click on the link. And voila! They arrive to the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the google cache). But all this doesn’t matter: as soon as the person reached the page, the web spammer’s job is done – he got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection is to you.
There are many advantages to this method. First, you are not restricted by the message: the web page can openly have the words Viagra, Credit card debt and mortgage assistance without the fear of triggering anti-spam software. Also, people will pay more attention to the page since they think it has to do with them.
I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help” which sounds very much like a sincere, personal message, is a huge success. But this message has to get through the spam filters and include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course, the name he was searching for (that would be in the ‘referrer’ that is sent automatically by the browser to the web site). Oh, and of course – it’s cheap. You only need to put together a nice looking web page, and wait for google to do the rest. No buying of email lists and no cost of sending spam (which is nowadays the cost of hiring a zombie botnet for a couple of days).
For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also requires time – days, weeks or months (which may be difficult if your web site is on a zombie computer that might disappear by the time google indexes and the user comes to the site). But due to the fact the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.