Inside-out cloak

This morning I got an email from a friend who works at Google, saying that one of our NYU-related websites had been hacked. All the text had been replaced by ads for sexual enhancement products.

I went to our site, and emailed her back that everything was fine. Then she emailed me again to say that the problem was still showing up on her screen. For a while it was quite a mystery.

Eventually we figured out that our site had been hit by what might be called an inside-out cloaking attack.

“Cloaking” in web parlance means making a harmful site look innocuous to search engines, so that people will click on an innocent-seeming link in Bing or Google and then suddenly find themselves on the offending site.

It’s generally done by hacking into the server to add a script that checks who is visiting the site (by looking at the visitor’s IP address). If the visit is from the Bing or Google domains, the visitor sees innocent text. From anywhere else, the visitor sees something quite different.

Today’s attack was a kind of inside-out cloak. Our web site would seem just fine to almost anybody in the world, but if you happened to be from Google or Bing, you would find all those nasty ads. Which means that when Google’s software robots index the page, they get the version with the spam links. This makes the web ranking of those ad sites go up.
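
Because an inside-out cloak is invisible from the site owner's own browser, the practical check is to compare what the crawler is served with what a normal visitor is served. The following is an added example (not code from the original post) that does that comparison offline on two constructed response bodies; it assumes you have already captured both versions of the page, and the hostname `spam-offers.example` and the sample HTML are made up for illustration.

```python
# Added example (not from the original post): flag inside-out cloaking by
# comparing the HTML a crawler received with the HTML an ordinary visitor got.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageFeatures(HTMLParser):
    """Collect external link hosts and visible words from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts, self.words, self._skip = set(), set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").netloc.lower()
            if host:  # relative links have no host and are ignored
                self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(data.lower().split())


def cloaking_report(visitor_html, crawler_html, site_host):
    """Return hosts linked only in the crawler view plus a text-similarity score."""
    v, c = _PageFeatures(), _PageFeatures()
    v.feed(visitor_html)
    c.feed(crawler_html)
    injected = sorted(h for h in c.hosts - v.hosts if not h.endswith(site_host))
    union = v.words | c.words
    similarity = round(len(v.words & c.words) / max(1, len(union)), 2)
    return {"injected_hosts": injected, "text_similarity": similarity,
            "cloaked": bool(injected) or similarity < 0.5}


# Constructed sample bodies: what a human saw versus what the crawler saw.
VISITOR_VIEW = ("<html><body><h1>NYU Lab</h1><p>Welcome to our research group"
                " page.</p><a href='/people'>People</a></body></html>")
CRAWLER_VIEW = ("<html><body><h1>NYU Lab</h1><p>Discount offers, click here"
                "</p><a href='http://spam-offers.example/buy'>Buy now</a>"
                "<a href='/people'>People</a></body></html>")

if __name__ == "__main__":
    print(cloaking_report(VISITOR_VIEW, CRAWLER_VIEW, "nyu.edu"))
```

Any host that appears only in the crawler's copy, or a sharp drop in visible-text overlap, is the signal to pull the server's request-handling code and look for logic that branches on the visitor's address.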

Fortunately, we were able to find and fix the problem because our site was visited today by an actual human at Google — a visitor with a far more discerning eye than any mere robot.
