Google Alerts is a useful service that allows you to receive emails or an updated RSS feed when new pages related to keywords you are following appear in the Google search index. Unfortunately, whenever there is a good thing, people try to take advantage of it to push users towards scams and malware.
For those not familiar with this service, Google Alerts allows you to submit keywords that you wish to monitor. When new pages are found that match these keywords, depending on how you create the alert, Google will either send you an email or update an RSS feed.
I have been using Google Alerts for many years in order to track various malware and security topics. Over the past year, if not longer, I have noticed a trend where bad actors are injecting malicious sites into the Google search index in order to have them also appear in Google Alerts being sent to users.
When a user clicks on one of these alerts, they are sent to a page that redirects them through a series of other pages until they finally land at a fake giveaway page, tech support scam, unwanted extension, or malware installer.
The anatomy of Google Alert spam
To get malicious links into Google Alerts, bad actors will create spam pages with popular keywords and get them into the Google search index.
For example, as we publish a lot of ransomware news, I have a Google Alert set up for Ransomware. Knowing that users are desperate for decryptors, the bad actors create fake spam pages filled with blobs of text containing keywords related to a particular decryptor that may be affecting a lot of users at the time.
You can see one of these spammy pages below that pretends to discuss a Kaspersky decryptor for the STOP DJvu Ransomware. This page is what is shown to users when they directly navigate to the page’s URL.
When the bad actors create these pages and get them into the Google index, an alert will be generated for anyone who wants to be notified about ransomware, decryptors, or the STOP ransomware.
When a user clicks on a link through a Google Alert or via the Google search engine, instead of showing the web page shown earlier in the article, they will be redirected to a malicious site like the tech support scam shown below.
This is not to say that scammers are only designing pages around tech-related keywords.
BleepingComputer has also seen this same technique being used for other subjects such as televisions, clothes, movies, and more. These subjects are typically for holiday shopping, coupons, ways to watch movies for free, or other types of content that users may be enticed to click on.
In the example above, all of the highlighted results are scam redirects.
Protecting yourself from Google Alert spam
The best way to protect yourself from these types of low-quality and malicious sites is to specify that you want only the “best results” when creating the alert.
This can be configured under the alert options at the top of the Google Alerts page.
While selecting this option will remove a lot of newly registered sites and ones without good authority and reputation, it may also remove legitimate sites that could provide good information.