One of every 200 Google search autocomplete suggestions is poisoned and is used to drive traffic to misleading sites, malware, or other malicious content, a team of academics from three US universities has discovered.
This is one of the most recent types of blackhat search engine optimization (BHSEO) techniques observed in the wild.
The research team says it identified several companies that offer such services, which usually involve two stages: poisoning the autocomplete suggestions, and then poisoning the search results listings where users land when they select the poisoned suggestion.
"We found that manipulating suggestion has already become a booming business, with tens of services available online," researchers said.
Some services use special tools that automate search queries in headless browsers spread across different IP addresses, while some services use human operators. Prices range from $1 to $20 per day, per the table below.
Researchers used a technique named Sacabuche (Search AutoComplete Abuse Checking) to identify poisoned search autocomplete suggestions in a dataset of 117 million suggested terms.
"We are surprised to find that this new threat is indeed pervasive, having a large impact on today’s Internet," the research team said.
"More specifically, over 383K manipulated suggestions (across 257K triggers) were found from mainstream search engines, including Google, Bing and Yahoo!," they said. "Particularly, we found that at least 0.48% of the Google autocomplete results are polluted."
The team also identified over 3,000 sites in the search results listings that appear when users click the autocomplete suggestions, meaning the second part of this blackhat SEO strategy is as successful as the first.
Making matters worse, this technique is bound to become extremely popular as the number of mobile Internet users continues to grow. Search autocomplete suggestions play a crucial role in mobile search, where users often rely on these suggestions instead of typing a full query.
All search engines that offer autocomplete suggestions are vulnerable to such attacks, not just Google, Bing, or Yahoo. The list also includes the Baidu and Yandex search engines.
Researchers said they notified the affected search engines of their findings, and that Google has responded to their report, but they did not reveal Google's reply.
More details are available in a research paper named "Game of Missuggestions: Semantic Analysis of Search-Autocomplete Manipulations" that was presented at the end of February at the NDSS conference in San Diego, USA. A copy of the research paper is available for download from here or here.