Black-hat SEO tactics are compromising the Indian internet space, with cybercriminals exploiting search engine poisoning to infiltrate government, educational, and financial websites. This in-depth analysis uncovers how malicious actors manipulate search rankings using keyword stuffing, cloaking, and backlinking to redirect unsuspecting users to fraudulent gaming and investment platforms. The report highlights the alarming scale of this digital deception, urging authorities to strengthen security measures and users to stay vigilant against manipulated search results. Stay informed and safeguard your online experience against black-hat SEO threats. 🚨 #CyberSecurity #SEO
Indian government websites, educational websites and well-known financial brands have been affected at scale by SEO poisoning, with user traffic redirected to dubious websites promoting rummy and other investment-themed games. This advisory discusses the techniques used to mislead Indian internet users who turn to search engines to resolve their queries.
CloudSEK analysts recently identified threat actors using black-hat search engine poisoning to push rummy and investment-focused websites to unsuspecting users. Targets of interest include websites under the .gov.in and .ac.in domains, along with keyword stuffing that invokes well-known Indian financial brands. Over 150 government portals, most belonging to state governments, have been affected.
Search engine poisoning refers to malicious practices aimed at manipulating search engine results to promote harmful or deceptive content. These tactics are typically employed by cybercriminals to redirect users to fraudulent websites, distribute malware, or launch phishing attacks.
Techniques in play:
Rummy games have a rich history and have grown immensely popular in India, both offline and online. The advent of online gaming platforms has further boosted its popularity. With access to smartphones, affordable internet, and the convenience of playing from home, rummy games have found a massive audience in India.
Additionally, platforms offering cash prizes and tournaments have made it even more enticing. However, while it provides entertainment and opportunities to win, the financial risks can’t be ignored. Many players overestimate their abilities and continue to bet/invest on higher amounts, leading to losses. The desire to recover losses, known as "chasing losses," often traps players in a cycle of increasing bets.
Since this attack scenario was first highlighted on X (formerly Twitter) last year, a handful of similar posts have appeared on LinkedIn, X and the news outlet TechCrunch.
Inspecting the source of one affected Indian government website reveals a JavaScript snippet. Its functionality is as follows:
In this case, https[:]//yono-allslots[.]com/ in turn redirects to indorummy[.]net, another rummy website.
To confirm the behaviour, a search was run with the dork “rummy” site:*.gov.in (site:gov.in also matches every subdomain), and the script's logic was analysed in Google Developer Tools by switching the emulated device type.
The script worked as intended, which shows how stealthily the threat actors operate: the page does more than meets the eye.
The script makes an exception for desktop browsers: a desktop user who clicks one of the doctored results is shown a 404 error page, while a mobile user is redirected. This is user-agent cloaking in practice, and it keeps the redirect out of sight of the desktop-based reviewers and site owners most likely to investigate a complaint.
In other cases the approach is more direct: a landing page for the rummy website loads once a preloader reaches 100%. This is a plain JavaScript redirect, and the same content is served regardless of user agent.
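As an added illustration (not code from the original advisory), the following Python statically classifies a fetched page body for the two redirect patterns described above: a user-agent-sniffing script that redirects mobile browsers while writing a 404-style body for everyone else, and an unconditional JavaScript redirect fired once a preloader completes. The sample HTML bodies, the lure domain lure.example and the portal URL are constructed for the example; the regexes are heuristics that will miss obfuscated or externally loaded scripts.

```python
import re
from urllib.parse import urljoin

# Heuristics for client-side redirects and UA sniffing (constructed for this example).
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
UA_SNIFF_RE = re.compile(r"navigator\.(?:userAgent|platform|maxTouchPoints)|screen\.width", re.I)
MOBILE_TOKEN_RE = re.compile(r"Android|iPhone|iPad|Mobile|Opera Mini|BlackBerry", re.I)
REDIRECT_RES = [
    # window.location = "...", location.href = "...", top.location.href = "..."
    re.compile(r"""(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I),
    # location.replace("..."), location.assign("...")
    re.compile(r"""location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]\s*\)""", re.I),
    # <meta http-equiv="refresh" content="0; url=...">
    re.compile(r"""<meta[^>]+http-equiv=['"]?refresh['"]?[^>]*url=([^'">\s]+)""", re.I),
]
SOFT_404_RE = re.compile(r"\b404\b|not found", re.I)


def inline_scripts(html):
    """Bodies of all inline <script> blocks in the page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def redirect_targets(text, base_url):
    """Absolute URLs the text would send a browser to."""
    found = set()
    for pat in REDIRECT_RES:
        for m in pat.finditer(text):
            found.add(urljoin(base_url, m.group(1).strip()))
    return found


def classify_page(html, base_url):
    """Return {'verdict', 'targets', 'soft_404'} for one fetched page body.

    ua-cloaked-redirect    a script sniffs the UA for mobile tokens and redirects
    unconditional-redirect a redirect fires regardless of client
    clean                  no client-side redirect found
    """
    targets = redirect_targets(html, base_url)
    if not targets:
        return {"verdict": "clean", "targets": set(), "soft_404": False}
    for js in inline_scripts(html):
        if UA_SNIFF_RE.search(js) and MOBILE_TOKEN_RE.search(js) and redirect_targets(js, base_url):
            # Same script branches on the UA and redirects; note whether the other
            # branch fakes a 404 so desktop reviewers see a "broken" page.
            return {"verdict": "ua-cloaked-redirect", "targets": targets,
                    "soft_404": bool(SOFT_404_RE.search(js))}
    return {"verdict": "unconditional-redirect", "targets": targets, "soft_404": False}


# Constructed sample bodies (not captured from any real site).
CLOAKED = """<html><body>
<script>
var ua = navigator.userAgent || "";
if (/Android|iPhone|iPad|Mobile/i.test(ua)) {
  window.location.href = "https://lure.example/";   // mobile: go to the lure
} else {
  document.write("<h1>404 Not Found</h1>");         // desktop: look broken
}
</script></body></html>"""

PRELOADER = """<html><body><div id="bar">0%</div>
<script>
var p = 0, t = setInterval(function () {
  p += 10; document.getElementById("bar").textContent = p + "%";
  if (p >= 100) { clearInterval(t); location.replace("/rummy/landing.html"); }
}, 100);
</script></body></html>"""

CLEAN = "<html><body><h1>Department notice</h1><script>console.log('ok');</script></body></html>"

if __name__ == "__main__":
    base = "https://portal.gov.in/dir/page.shtml"   # assumed location of the fetched page
    for name, body in (("cloaked", CLOAKED), ("preloader", PRELOADER), ("clean", CLEAN)):
        print(name, classify_page(body, base))
```

Run it over bodies fetched with a desktop and a mobile User-Agent; if the two bodies differ as well, the cloaking is being done server-side and the comparison, not the script analysis, is what reveals it.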
How these snippets were planted has not been confirmed. A plausible route is abuse of file-upload functionality combined with JavaScript injection, possibly via stored XSS. We state this with medium confidence.
In support of this, when analysing further websites we found an abundance of files with .shtml, .html and .aspx extensions that appear to have been uploaded into directories that do not otherwise exist on the affected sites (as indicated by the search-result URLs). We have not been able to pinpoint the exact vulnerability being exploited.
.shtml files are Server Side Includes (SSI) pages: HTML carrying directives such as <!--#include --> that the web server evaluates before sending the page to the browser. On a server where SSI is enabled for the directory (Apache Options +Includes), an attacker who can write a .shtml file can inject redirect code, and unless IncludesNOEXEC is set the <!--#exec --> directive will even run commands.
The files are removed once reported (using Google Search Console, formerly Webmaster Tools), but cached copies persist in Google's index and keep appearing in results, often showing the redirect target's content in the snippet.
In one client-query investigation, we uncovered a series of spam websites with the keywords of a national public-sector bank and its banking application stuffed into the front page, promoting rummy games.
Delving deeper, we found that these websites targeted more Indian financial-sector companies and reused the templates of similar sites built to promote Indonesian casino games.
If not stopped in its tracks, the threat of customers being swindled will spread to other organisations and industries.
Taking the screenshot below as an example, keywords such as loan and card application, chosen to match bank-related queries, have been stuffed into the page so that users land on an untrusted page and then see text enticing them into rummy games.
Keyword Stuffing: the stuffed text is drawn from digital ads commissioned by the bank in question, promotional copy from its websites, and common customer queries, for example searches for instant personal loans at low interest rates.
In one instance, a template message of the kind used to push phishing links over SMS was found on a web page.
The impersonating domains create web paths targeting specific companies, and the page titles are tailored to match the company name.
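As an added example that is not part of the original report, this Python triages a search export (URL, title and snippet per result) along the lines of the observations above: static .shtml/.html/.aspx files under unexpected paths, gambling terms on .gov.in/.ac.in hosts, and a bank's name stuffed into pages on unrelated hosts alongside loan/card intent terms. The watch lists, the brand examplebank with its legitimate host examplebank.example, and the three sample results are assumptions constructed for the example; the score weights are arbitrary starting points to tune against real data.

```python
import re
from urllib.parse import urlsplit

# Watch lists: assumptions constructed for this example, tune per tenant.
SUSPECT_EXT = {".shtml", ".html", ".htm", ".aspx", ".php"}
TRUSTED_SUFFIXES = (".gov.in", ".ac.in", ".nic.in")
GAMBLING_WORDS = {"rummy", "teenpatti", "slots", "casino", "bet", "jackpot", "bonus", "cash"}
FINANCE_WORDS = {"loan", "card", "credit", "interest", "emi", "kyc", "apply", "instant"}
# brand keyword -> hosts that legitimately carry it (assumption)
BRANDS = {"examplebank": {"examplebank.example", "www.examplebank.example"}}


def word_hits(text, words):
    """Watch-list words that occur as whole words in text (so 'bet' skips 'alphabet')."""
    t = text.lower()
    return sorted(w for w in words if re.search(rf"\b{re.escape(w)}\b", t))


def keyword_density(text, words):
    """Share of alphabetic tokens that are watch-list words: a stuffing indicator."""
    tokens = re.findall(r"[a-z]+", text.lower())
    return sum(tok in words for tok in tokens) / len(tokens) if tokens else 0.0


def triage(result):
    """Score one search result {url, title, snippet}; returns (score, reasons)."""
    parts = urlsplit(result["url"])
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    text = f"{result.get('title', '')} {result.get('snippet', '')}"
    score, reasons = 0, []

    gambling = word_hits(f"{text} {path}", GAMBLING_WORDS)
    if gambling:
        score += 3
        reasons.append(f"gambling terms {gambling}")
        if host.endswith(TRUSTED_SUFFIXES):
            score += 3
            reasons.append(f"gambling content on trusted host {host}: likely injected page")
        last = path.rsplit("/", 1)[-1]
        ext = last[last.rfind("."):] if "." in last else ""
        if ext in SUSPECT_EXT and path.count("/") >= 2:
            score += 1
            reasons.append(f"static {ext} file under unexpected path {path}")

    for brand, legit_hosts in BRANDS.items():
        if brand in text.lower() and host not in legit_hosts and not host.endswith(TRUSTED_SUFFIXES):
            score += 3
            reasons.append(f"brand '{brand}' on unrelated host {host}")
            finance = word_hits(text, FINANCE_WORDS)
            if finance:
                score += 1
                reasons.append(f"finance intent terms {finance}")

    density = keyword_density(text, GAMBLING_WORDS | FINANCE_WORDS)
    if density > 0.15:
        score += 2
        reasons.append(f"keyword density {density:.2f}")
    return score, reasons


def rank(results):
    """Highest-scoring results first, ready for takedown or Search Console removal."""
    scored = [(triage(r), r["url"]) for r in results]
    return [{"url": u, "score": s, "reasons": why}
            for (s, why), u in sorted(scored, key=lambda x: -x[0][0])]


# Constructed sample export; hosts and text are placeholders, not real search results.
SAMPLE_RESULTS = [
    {"url": "https://dept.state.gov.in/uploads/rummy-cash-bonus.shtml",
     "title": "Rummy cash game bonus 100",
     "snippet": "play rummy online win real cash bonus"},
    {"url": "https://examplebank-loan.example/apply",
     "title": "ExampleBank instant personal loan low interest",
     "snippet": "examplebank loan card apply rummy bonus cash"},
    {"url": "https://dept.state.gov.in/schemes/agri.html",
     "title": "Agricultural schemes",
     "snippet": "Details of subsidies for farmers"},
]

if __name__ == "__main__":
    for row in rank(SAMPLE_RESULTS):
        print(row["score"], row["url"], *row["reasons"], sep="\n  ")
```

Feed it the rows of a Search Console export or the results of the site: dork; anything scoring on the "trusted host" or "unrelated host" reasons is the list to hand to the site owner and to brand-protection for takedown.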
Below is an example of text stuffing on a similar rummy page, using a subdomain belonging to the Government of Telangana.
Interconnected Web Pages: referred to as “link farms”, these are sets of pages linked to one another to inflate inbound links and boost a website's ranking.
These rummy games, packaged under various names, follow an approach akin to investment scams, as illustrated below:
Attempts to play these games lead to a website named “teenpattionline.game” (also seen as teenpatti.com), offering a trove of betting games with cash rewards.
Benefits offered by games
1. Referral Bonus: For every referral, a user receives a nominal amount ranging from Rs 20 - 80, thereby pulling more individuals to the cusp of gambling and possible financial ruin. New logins from the same device are not counted towards this.
2. Login Bonus: These games offer paltry rewards for daily logins, making it an interesting prospect to lure in people’s attention and prompting them to spend daily on games
This is the pattern seen in most pig-butchering / Ponzi scam models: users who invest more to unlock better rewards are placed in VIP levels, and the higher the VIP level, the greater the individual's exposure to being scammed.
During more analysis, a new route to scam individuals out of money could be brewing, with the aid of color prediction games.
From our previous research on this scam type, games and domains impersonating prominent companies offer opportunities to place bets and receive monetary rewards, for predicting the right color.
The scam is similar to the Ponzi/ pyramid scheme, where the money collected from new players/ investors is used to pay profits to early adopters/investors.
Note: promotion of such games through this campaign is stated only as a possibility; what is established is that these games exist, are fraudulent, and are capable of siphoning off large sums.
During our analysis of one suspect rummy website, indorummy[.]net, we found it had engaged backlinking services. The website was also listed among others on link-farm websites.
To provide more context, here’s how these link farms help rummy websites, or any dodgy website utilizing their services:-
Boosting Search Rankings:-
Domain Authority (DA) Manipulation:-
Increased Indexation & Crawl Frequency
Insights from the graph:-
A common Telegram handle was linked from these websites for backlinking consultation; it has since gone inactive. Listings on the freelancer platform Fiverr have also been linked to these websites, though the credibility of those listings is questionable.
With indorummy[.]net, vc99[.]net and their variants commonly surfacing from poisoned results, our investigation extended to their DNS records.
What is alarming is the sheer scale of the infrastructure. We identified 12 associated IP addresses and multiple domains prefixed ‘bet’, ‘rummy’ or ‘vip’, all pointing to rummy/investment platforms that siphon off people's hard-earned money.
NOTE: Addresses such as 104.21.x.x fall inside 104.16.0.0/13, one of the prefixes Cloudflare announces for its proxy and DDoS-protection service. When a website is behind Cloudflare, its A records point to Cloudflare's anycast edge rather than to the origin server; Cloudflare then forwards traffic to the real destination while filtering malicious requests.
Multiple A records in the same range therefore reflect Cloudflare's own anycast redundancy rather than load balancing configured by the operator, and two domains sharing a Cloudflare address is weak evidence of common ownership, since many unrelated zones share those edges. Stronger pivots are shared nameservers, registrant details, TLS certificate subjects, and any origin IP that leaks outside the proxy (for example via a subdomain that is not proxied). For illustration, domains sharing the same IP range are highlighted in the table below:
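As an added example (not the report's own tooling), this Python shows the pivot the note above calls for: take A and NS records for the candidate domains, discard addresses inside Cloudflare's published prefixes, and cluster only on shared origin IPs and shared nameservers. The resolver results are a constructed offline snapshot, the Cloudflare prefix list is a partial copy of cloudflare.com/ips-v4 that must be refreshed before real use, and every domain and address is a placeholder.

```python
import ipaddress
from collections import defaultdict

# Partial snapshot of Cloudflare's published IPv4 prefixes (cloudflare.com/ips-v4).
# Assumption for this example; refresh from the source before real use.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15", "173.245.48.0/20",
    "103.21.244.0/22", "103.22.200.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "188.114.96.0/20", "198.41.128.0/17",
)]


def is_cdn(ip):
    """True if the address sits in Cloudflare's proxy ranges (no origin attribution)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def pivot(records):
    """Cluster domains on evidence that actually links them.

    records: {domain: {"A": [ip, ...], "NS": [nameserver, ...]}}
    Returns shared origin IPs and shared nameservers (each linking >= 2 domains),
    plus domains whose every A record is a Cloudflare edge, which need another pivot.
    """
    by_ip, by_ns, cdn_only = defaultdict(set), defaultdict(set), []
    for domain, rr in records.items():
        a_records = rr.get("A", [])
        origin_ips = [ip for ip in a_records if not is_cdn(ip)]
        if a_records and not origin_ips:
            cdn_only.append(domain)
        for ip in origin_ips:
            by_ip[ip].add(domain)
        for ns in rr.get("NS", []):
            by_ns[ns.lower().rstrip(".")].add(domain)   # normalise trailing dot / case
    return {
        "by_origin_ip": {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1},
        "by_ns": {ns: sorted(d) for ns, d in by_ns.items() if len(d) > 1},
        "cdn_only": sorted(cdn_only),
    }


# Constructed offline resolver snapshot; every domain and address is a placeholder.
SAMPLE_RECORDS = {
    "rummy-a.example": {"A": ["104.21.3.1", "172.67.10.5"],
                        "NS": ["ns1.badns.example.", "ns2.badns.example."]},
    "bet-b.example":   {"A": ["104.21.3.1", "172.67.10.5"],
                        "NS": ["ns1.badns.example.", "ns2.badns.example."]},
    "vip-c.example":   {"A": ["203.0.113.10"],
                        "NS": ["ns1.badns.example.", "ns2.badns.example."]},
    "d.example":       {"A": ["203.0.113.10"], "NS": ["ns1.registrar.example."]},
    "e.example":       {"A": ["198.51.100.7"], "NS": ["ns1.registrar.example."]},
}

if __name__ == "__main__":
    for key, value in pivot(SAMPLE_RECORDS).items():
        print(key, value)
```

In the sample, rummy-a and bet-b share the same two Cloudflare edges and are reported only as cdn_only; what actually ties them to vip-c is the common nameserver, and what ties vip-c to d is a shared origin address. Populate the records dict from dig or a resolver library when running this against real candidate domains.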
A common issue is lax security and abuse handling at some of the hosting providers within these ASNs, which makes them attractive to cybercriminals who exploit vulnerable hosts and serve malicious content from them. Some providers also allow services to be registered anonymously, giving malicious actors an environment in which they can operate without easy identification.
Some of the ASNs that we were able to identify associated with the campaign and have been reported for phishing, malware, etc. are as follows:
During our research, a LinkedIn post came to our attention describing a similar campaign unfolding in Malaysia around four months earlier, where government websites were being backlinked to rummy and casino websites.
This reinforces the point that insecure infrastructure will always be exposed to abuse when secure coding practices are not followed and critical infrastructure is not safeguarded. This is not an isolated incident.
For Authorities and related personnel
Security Infrastructure Improvements
Website Monitoring
For Users
General Security Awareness
Financial Protection
Public Awareness