The Faux SEO Spiderweb: Exploring how Black-hat SEO has riddled the Indian Internet Space

Black-hat SEO tactics are compromising the Indian internet space, with cybercriminals exploiting search engine poisoning to infiltrate government, educational, and financial websites. This in-depth analysis uncovers how malicious actors manipulate search rankings using keyword stuffing, cloaking, and backlinking to redirect unsuspecting users to fraudulent gaming and investment platforms. The report highlights the alarming scale of this digital deception, urging authorities to strengthen security measures and users to stay vigilant against manipulated search results. Stay informed and safeguard your online experience against black-hat SEO threats. 🚨 #CyberSecurity #SEO

Noel Varghese
February 14, 2025
Green Alert
Last Update posted on
February 14, 2025

Executive Summary

Indian government websites, educational websites and well-known financial brands have been affected at scale by SEO poisoning, with user traffic being redirected to dubious websites promoting rummy and other investment-focused games. This advisory discusses the techniques used to mislead Indian internet users who turn to search engines to answer their queries.

Overview

Analysts at CloudSEK have recently discovered the widespread use of black-hat search engine poisoning by threat actors to push rummy and investment-focused websites to unsuspecting users. Targets of interest include websites under the .gov.in and .ac.in TLDs, together with keyword stuffing that mentions well-known financial brands in India. Over 150 government portals, most belonging to state governments, have been affected.

What is Search Engine Poisoning?

Search engine poisoning refers to malicious practices aimed at manipulating search engine results to promote harmful or deceptive content. These tactics are typically employed by cybercriminals to redirect users to fraudulent websites, distribute malware, or launch phishing attacks.

Techniques in play:

  • Referrer Header Manipulation - A technique used by malicious actors to disguise the source of a request, typically achieved by injecting a script into the website’s source code. It can be classified as a form of cloaking.
  • Cloaking - A technique in which a website shows different content to search engines and to human visitors. Its purpose is to deceive search engines and manipulate rankings by serving content optimized for search engine crawlers (selected by user agent) that is never shown to ordinary users.
  • Keyword Stuffing - Cybercriminals target trending keywords or events (e.g., breaking news, popular products) and create malicious websites optimized to rank high in search results.
  • Backlinking - In black-hat SEO, the practice of obtaining backlinks through manipulative means, such as link farming, in order to artificially boost a website's search engine rankings.
  • Underlying System Vulnerabilities - Threat actors may exploit vulnerabilities in systems such as the CMS hosting the web content to create directories and host files (e.g., with .shtml and .html extensions) in them. However, we have not been able to pinpoint the exact vulnerability being exploited.

How do Rummy and Investment Focused Games come into the picture?

Rummy games have a rich history and have grown immensely popular in India, both offline and online. The advent of online gaming platforms has further boosted their popularity. With access to smartphones, affordable internet, and the convenience of playing from home, rummy games have found a massive audience in India.

Additionally, platforms offering cash prizes and tournaments have made them even more enticing. However, while they provide entertainment and opportunities to win, the financial risks cannot be ignored. Many players overestimate their abilities and continue to bet or invest ever higher amounts, leading to losses. The desire to recover losses, known as "chasing losses," often traps players in a cycle of increasing bets.

Voicing Concern on Social Media

Ever since the unfolding attack scenario was highlighted on X (formerly Twitter) last year, a handful of similar posts have appeared on platforms such as LinkedIn and X, and in the news outlet TechCrunch.

Figure 1 - Linkedin Post - Source

Figure 2 - X Post - Source

Figure 3 - TechCrunch Article - Source

Technical Analysis

Intertwining Referrer Header Manipulation & User Agent Cloaking: Real-Time Technique Utilization

Inspection of the source code on one of the affected Indian Government websites shows a JavaScript snippet. The functionality of the code snippet is as follows:

  1. It retrieves the referrer of the current document (i.e., the URL of the page that linked to the current page) and converts it to lowercase.
  2. It sets up an array containing User-Agent strings (in this case, "IPhone." and "Android.").
  3. It loops through the array to check whether the referrer contains any of the specified search engine strings.
  4. If a match is found and the user is identified as being on a mobile device (using a regular expression that checks navigator.userAgent), it redirects the user to "https[:]//yono-allslots[.]com/".

In this case, "https[:]//yono-allslots[.]com/" redirects to indorummy[.]net, another rummy game website.

Figure 4 - Highlighted Javascript code snippet utilizing referrer header manipulation

To verify that this actually happens, a search was run using the dork “rummy” site:*.gov.in, and the script’s logic was analysed with Google Developer Tools by changing the emulated device type.

Figures 5 & 6 - Tweaking the user agent using Google’s Developer Tools utility shows two different webpages after clicking on an affected Government website

The script worked as intended, which demonstrates how stealthily the threat actors are operating: there is more to these pages than meets the eye.

Inspection of the script shows that an exception is made for desktop browsers: desktop users clicking on similarly doctored results are instead shown a 404 error page. This is user agent cloaking in practice.

In other cases the redirection is more direct: a landing page for the rummy website in question loads once a preloader reaches 100%. This is achieved with JavaScript-based redirection, and the same content is served irrespective of user agent.
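A defender-side check for the behaviour described above, written as an added example rather than code from the advisory: it flags inline scripts that combine the four ingredients of the injected snippet (referrer read, user-agent read, mobile platform token, navigation away) and classifies fetch results for one URL across visitor types, distinguishing the cloaked case (desktop gets a 404, mobile-from-search gets redirected) from the unconditional preloader redirect. The HTML fixtures, host names and the redirect-target.invalid destination are all constructed.

```python
"""
Detector for the referrer/user-agent cloaking redirect pattern.
(1) Static inspection of inline <script> blocks for the indicator combination.
(2) Differential verdict over observations of the same URL fetched as different visitors.
Added example, not CloudSEK's code; fixtures and hosts below are constructed.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Each indicator alone is common in benign code; the injected snippet combines all four.
INDICATORS = {
    "reads_referrer": re.compile(r"document\.referrer", re.I),
    "reads_user_agent": re.compile(r"navigator\.userAgent", re.I),
    "mobile_platform_token": re.compile(r"iphone|android|ipad", re.I),
    "navigates_away": re.compile(r"location(\.href|\.replace|\.assign)?\s*(=|\()", re.I),
}
REQUIRED = set(INDICATORS)  # all four must be present before a script is flagged


class _InlineScripts(HTMLParser):
    """Collect the text of every inline (src-less) <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data  # script bodies may arrive in several chunks


def indicators_in(js: str) -> set:
    return {name for name, rx in INDICATORS.items() if rx.search(js)}


def scan_html(html: str) -> list:
    """Return one finding per inline script that carries every indicator."""
    parser = _InlineScripts()
    parser.feed(html)
    findings = []
    for idx, js in enumerate(parser.scripts):
        hits = indicators_in(js)
        if REQUIRED <= hits:
            findings.append({"script_index": idx, "indicators": sorted(hits)})
    return findings


@dataclass
class Observation:
    """Outcome of fetching one page URL as one visitor type (referrer + user agent)."""
    variant: str
    status: int       # HTTP status seen by this visitor, kept for the report (e.g. 404)
    final_host: str   # host the browser ends on after any client-side redirect


def classify(observations, expected_host: str) -> str:
    """Cloaking shows as variant-dependent outcomes; a plain redirect hits every variant."""
    off_site = [o for o in observations if o.final_host != expected_host]
    if not off_site:
        return "clean"
    if len(off_site) == len(observations):
        return "unconditional-redirect"   # preloader case: same result for every visitor
    return "cloaked-redirect"             # only some visitor types are sent away


# Constructed fixture mirroring the described logic, with a placeholder destination.
INJECTED_PAGE = """<html><body><h1>Department notice</h1>
<script>
var r = document.referrer.toLowerCase();
var s = ["google.", "bing."];
for (var i = 0; i < s.length; i++) {
  if (r.indexOf(s[i]) > -1 && /iPhone|Android/i.test(navigator.userAgent)) {
    window.location.href = "https://redirect-target.invalid/";
  }
}
</script></body></html>"""

# Constructed benign page: reads the same browser properties but never navigates away.
BENIGN_PAGE = """<html><body>
<script>
analytics.track("pageview", {ref: document.referrer, ua: navigator.userAgent});
</script></body></html>"""

if __name__ == "__main__":
    print(scan_html(INJECTED_PAGE))   # one finding listing all four indicators
    print(scan_html(BENIGN_PAGE))     # []
    obs = [Observation("desktop-direct", 404, "example.gov.in"),
           Observation("mobile-from-google", 200, "redirect-target.invalid")]
    print(classify(obs, "example.gov.in"))  # cloaked-redirect
```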

Figure 7 - Instance of referrer redirection in a website’s source code

Figure 8 - Preloader on the landing page redirects the user to an investment website

Figure 9 - Inspection of the request highlights that the referrer was a Government Website

How is code being injected into websites?

A possible answer is the exploitation of file upload functionality within the websites, combined with JavaScript code injection, possibly via stored XSS. We state this with medium confidence.

As mentioned above, when analysing more websites we found an abundance of files with “.shtml”, “.html” and “.aspx” extensions that had seemingly been uploaded to previously non-existent directories within the affected websites (as indicated by the search result URLs). However, we have not been able to pinpoint the exact vulnerability being exploited.

Figure 10 - Highlighted URL shows the presence of a file, with the “.shtml” extension being uploaded to the file server 

As is well known, .shtml files, or Server Side Includes (SSI) files, are HTML files containing server-side directives that the web server processes before sending the page to the client's browser. This suggests that redirection code could be injected into these files.

These files are removed upon reporting via Google’s Webmaster Tools, but they remain cached and continue to surface as results through Google’s indexing mechanism, often reflecting the redirected website’s content in the search results.

Figure 11 - Search results for Kerala Government’s assets, which are wedged with content from rummy game websites

Keyword Stuffing: Real Time Technique Utilization

In a particular client query investigation, we uncovered a series of spam websites that had the keywords of a national public sector bank and its banking application stuffed into their front pages, promoting rummy games.

When delving deeper into these websites, it was discovered that the websites were targeting more Indian companies in the financial sector and had utilized the template of other similar websites, geared towards promoting Indonesian casino games.

Figure 12 - Screenshot highlighting similarity of Template Usage  

If not stopped in its tracks, the threat of customers being swindled could eventually loom over other organizations and a variety of other industries.

Website Content targeted towards Key Search Terms

Taking the screenshot below as an example, we can see that keywords such as loan and card application, aimed at bank-related queries, have been stuffed into the webpage. Users land on such untrusted pages and then see text enticing them to take part in rummy games.

Keyword Stuffing: The sources of such text are digital ads commissioned by the bank in question, promotional text from its websites, and an amalgamation of common queries from the customer pool, for example queries from customers seeking instant personal loans with low interest rates.

Figure 13 - Webpage containing keywords and search terms targeting a National Bank, with promotion of rummy games

In one instance, a template message pushing phishing links, of the kind sent via mobile SMS, was discovered on a webpage.

Figure 13 - Insertion of phishing message on webpage, as part of keyword stuffing

The impersonating domains create web paths targeting companies, and the page titles are also tailored to match the company name.

Figure 14 - Screenshots highlighting examples of brand names used to garner clicks from page title and webpage content

Below is an example of text stuffing using a subdomain address belonging to the Government of Telangana, on a similar page pushing rummy games.

Figure 15 - Screenshot highlighting keyword stuffing of Government domain address

Interconnected Web Pages: Referred to as "link farms," this involves creating multiple web pages that link to one another to increase incoming links and boost a website's ranking. Upon further checks, it was found that attempts to play these games lead to a website named “teenpattionline.game” / teenpatti.com, offering a trove of betting games that promise rewards.

Inside these games

These rummy games, packaged under various names, follow an approach akin to investment scams, as illustrated below:

Figure 16 - Key Events encountered while playing Rummy Games, especially those which are untrusted

Upon further checks, it was found that attempts to play these games lead to a website named “teenpattionline.game”, offering a trove of betting games that promise rewards.

Why do users get enticed by such games?

Benefits offered by games

1. Referral Bonus: For every referral, a user receives a nominal amount ranging from Rs 20 to 80, drawing more individuals to the brink of gambling and possible financial ruin. New logins from the same device are not counted towards this.

Figure 17 - Game popup encouraging users to refer the platform to other individuals, in return for monetary rewards

2. Login Bonus: These games offer paltry rewards for daily logins, an enticing prospect that captures people’s attention and prompts them to spend on the games every day.

Figures 18 & 19 - Screenshots from the game portal highlighting the requirement to invest money first, to gain rewards

VIP User Base Structuring

This is a concept seen in most pig butchering / Ponzi scam models, where users who invest more in the hope of better rewards are classed into VIP levels. The higher the VIP level a user is classed under, the higher the chances of that individual being scammed.

Figure 20 - Game Popup highlighting the benefits of upgrading to a higher level, to receive more bonus rewards

Correlation to Color Prediction Scams

During further analysis, we observed that a new route to scam individuals out of money could be brewing, aided by color prediction games.

From our previous research on this scam type, games and domains impersonating prominent companies offer opportunities to place bets and receive monetary rewards, for predicting the right color.

The scam is similar to the Ponzi/ pyramid scheme, where the money collected from new players/ investors is used to pay profits to early adopters/investors.

To Note: The future promotion of such games through this campaign is stated merely as a possibility; what is relevant is that such games exist, are fraudulent, and are able to siphon off large amounts of money.

Figure 21 - Keyword Stuffing instance for Color Prediction Games

Challenges with spam SEO Pages

  • Removing spam SEO pages is difficult due to their sheer volume and the speed at which they are created. Many operate across multiple domains, making it challenging to track and eliminate them completely.
  • Organizations struggle with spam SEO because it diverts traffic from legitimate content, affecting visibility and revenue.
  • False positives in spam detection can lead to legitimate content being mistakenly flagged, creating additional risks. Legal action against spam operators is often slow and costly, with little guarantee of success. Moreover, maintaining user trust becomes difficult as spam undermines brand reputation and credibility.

Exploring Backlinking ties

During our analysis of one suspect rummy game website, indorummy[.]net, it was found that the website had employed backlinking services. The website was additionally found listed, among others, on link farm websites.

Figure 22 - Backlinks found for indorummy[.]net - Source SEOptimer

To provide more context, here is how these link farms help rummy websites, or any dodgy website utilizing their services:

Boosting Search Rankings:

  • Backlinks are a key ranking factor in Google’s algorithm. Having many links from different domains can trick search engines into thinking "indorummy.net" is an authoritative site.
  • This can artificially boost rankings in search engine results pages (SERPs).

Domain Authority (DA) Manipulation:

  • Some links are from sites offering "DA Increase Services", which suggests that backlinks were purchased.
  • These services aim to inflate a website’s domain authority (DA) using spammy backlinks.

Increased Indexation & Crawl Frequency

  • Search engines discover new websites through backlinks.
  • Link farms force search engines to crawl "indorummy.net" and similar sites more frequently.
  • Some of the referring sites can possibly help generate fake referral traffic.

Figure 23 - Backlinking Frequency - Source: NeilPatel.com - SEO Analyzer

Insights from the graph:

  • Sudden Growth: Around November 2024, there was a dramatic spike in both metrics:
      • Backlinks increased to around 33
      • Referring domains grew to approximately 15
  • Sustained Level: After the spike, both metrics appear to have stabilized at their new higher levels through February 2025, suggesting that the growth wasn't just a temporary anomaly.
  • Parallel Growth: The growth in backlinks and referring domains occurred simultaneously, indicating a coordinated SEO effort or a significant event that triggered multiple sites to link to the content at once.

A common Telegram handle, advertised for backlinking consultation, was found linked within these websites. The handle has since gone inactive. Additionally, services on the freelancer platform ‘Fiverr’ have been linked to these websites. The credibility of these listings is questionable.

Figure 24 - Backlinking Contact Advertisement

Figure 25 - Backlinking Advertisements on Fiverr

Infrastructure

With indorummy[.]net and vc99[.]net, among their other variants, commonly appearing in browsers via poisoned results, our investigation extended to their DNS records.

What is alarming about the method used by the threat actors is the sheer scale of their infrastructure. We were able to identify 12 associated IP addresses, with multiple domains carrying the prefix ‘bet’, ‘rummy’ or ‘vip’ and pointing to rummy/investment platforms that siphon off people’s hard-earned money.

NOTE: The 104.21.x.1 range is used by Cloudflare as part of their proxy and DDoS protection service. When a website uses Cloudflare, the A records typically point to Cloudflare's IPs instead of the website's actual server. Cloudflare then routes traffic to the real destination while filtering malicious requests.

The presence of multiple A records in the same IP range indicates that the domains are using multiple IP addresses for load balancing, redundancy, or performance optimization. For example’s sake, domains sharing the same IP range have been highlighted in the table below:

Table 1 - Details of ASNs and websites associated with the black-hat SEO campaign

IP               ASN                    Example Domain
104.21.16.1      AS13335 (Cloudflare)   rummydeity[.]cc
104.21.32.1      AS13335 (Cloudflare)   rummymost[.]com
104.21.48.1      AS13335 (Cloudflare)   rummyhowtoplay[.]com
104.21.64.1      AS13335 (Cloudflare)   rummyvibe[.]com
104.21.80.1      AS13335 (Cloudflare)   rummyjax[.]in
104.21.96.1      AS13335 (Cloudflare)   rummyox26[.]mom
104.21.112.1     AS13335 (Cloudflare)   74rummy[.]com
104.21.29.218    AS13335 (Cloudflare)   Crickexlive[.]vip and 99vc[.]net
18.160.46.4      AS16509 (AMAZON-02)    indslotscash[.]com
18.160.46.5      AS16509 (AMAZON-02)    betweb[.]vip
18.160.46.88     AS16509 (AMAZON-02)    vipdiorbet[.]com
18.160.46.121    AS16509 (AMAZON-02)    indslots[.]net

One common issue is the presence of lax security measures within these ASNs, making them attractive targets for cybercriminals who exploit vulnerabilities and host malicious content. Additionally, some ASNs allow users to register services anonymously, providing a conducive environment for malicious actors to operate without easy identification. 

Some of the ASNs that we identified as associated with the campaign, and which have been reported for phishing, malware, etc., are as follows:

Table 2 - General Reports for ASNs

IP               ASN                    Report
104.21.80.1      AS13335 (Cloudflare)   https://www.malwareurl.com/ns_listing.php?as=AS13335
18.160.46.121    AS16509 (AMAZON-02)    https://www.malwareurl.com/ns_listing.php?as=AS16509

Tentacles of Blackhat SEO, on Malaysian Government Websites

During our research, a LinkedIn post came to our attention describing a similar campaign that unfolded in Malaysia around four months ago, in which Government websites were being backlinked to rummy and casino websites.

Figure 26 - LinkedIn Post - Source

It further establishes that insecure infrastructure will never be immune to unethical activity if secure coding practices are not followed and critical infrastructure is not safeguarded. This is not an isolated incident.

Mitigation

For Authorities and related personnel

Security Infrastructure Improvements

  • Implement strict file upload validation and restrictions.
  • Regularly scan for unauthorized HTML/SHTML files.
  • Monitor and restrict script injection by enforcing input validation.
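The second bullet above, and the earlier observation that .shtml/.html/.aspx files appeared in directories that did not previously exist, can be operationalised as a baseline diff of the web root. The following added example (not CloudSEK's tooling) records a manifest of the deployed tree, then reports every file that is new, lives in a directory the manifest never saw, or was modified, and inspects the watched extensions for SSI directives and redirect constructs. The web root, manifest, file contents and the redirect-target.invalid host are constructed inside a temporary directory.

```python
"""
Baseline-diff scan of a web root for planted or tampered HTML/SHTML/ASPX files.
Added example, not CloudSEK's code; all paths and contents below are constructed.
"""
import hashlib
import os
import re
import tempfile

WATCH_EXT = {".shtml", ".html", ".htm", ".aspx"}
# SSI directives are evaluated server-side; #exec and #include are the ones that pull in code.
SSI_DIRECTIVE = re.compile(rb"<!--#\s*(exec|include|echo|set|config)\b", re.I)
# Client- or server-side redirect constructs commonly seen in planted pages.
REDIRECT_MARKER = re.compile(
    rb"http-equiv\s*=\s*[\"']refresh|location\.(href|replace|assign)|Response\.Redirect", re.I
)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Record every file under root as relative-path -> sha256, taken at deployment time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def scan(root: str, manifest: dict) -> list:
    """Compare the live web root with the manifest and explain each deviation."""
    known_dirs = {os.path.dirname(p) for p in manifest}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel not in manifest:
                reasons.append("not-in-manifest")
                if os.path.dirname(rel) not in known_dirs:
                    reasons.append("unknown-directory")   # the "non-existent directory" case
            elif manifest[rel] != sha256_file(full):
                reasons.append("modified")
            if reasons and os.path.splitext(name)[1].lower() in WATCH_EXT:
                with open(full, "rb") as fh:
                    head = fh.read(1 << 20)  # first 1 MiB is enough for planted pages
                if SSI_DIRECTIVE.search(head):
                    reasons.append("ssi-directive")
                if REDIRECT_MARKER.search(head):
                    reasons.append("redirect-marker")
            if reasons:
                findings.append({"path": rel, "reasons": reasons})
    return findings


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> list:
    """Build a constructed clean deployment, then simulate the post-compromise state."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<html><body>Department portal</body></html>")
        _write(root, "css/site.css", "body { margin: 0 }")
        manifest = build_manifest(root)
        # Planted .shtml in a directory that never existed at deployment time
        _write(root, "uploads/x9/rummy.shtml",
               '<!--#include virtual="/cgi-bin/r.cgi" -->\n'
               '<meta http-equiv="refresh" content="0;url=https://redirect-target.invalid/">')
        # Legitimate page tampered with, but carrying no redirect construct
        _write(root, "index.html", "<html><body>Department portal (edited)</body></html>")
        return scan(root, manifest)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the manifest would be generated from the release artefact rather than from the live server, so that files planted before the first scan are not baselined as legitimate.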

Website Monitoring

  • Regularly audit website content and backlinks.
  • Set up alerts for unauthorized domain references.
  • Monitor search engine results for suspicious listings.
  • Use Google Search Console to identify and remove malicious backlinks.

For Users

General Security Awareness

  • Verify website URLs before clicking, especially for government sites.
  • Be cautious of search results promoting gaming or betting.
  • Don't trust websites just because they appear in top search results.
  • Use official mobile app stores only.

Financial Protection

  • Never provide banking details to unknown gaming platforms.
  • Be wary of “too good to be true” money making offers.
  • Avoid participating in unregulated gambling activities.

Public Awareness

  • Issue public advisories about known scams, embracing a citizen-first mentality and instilling a sense of accountability and awareness.
  • Provide reporting mechanisms for the public.
  • Warn customers about SEP-promoted games by distributing advisories on identifying phishing or fraudulent gaming platforms.

Appendix

Figure 27 - Links to external Casino sites, on an Indian Government website

Predict Cyber threats against your organization

Related Posts
No items found.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Threat Intelligence

15

min read

The Faux SEO Spiderweb: Exploring how Black-hat SEO has riddled the Indian Internet Space

Black-hat SEO tactics are compromising the Indian internet space, with cybercriminals exploiting search engine poisoning to infiltrate government, educational, and financial websites. This in-depth analysis uncovers how malicious actors manipulate search rankings using keyword stuffing, cloaking, and backlinking to redirect unsuspecting users to fraudulent gaming and investment platforms. The report highlights the alarming scale of this digital deception, urging authorities to strengthen security measures and users to stay vigilant against manipulated search results. Stay informed and safeguard your online experience against black-hat SEO threats. 🚨 #CyberSecurity #SEO

Authors
Noel Varghese
Co-Authors
No items found.

Executive Summary

Indian Government websites, Educational Websites and well-known Financial brands have been affected in scale, by SEO Poisoning, leading to user traffic being redirected to sketchy websites promoting rummy, and other investment-focused games. In this advisory, we will be discussing the techniques utilized to mislead Indian Internet users, when performing searches to clear their queries.

Overview

In a recent development, analysts at CloudSEK have discovered the much maligned use of black hat Search Engine Poisoning by threat actors, to push Rummy and Investment focused websites to unsuspecting users. Targets of interest include websites with .gov.in , .ac.in TLD’s and usage of keyword stuffing mentioning well known financial brands in India. Over 150 government portals, most belonging to state governments, have been affected at scale.

What is Search Engine Poisoning?

Search engine poisoning refers to malicious practices aimed at manipulating search engine results to promote harmful or deceptive content. These tactics are typically employed by cybercriminals to redirect users to fraudulent websites, distribute malware, or launch phishing attacks.

Techniques in play:

  • Referrer Header Manipulation - Referrer header manipulation is a technique used by malicious actors to disguise the source of a request. This can be done using script injection into the website’s source code. A tactic that can be classified under cloaking.
  • Cloaking - Cloaking is a technique in which a website shows different content to search engines and human visitors. The purpose of cloaking is to deceive search engines and manipulate rankings by presenting content that is optimized for certain search engines but not visible to users, using a certain user agent.
  • Keyword Stuffing : Cybercriminals target trending keywords or events (e.g., breaking news, popular products) and create malicious websites optimized to rank high in search results.
  • Backlinking - Backlinking in blackhat SEO refers to the practice of obtaining backlinks through manipulative means in order to artificially boost a website's search engine rankings. This can include tactics such as link farming.
  • Underlying system Vulnerabilities - Threat actors can possibly exploit underlying vulnerabilities in  systems such as CMS’ hosting web content to create directories and host content on them like files with .shtml and .html extensions. However we haven't been able to pinpoint the exact vulnerability that is being exploited.

How do Rummy and Investment Focused Games come into the picture?

Rummy games have a rich history and have grown immensely popular in India, both offline and online. The advent of online gaming platforms has further boosted its popularity. With access to smartphones, affordable internet, and the convenience of playing from home, rummy games have found a massive audience in India. 

Additionally, platforms offering cash prizes and tournaments have made it even more enticing. However, while it provides entertainment and opportunities to win, the financial risks can’t be ignored. Many players overestimate their abilities and continue to bet/invest on higher amounts, leading to losses. The desire to recover losses, known as "chasing losses," often traps players in a cycle of increasing bets.

Voicing Concern on Social Media

Ever since the unfolding attack scenario was highlighted on X (formerly Twitter) last year, a handful of similar posts have appeared on platforms such as Linkedin, X and the news outlet TechCrunch.

Figure 1 - Linkedin Post - Source

Figure 2 - X Post - Source

Figure 3 - TechCrunch Article - Source

Technical Analysis

Intertwining Referer Header Manipulation & User Agent Cloaking : Real Time Technique Utilization

Inspection of the source code, on one of the Indian Government websites affected, shows a Javascript snippet. The functionality of the code snippet is as follows:-

  1. It retrieves the referrer of the current document (i.e., the URL of the page that linked to the current page) and converts it to lowercase.
  1. It sets up an array containing strings of User-Agents (in this case, "IPhone." and "Android.").
  1. It loops through the array to check if the referrer contains any of the specified search engine strings.
  1. If a match is found and the user is identified as being on a mobile device (using a regular expression that checks the navigator.userAgent), it redirects the user to "https[:]//yono-allslots[.]com/".

In this case, "https[:]//yono-allslots[.]com/" redirects to indorummy[.]net, another rummy game website.

Figure 4 - Highlighted Javascript code snippet utilizing referrer header manipulation

To explore if this is really possible, a search was run using the dork “rummy” site:*.gov.in, and the logic of the script was analyzed, using Google Developer Tools, and by changing the device type. 

Figures 5 & 6 - Tweaking the user agent using Google’s Developer Tools utility shows two different webpages after clicking on an affected Government website

The script was working as intended and it goes on to demonstrate how stealthily threat actors are operating, in a way that more than meets the eye.

When checking the script, it is evident that an exception is made for Desktop-based browsers, where users would rather be shown a 404 Error Page, when clicking on similarly doctored results. This is a case of user agent cloaking in practice.

In other cases, it is more direct, wherein a landing page depicting the rummy website in question loads up after the preloader touches 100%. This is aided using redirection, using Javascript and the same content reflects, irrespective of user agent.

Figure 7  - Instance of referrer redirection in a website’s source code

Figure 8 - Preloader on the landing page redirects the user to an investment website

Figure 9 - Inspection of the request highlights that the referrer was a Government Website

How is code being injected into websites?

A possible answer to this would be the exploitation of File Upload functionality within websites combined with Javascript code Injection, possibly utilizing stored XSS in the process. We state this with medium confidence.

As mentioned above, during our analysis when analyzing more websites, it was found that an abundance of files with extensions “.shtml”, “.html” and “.aspx” extensions were seemingly uploaded to non-existent directories, within affected websites (indicated by the search result URL). However we haven't been able to pinpoint the exact vulnerability that is being exploited.

Figure 10 - Highlighted URL shows the presence of a file, with the “.shtml” extension being uploaded to the file server 

As we know, .shtml, or Server Side Includes (SSI) files, are HTML files that include server-side scripting commands that are processed by the web server before being sent to the client's web browser. This can indicate that redirection code could be injected in these files

These files get removed upon reporting - by utilizing Google’s Webmaster Tool,  but get cached and show up as results by Google’s indexing mechanism, often reflecting the redirected website’s content on search results.

Figure 11 - Search results for Kerala Government’s assets, which are wedged with content from rummy game websites

Keyword Stuffing: Real Time Technique Utilization

In a particular case of client query investigation, we uncovered a series of spam websites having the keywords of a National Public Sector Bank and its Banking Application stuffed into the frontpage, promoting rummy games. 

When delving deeper into these websites, it was discovered that the websites were targeting more Indian companies in the financial sector and had utilized the template of other similar websites, geared towards promoting Indonesian casino games.

Figure 12 - Screenshot highlighting similarity of Template Usage  

With an eventual course of progression if not stopped in its tracks, the threat of customers being swindled can loom over other organizations, other varied industries

Website Content targeted towards Key Search Terms

Taking the screenshot provided below as an example, we can see that keywords such as loan and card application, targeted for bank queries have been stuffed into the webpage, making users land on such untrusted pages and proceeding to see text enticing users to partake in rummy games.

Keyword Stuffing: The source of such text are from digital ads commissioned by the bank in question, promotional text from their websites and an amalgamation of common queries from the customer pool, for example, taking queries where customers seek instant personal loans, with low interest rates.

Figure 13 - Webpage containing keywords and search terms targeting a National Bank, with promotion of rummy games

In one particular instance, a template message pushing phishing links from Mobile SMS’ were discovered on a webpage

Figure 13 - Insertion of phishing message on webpage, as part of keyword stuffing

The impersonating domains create webpaths targeting companies, and the page titles are also tailored to match the company name

Figure 14 - Screenshots highlighting  examples of brand names used to garner clicks from page title and webpage content

Below is an example of text stuffing, using a subdomain address belonging to the Government of Telengana, on a similar page pushing rummy games.

Figure 15 - Screenshot highlighting keyword stuffing of Government domain address

Interconnected Web Pages: Referred to as "Link Farms," this involves creating multiple web pages that are linked together to increase incoming links and boost a website's ranking. Upon further checks, it was found that attempts to play these games lead to a website named “teenpattionline.game”/ teenpatti.com , offering a trove of games involving betting to gain rewards.

Inside these games

These rummy games, packaged under various names, follow an approach akin to investment scams, as illustrated below:

Figure 16 - Key Events encountered while playing Rummy Games, especially those which are untrusted


Why do users get enticed by such games?

Benefits offered by games

1. Referral Bonus: For every referral, a user receives a nominal amount of Rs 20-80, drawing more individuals towards gambling and possible financial ruin. New logins from the same device are not counted towards this bonus.

Figure 17 - Game popup encouraging users to refer the platform to other individuals, in return for monetary rewards

2. Login Bonus: These games offer paltry rewards for daily logins, a cheap way to hold people's attention and prompt them to spend on the games every day.

Figures 18 & 19 - Screenshots from the game portal highlighting the requirement to invest money first, to gain rewards

VIP User Base Structuring

This is a structure seen in most pig butchering / Ponzi scam models: users who invest more in pursuit of better rewards are classed into VIP levels. The higher the VIP level an individual reaches, the more money they have already committed and the greater their exposure to being scammed.

Figure 20 - Game Popup highlighting the benefits of upgrading to a higher level, to receive more bonus rewards

Correlation to Color Prediction Scams

Further analysis suggests that a new route for scamming individuals out of money may be emerging: color prediction games.

Our previous research on this scam type found games and domains impersonating prominent companies that offer users the chance to place bets and earn monetary rewards for predicting the right color.

The scam works like a Ponzi or pyramid scheme: money collected from new players is used to pay "profits" to earlier players.

To note: the promotion of such games through this campaign is stated only as a possibility. What is established is that these games exist, are fraudulent, and are capable of siphoning off large sums of money.

Figure 21 - Keyword Stuffing instance for Color Prediction Games

Challenges with spam SEO Pages

  • Removing spam SEO pages is difficult due to their sheer volume and the speed at which they are created. Many operate across multiple domains, making it hard to track and eliminate them completely.
  • Organizations struggle with spam SEO because it diverts traffic from legitimate content, affecting visibility and revenue.
  • False positives in spam detection can lead to legitimate content being mistakenly flagged, creating additional risk.
  • Legal action against spam operators is often slow and costly, with little guarantee of success.
  • Maintaining user trust becomes difficult, as spam undermines brand reputation and credibility.

Exploring Backlinking ties

During our analysis of one suspect rummy website, indorummy[.]net, we found that it had engaged backlinking services. The website was additionally listed, among others, on link farm websites.

Figure 22 - Backlinks found for indorummy[.]net - Source SEOptimer

To provide more context, here’s how these link farms help rummy websites, or any dodgy website utilizing their services:-

Boosting Search Rankings:-

  • Backlinks are a key ranking factor in Google's algorithm. Having many links from different domains can trick search engines into treating indorummy[.]net as an authoritative site.
  • This can artificially boost rankings in search engine results pages (SERPs).

Domain Authority (DA) Manipulation:-

  • Some links are from sites offering "DA Increase Services", which suggests that backlinks were purchased.
  • These services aim to inflate a website’s domain authority (DA) using spammy backlinks.

Increased Indexation & Crawl Frequency

  • Search engines discover new websites through backlinks.
  • Link farms cause search engines to crawl indorummy[.]net and similar sites more frequently.
  • Some of the referring sites can possibly help generate fake referral traffic.

Figure 23 - Backlinking Frequency - Source: NeilPatel.com - SEO Analyzer

Insights from the graph:-

  • Sudden Growth: Around November 2024, there was a dramatic spike in both metrics:
      • Backlinks increased to around 33
      • Referring domains grew to approximately 15
  • Sustained Level: After the spike, both metrics stabilised at their new, higher levels through February 2025, suggesting the growth was not a temporary anomaly.
  • Parallel Growth: Backlinks and referring domains grew simultaneously, indicating a coordinated SEO effort or a single event that caused multiple sites to link to the content at once.

A common Telegram handle, advertised for backlinking consultation, was found linked from these websites. The handle has since gone inactive. Services on the freelancer platform Fiverr were also linked to these websites; the credibility of these listings is questionable.

Figure 24 - Backlinking Contact Advertisement

Figure 25 - Backlinking Advertisements on Fiverr

Infrastructure

Since indorummy[.]net, vc99[.]net and their variants appear frequently in poisoned results, we extended the investigation to their DNS records.

What is alarming about this method is the sheer scale of the infrastructure. We identified 12 associated IP addresses serving multiple domains with the prefix 'bet', 'rummy' or 'vip', all pointing to rummy/investment platforms that siphon off people's hard-earned money.

NOTE: The 104.21.x.x addresses fall inside 104.16.0.0/13, an address block that Cloudflare (AS13335) announces for its reverse-proxy and DDoS-protection service. When a website is proxied through Cloudflare, its A records point at Cloudflare's anycast edge rather than at the origin server; Cloudflare forwards traffic to the real host, which stays hidden from DNS lookups.

Multiple A records in the same Cloudflare range therefore say nothing about the operators' own load balancing or redundancy: the edge addresses are assigned by Cloudflare, and two domains sharing one of them share only the proxy, not necessarily a server or an operator. The same caution applies, more weakly, to the adjacent Amazon (AS16509) addresses in 18.160.46.0/24, which point to a common hosting provider rather than proven common control. Shared addresses are a lead to corroborate through registration details, page templates and backlink profiles, not an attribution on their own. For illustration, domains sharing the same address ranges are listed in the table below:-

Table 1 - Details of ASNs and websites associated with the blackhat SEO campaign

IP               ASN                      Example Domain
104.21.16.1      AS13335 (Cloudflare)     rummydeity[.]cc
104.21.32.1      AS13335 (Cloudflare)     rummymost[.]com
104.21.48.1      AS13335 (Cloudflare)     rummyhowtoplay[.]com
104.21.64.1      AS13335 (Cloudflare)     rummyvibe[.]com
104.21.80.1      AS13335 (Cloudflare)     rummyjax[.]in
104.21.96.1      AS13335 (Cloudflare)     rummyox26[.]mom
104.21.112.1     AS13335 (Cloudflare)     74rummy[.]com
104.21.29.218    AS13335 (Cloudflare)     crickexlive[.]vip, 99vc[.]net
18.160.46.4      AS16509 (AMAZON-02)      indslotscash[.]com
18.160.46.5      AS16509 (AMAZON-02)      betweb[.]vip
18.160.46.88     AS16509 (AMAZON-02)      vipdiorbet[.]com
18.160.46.121    AS16509 (AMAZON-02)      indslots[.]net
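To make the caveat about shared addresses concrete, here is an added Python example (not code from the advisory or from CloudSEK) that groups the domains in Table 1 by resolved address and marks which shared addresses fall inside a published reverse-proxy range, so that a Cloudflare edge shared by two domains is not mistaken for shared hosting. The only proxy range included is Cloudflare's published 104.16.0.0/13; a real pivot would load the full published list, and nothing here establishes whether the Amazon addresses front a CDN.

```python
"""Group suspect domains by resolved address and mark which shared addresses are
reverse-proxy (CDN) edges, where co-location proves nothing about the operator."""
import ipaddress
from collections import defaultdict

# Cloudflare publishes its IPv4 ranges at https://www.cloudflare.com/ips-v4;
# 104.16.0.0/13 is the block covering the 104.21.x.x addresses in Table 1.
# In production, load the full published list rather than this single entry.
PROXY_NETS = [ipaddress.ip_network("104.16.0.0/13")]

# Resolution data transcribed from Table 1 (domains defanged as on the page).
OBSERVED = [
    ("104.21.16.1", "rummydeity[.]cc"),
    ("104.21.32.1", "rummymost[.]com"),
    ("104.21.48.1", "rummyhowtoplay[.]com"),
    ("104.21.64.1", "rummyvibe[.]com"),
    ("104.21.80.1", "rummyjax[.]in"),
    ("104.21.96.1", "rummyox26[.]mom"),
    ("104.21.112.1", "74rummy[.]com"),
    ("104.21.29.218", "crickexlive[.]vip"),
    ("104.21.29.218", "99vc[.]net"),
    ("18.160.46.4", "indslotscash[.]com"),
    ("18.160.46.5", "betweb[.]vip"),
    ("18.160.46.88", "vipdiorbet[.]com"),
    ("18.160.46.121", "indslots[.]net"),
]


def is_proxy_edge(ip, proxy_nets=PROXY_NETS):
    """True if the address belongs to a known reverse-proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in proxy_nets)


def group_by_ip(records, proxy_nets=PROXY_NETS):
    """Map each address to its domains and whether it is a proxy edge."""
    groups = defaultdict(set)
    for ip, domain in records:
        groups[ip].add(domain)
    return {ip: {"domains": sorted(d), "proxy": is_proxy_edge(ip, proxy_nets)}
            for ip, d in groups.items()}


def strong_pivots(records, proxy_nets=PROXY_NETS):
    """Shared addresses that are NOT proxy edges: the only IP overlaps worth
    treating as evidence of common hosting."""
    return {ip: g["domains"] for ip, g in group_by_ip(records, proxy_nets).items()
            if len(g["domains"]) > 1 and not g["proxy"]}


def group_by_prefix(records, prefixlen=24, proxy_nets=PROXY_NETS):
    """Weaker signal: non-proxy domains inside the same /prefixlen, i.e. the
    same provider block. Suggests a shared provider, not a shared operator."""
    blocks = defaultdict(set)
    for ip, domain in records:
        if is_proxy_edge(ip, proxy_nets):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)].add(domain)
    return {net: sorted(d) for net, d in blocks.items() if len(d) > 1}


if __name__ == "__main__":
    for ip, g in group_by_ip(OBSERVED).items():
        tag = "proxy edge (weak pivot)" if g["proxy"] else "direct (usable pivot)"
        print(f"{ip:15} {tag:26} {', '.join(g['domains'])}")
    print("strong pivots:", strong_pivots(OBSERVED))
    print("same provider /24:", group_by_prefix(OBSERVED))
```

Run against Table 1, strong_pivots() comes back empty: every shared address is a Cloudflare edge, and the four Amazon domains share only a /24. Neither result is proof of a common operator; both are leads to corroborate with registration data, page templates and backlink profiles.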

Both ASNs belong to large, legitimate providers, and their appearance here is not evidence of weak security on their part. What makes them attractive to operators of this kind is the low-friction, largely anonymous sign-up and, in Cloudflare's case, the way the reverse proxy masks the origin server: identifying and reporting the real host means going through the provider's abuse process rather than a lookup on the IP address.

Both ASNs also appear in public abuse feeds for phishing, malware and similar activity. Given their size such listings are expected and do not by themselves implicate the provider; they are included only as context for the addresses above:

Table 2 - General reports for ASNs

IP               ASN                      Report
104.21.80.1      AS13335 (Cloudflare)     https://www.malwareurl.com/ns_listing.php?as=AS13335
18.160.46.121    AS16509 (AMAZON-02)      https://www.malwareurl.com/ns_listing.php?as=AS16509

Tentacles of Blackhat SEO on Malaysian Government Websites

During our research, a LinkedIn post came to our attention describing a similar campaign that unfolded in Malaysia around four months earlier, in which government websites were backlinked to rummy and casino websites.

Figure 26 - LinkedIn Post - Source

It reinforces the point that infrastructure maintained without secure coding practices and basic safeguards will keep being abused for this kind of activity. This is not an isolated incident.

Mitigation

For Authorities and related personnel

Security Infrastructure Improvements

  • Implement strict file upload validation and restrictions (allowed types, size limits, storage outside the web root, no server-side execution of uploaded files).
  • Regularly scan for unauthorized HTML/SHTML files by comparing the web root against the deployment manifest.
  • Prevent script and content injection through input validation and output encoding.

Website Monitoring

  • Regularly audit website content, outbound links and backlinks for references to domains the organization does not own.
  • Set up alerts for unauthorized domain references.
  • Monitor search engine results (for example, site: queries on your own domains) for suspicious listings.
  • Use Google Search Console to review inbound links, disavow spam backlinks and request removal of injected URLs from the index.
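As an added example (not code from the advisory or from CloudSEK), the following Python script implements the two checks above that lend themselves to automation, and covers the indicators described earlier under keyword stuffing (Figures 13-15): it compares the web root against a deployment manifest to find HTML/SHTML files that were never deployed, and audits each page for lure vocabulary, hidden blocks, meta-refresh redirects and links to hosts the site does not own. The lure term list, the reserved site name revenue.example, the sample pages and the file lists are constructed for the demonstration; only www.india.gov.in is a real host, used as the one expected outbound link.

```python
"""Audit a site for SEO-spam indicators: HTML files absent from the deployment
manifest, and pages whose outbound links, hidden blocks, redirects or lure
vocabulary do not belong on a government or bank site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure vocabulary seen on stuffed pages; an assumed starting list, extend per deployment.
LURE_TERMS = ("rummy", "teen patti", "casino", "betting", "color prediction",
              "instant personal loan", "referral bonus", "vip level")
# Inline styles commonly used to hide stuffed text from visitors but not from crawlers.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}|left\s*:\s*-\d{3,}px", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)


class PageAudit(HTMLParser):
    """Collects outbound link hosts, visible text, hidden blocks and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.hosts, self.text = set(), []
        self.hidden_blocks, self.meta_redirect = 0, False

    def _add_host(self, url):
        host = urlparse(url).hostname
        if host:
            self.hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # HTMLParser lowercases names
        if tag == "a" and a.get("href"):
            self._add_host(a["href"])
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_redirect = True                  # redirect target counts as a link
            m = META_URL.search(a.get("content", ""))
            if m:
                self._add_host(m.group(1))
        if "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
            self.hidden_blocks += 1

    def handle_data(self, data):
        self.text.append(data)


def audit_html(html, site_domain, allowed_hosts=()):
    """Return the indicators for one page; 'suspicious' combines them conservatively."""
    p = PageAudit()
    p.feed(html)
    text = " ".join(p.text).lower()
    lure_hits = sum(text.count(term) for term in LURE_TERMS)
    foreign = {h for h in p.hosts
               if h != site_domain and not h.endswith("." + site_domain)
               and h not in allowed_hosts}
    suspicious = lure_hits >= 3 or bool(foreign and (p.hidden_blocks or p.meta_redirect or lure_hits))
    return {"lure_hits": lure_hits, "foreign_hosts": foreign,
            "hidden_blocks": p.hidden_blocks, "meta_redirect": p.meta_redirect,
            "suspicious": suspicious}


def unexpected_web_files(present, manifest, exts=(".html", ".htm", ".shtml")):
    """HTML-serving paths found under the web root but absent from the deployment manifest."""
    known = set(manifest)
    return sorted(p for p in present if p.lower().endswith(exts) and p not in known)


# Constructed samples (not captured from any real site).
STUFFED_PAGE = """<html><head><title>Example Bank - Instant Personal Loan | Rummy</title>
<meta http-equiv="refresh" content="5;url=https://rummy-lure.invalid/play"></head><body>
<p>Apply for instant personal loan, low interest credit card application, Example Bank net banking.</p>
<div style="position:absolute;left:-9999px;display:none">rummy rummy teen patti betting bonus</div>
<p>Play rummy now, earn referral bonus, unlock VIP level rewards.
<a href="https://rummy-lure.invalid/app">Download</a> | <a href="https://t.me/example_backlinks">Telegram</a></p>
</body></html>"""
CLEAN_PAGE = """<html><head><title>Department of Revenue - Forms</title></head><body>
<p>Download application forms for property tax and trade licences.</p>
<a href="https://forms.revenue.example/tax.pdf">Forms</a> <a href="https://www.india.gov.in/">National Portal</a>
</body></html>"""
PRESENT = ["index.html", "forms/tax.pdf", "uploads/loan-rummy.html", "cgi/old.shtml"]
MANIFEST = ["index.html", "forms/tax.pdf"]

if __name__ == "__main__":
    for name, page in (("stuffed", STUFFED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, audit_html(page, "revenue.example", {"www.india.gov.in"}))
    print("unexpected files:", unexpected_web_files(PRESENT, MANIFEST))
```

The threshold logic is deliberately simple: a single foreign link is normal on a government page, so it is only flagged when paired with hidden content, a redirect or lure vocabulary, while heavy lure vocabulary is flagged on its own. Tune LURE_TERMS to the brands and products your own pages are being impersonated with.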

For Users

General Security Awareness

  • Verify website URLs before clicking, especially for government sites.
  • Be cautious of search results promoting gaming or betting.
  • Don't trust websites just because they appear in top search results.
  • Use official mobile app stores only.

Financial Protection

  • Never provide banking details to unknown gaming platforms.
  • Be wary of “too good to be true” money making offers.
  • Avoid participating in unregulated gambling activities.

Public Awareness

  • Issue public advisories about known scams so that citizens can recognise them.
  • Provide reporting mechanisms for the public.
  • Warn customers about games promoted through search engine poisoning (SEP) by distributing advisories on how to identify phishing or fraudulent gaming platforms.

Appendix

Figure 27 - Links to external Casino sites, on an Indian Government website