NOKEScam: Understanding and Rectifying Non-Sense Keywords Spear Scam in Search Engines

NOKEScam (NOn-sense KEyword Spear scam) is an emerging fraud technique. NOKEScam uses uncommon and usually non-sense keywords (NSKeywords) as vectors to lure victims without complex Black Hat SEO techniques. The obscure NSKeywords ensure the top search results as only NOKEScam pages are exactly matched, misleading victims into trusting them. NOKEScam severely impacts victims and search engines, but its uniqueness has hindered prior research and efficient detection methods.

In this paper, we report on joint work with a leading Chinese search engine to combat NOKEScam. Based on an empirical study, we identified three key observations and developed a lightweight detection system. This system can process about 2 billion URLs within one hour. Over seven months, we identified 153,975 NSKeywords across 68,863 domains. Our measurement demonstrated that leveraging search engine trust endorsement, NOKEScam websites attract an average of over 30k page views daily, indicating significant fraudulent profit potential. Driven by this, attackers persist despite search engine crackdowns, employing evasion tactics like using more domain names. Despite these tactics, our detection system remains effective, significantly suppressing the impact of NOKEScam, with a 194-fold reduction in real-world user complaints. Our findings reveal emerging fraud activities and offer valuable governance lessons for the security community.