The company does not disclose which pages took part in the scheme or whether they were regular or irregular betting sites. This illegal service operates through a virus called Ghost Redirector, which compromised at least 65 internet servers in 11 countries, most of them in Brazil.
The practice violates Google’s terms of use. Google can penalize websites by excluding them from search results or reducing their relevance if it detects fraudulent search engine optimization (SEO) practices aimed at its ranking system. The number of pages resorting to fraud also exceeds the 182 websites authorized by the Ministry of Finance to operate in Brazil.
The malicious program works in two modules. The first opens a breach in the server, allowing criminals to edit the code and execute commands. Then, another module, named Gamshen, detects access from search engine bots, such as Googlebot, in order to provide artificial information aimed at increasing the relevance of selected addresses.
According to Eset, Gamshen makes the compromised page appear better positioned in search results, acting as a sort of “invisible bridge” that benefits betting platforms without the website owner realizing it.
“Ordinary visitors to the webpages do not notice any change, which makes the attack difficult to detect,” the company said in its report. This way, hacked servers become silent tools to promote betting sites, while the reputation of the original domain risks being linked to suspicious SEO practices.
“Although Gamshen only modifies the response when the request comes from Googlebot, participation in the SEO fraud scheme can damage the compromised site’s reputation by associating it with questionable SEO techniques,” said Eset researcher Fernando Tavella, who discovered the scheme.
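Because the altered response is served only to the crawler, a site owner can look for it by comparing the page as a browser receives it with the page as the search engine receives it. The following check is an added example, not code from Eset or from the report: it lists external hosts that are linked only in the crawler-facing copy. The two HTML bodies and the host names are constructed samples, and how the two copies are captured is left to the site owner.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects the host of every absolute http(s) URL in href/src attributes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                parsed = urlparse(value)
                if parsed.scheme in ("http", "https") and parsed.hostname:
                    self.hosts.add(parsed.hostname.lower())


def external_hosts(html, own_host):
    """Hosts referenced by the page that are not the site itself or a subdomain."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    own = own_host.lower()
    return {h for h in collector.hosts if h != own and not h.endswith("." + own)}


def crawler_only_hosts(browser_html, crawler_html, own_host):
    """External hosts present in the crawler-facing body but not the browser one."""
    seen_by_browser = external_hosts(browser_html, own_host)
    seen_by_crawler = external_hosts(crawler_html, own_host)
    return sorted(seen_by_crawler - seen_by_browser)


# Constructed sample: the same page as served to a browser and to a crawler.
BROWSER_BODY = """<html><head><title>Clinic</title></head><body>
<a href="/contact">Contact</a>
<script src="https://cdn.clinic.example/app.js"></script>
<a href="https://maps.partner.example/">Find us</a>
</body></html>"""
CRAWLER_BODY = BROWSER_BODY.replace(
    "</body>", '<a href="https://promo.betting-site.example/">bonus</a>\n</body>'
)

if __name__ == "__main__":
    for host in crawler_only_hosts(BROWSER_BODY, CRAWLER_BODY, "clinic.example"):
        print("linked only in crawler-facing response:", host)
```

An empty result does not prove the server is clean; a non-empty one is a reason to inspect the web server's loaded modules and recent changes.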
The identified servers serve different sectors, including education, healthcare, insurance, transportation, technology, and retail. Most of the compromised servers in the United States were rented by companies based in Brazil, Thailand, and Vietnam, indicating a focus on victims in Latin America and Southeast Asia.
The investigation showed that the criminals managed to access the servers by exploiting security flaws, such as vulnerabilities in databases.
The Ghost Redirector attacks were recorded between December 2024 and April 2025. A scan conducted in June of the same year revealed new victims. Eset stated that all affected companies were notified.
Responsible for overseeing the betting sector in Brazil, the Ministry of Finance says its focus this year is to ensure that licensed companies comply with regulations and to combat the illegal market.
According to the Secretariat of Prizes and Betting (SPA), the National Telecommunications Agency (Anatel) took down 15,463 illegal betting pages between October 2024 and last August.
In addition, the SPA reported that 17.7 million Brazilians placed bets on the websites and apps of the 182 companies authorized by the Secretariat.
Source: Folha