Our research team analyzes how illegal gambling platforms hijack government domains in Brazil to manipulate search engine results. In addition, we explain the risks to the regulated market and even public trust in government sources, highlighting solutions to prevent cloaking.
What Is Cloaking?
In SEO jargon, cloaking is a technique for displaying clandestine content under trusted domains. The purpose is to deceive search engines that cannot detect whether the page actually belongs to the given URL or not.
In other words, cloaking interferes with search engines’ ranking mechanisms by pushing illicit content. While the scam goes undetected by the search engines, the content remains visible to users on search engine results pages (SERPs).
To maximise their reach, offshore operators also use cloaking to hide illegal gambling sites under the official domains of government agencies or city councils. Thus, licensed operators who have migrated to the bet.br domain are affected by this malicious practice. By using this hacking technique, offshore operator content manages to rank alongside them in searches, resulting in a number of challenges.
Firstly, cloaking fuels the unethical competition from offshore operators who don’t pay taxes. Secondly, it is feeding the proliferation of illegal online casino sites, adding to the burden of the Secretariat of Prizes and Betting – SPA.
Yet the social and political implications of cloaking are manifold. On the one hand, it puts citizens at risk, especially minors. After clicking on seemingly reliable links, customers are lured into offshore casinos that disregard Responsible Gambling principles, among many others. On the other hand, cloaking has the potential to undermine public trust in government sources.
This study therefore addresses the methods used by hackers and the damage they cause to the regulated market, whilst focusing on measures to combat cloaking.
How cloaking impacts the regulated market
According to ENV Media’s user experience research, the top 13 licensed Brazilian brands stand out for fast, easy registration, effective KYC checks and Responsible Gambling policies.

Source: User Journey in Online Casinos and Sports Betting Sites – ENV Media
Unlike offshore operators, licensed gambling brands therefore comply with the regulation, provide secure transactions, as well as instant deposits and withdrawals, friendly interfaces and a wide range of certified games.
However, the regulated market remains under constant attack from the spurious tactics of the illegal operators. Cloaking is one of them.
As high domain authority leads to better positions in the SERPs, government websites are often targeted by offshore operators for their relevance. Thus, the cloaked content manages to rank in the top page results, which would otherwise require great investments and expertise in search engine optimization (SEO) techniques.
Good SEO practice, in turn, means complying with Google’s content policies. It also involves providing relevant, trustworthy sources for searches. On the contrary, hackers include casino and sports betting keywords in their hidden content, and even the names of the licensed brands themselves to push their illegal sites.
Below, a screenshot taken on March 28, 2025, shows a snippet of an illegal casino link placed under the domain of the prestigious Federal University of Pernambuco. It featured in Google’s first search results page for the popular keyword ‘Tigrinho’, which is how Brazilians nicknamed the slot game Fortune Tiger:

Source: Google SERP for the keyword ´Tigrinho´ (Fortune Tiger)
When clicking on the actual domain itself, rather than the snippet, the university’s website is under maintenance. But even if it were fully functional, it couldn’t possibly officially host the cloaked page described in the snippet, which redirects elsewhere.

Source: Federal University of Pernambuco’s website.
Thus, a click on the snippet led to an offshore platform that promised payment in exchange for registration, again, seriously violating the law.

Source: Google SERP for the keyword ´Tigrinho´ (Fortune Tiger)
On a scale from 0 to 100, Domain Rating (DR) is one of the key metrics in SEO. DR estimates the reputation of a website in terms of backlinks. It therefore measures the site’s authority based on the number of times its content is linked to by other quality sites. As DR values quality and relevance, Google, for its part, penalises sites that use paid link schemes. Sites that violate these policies are relegated to the last result pages, losing visibility.
In contrast, sites deemed reliable by Google’s automated systems – including its bots and ranking algorithms – are more likely to rank first in the SERP. Hence, government websites are targeted for their high DR. As an example, we have analyzed the website DR of the Federal University of Pernambuco with Ahrefs. The university’s website ranked 76, accounting for 5.3 million backlinks:

Source: Ahrefs
When analyzing the cloaked link https://www.ufpe.br/tigrinho:-nova-funcionalidade-de-apostas/g0000109n2.htm, it also ranked 76 due to its illicit presence in the institution’s domain.

Source: Ahrefs
Additionally, when we used Moz Authority Checker to look at the most used keywords related to the university, the results were staggering. Just 2 casino-specific keywords accounted for 3,950 searches, as opposed to only 120 searches for academic-related keywords.

Source: Moz Authority Checker
The cloaking activity is so intense that if we add the university’s acronym UFPE to the keyword Tigrinho, Google returns 20 results in the first 2 SERPs:

Source: Google SERP for the keywords ´Tigrinho + UFPE´
To further illustrate the problem, searches for the keyword Tigrinho (blue) also peaked on March 28, surpassing the interest in the keywords Tigrinho Game (red) and Fortune Tiger (yellow).

Source: Google Trends, March 2025
Although cloaking violates Google’s spam policy and is subject to removal from search results, the fact is that cloaked domains, just like illegal gambling sites themselves, spread like wildfire.
In 2023, Google reported blocking or removing over 5.5 billion ads for violating its policies globally. Assuming that at least 1% to 2% of that total was due to cloaking, it would have accounted for an estimated 55 to 110 million removed ads.
But given that Google has been fighting cloaking approximately since 2016, it’s unlikely to go away anytime soon.
How does cloaking work?
As with any other sort of malware, hackers exploit cybersecurity breaches to cloak URLs. These include outdated plugins on content management systems such as WordPress, weak admin passwords or unpatched servers – computers that haven’t been updated with the latest security fixes.
Once inside the system, creating a new file or subpage on the domain server is the next step. For example, using a fictional domain, this file would look like this: http://www.university.edu.br/wp-content/uploads/casino-bonus.php.
Next, hackers may run a PHP script that shows casino ads to search engine bots while redirecting users to a different domain. These scripts may seem as basic as illustrated below:

PHP, which stands for Hypertext Preprocessor, is a programming language for building dynamic websites. It is used to allow the system to decide what content is displayed to different visitor types when clicking on the index.php page.
Another way hackers hijack links is to host APK files or links to their shady websites in public subdomain folders. They may also use other programming languages – such as JavaScript – to trigger the redirects or insert the keywords into the HTML pages.
It is important to highlight the difference between PHP and JavaScript cloaking. PHP cloaking works on the server side – meaning the hackers manipulate the link structure before it reaches the user’s browser, making it less obvious for both users and security tools to identify the hijacking.
JavaScript, on the other hand, works on the user’s side. It dynamically changes the content shown to the users, but does not hide it from the server – meaning the client can be redirected to the hijacking link eventually, depending on their actions.
In order to bait users, the steps are as follows:
- Identifying whether the visitor is a human or a bot.
- Redirecting humans to offshore casino sites.
Therefore, while search engine crawlers like Googlebot see a page hosted at the high-authority domain, humans see illegal casino websites.
With Google also offering videos as search results, illegal gambling ads are disguised as videos under official domains as an alternative to ranking first.
The municipalities of Santo André (São Paulo) and Vitória (Espírito Santo) are among those targeted. They are followed by federal institutions such as the National Institute of Historical and Artistic Heritage (IPHAN), the Chico Mendes Institute for Biodiversity Conservation (ICMbio) and the Federal Institute of Education, Science and Technology of Southern Rio Grande do Sul (IFSUL).

Source: Google videos SERP for the keyword ´Tigrinho´ (Fortune Tiger)
However, by clicking on a fake video thumbnail, allegedly published by the municipality of Santo André, users will not be directed to YouTube, but to an illegal casino that has not yet been blocked by the SPA.
Fortunately, in addition to reporting to Google, there are cybersecurity measures that can prevent a domain from being cloaked by criminals.
Tactics to fight cloaking
While some institutions are still struggling and redirecting to illegal platforms, for its part, IPHAN has managed to block the infringing links as follows:


Source: Google video SERP for the keyword ´Tigrinho´ (Fortune Tiger) and IPHAN’s website.
As can be inferred from the screenshots, either through monitoring or public reporting, IPHAN has detected and removed the cloaked pages. The cloaked pages now return an HTTP 404 error.
Nevertheless, as there is no content left to be found by either humans or bots, Google will eventually remove the page from its SERPs.
To expand on the cybersecurity actions capable of stopping cloaking, our research team has compiled a set of actions as described below:
| Cybersecurity Measure | Description |
| --- | --- |
| Keeping systems updated | Regularly updating CMS plugins, themes, and software. |
| Monitoring file integrity | Monitoring for suspicious file changes or the appearance of new .php or .js scripts. |
| Monitoring traffic and logs | Reviewing access records for suspicious behavior, user-agent tampering, or cloaked URL access. |
| Scanning for cloaking | Comparing content displayed to both humans and bots, checking for SEO disparities. |
| Restricting file uploads | Restricting upload directories and file types, blocking .exe files unless fully authenticated. |
| Scanning server-side malware | Scanning regularly for webshells, cloaked content and malware. |
| Monitoring Google Search Console | Tracking indexing inaccuracies, suspicious keywords, and manual action reports. |
| Implementing content security policies | Adding headers to restrict scripting sources and verify loaded resource integrity. |
| Locking .htaccess and redirects | Monitoring and restricting redirection rule changes, especially user-agent conditions. |
| Installing a web application firewall (WAF) | Employing security services to block cloaking attempts based on behavior. |
| Reviewing third-party code | Reviewing the behavior of ads, analytics, and embedded scripts regularly. |
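
The bot-versus-human split described under "How does cloaking work?" and the "Scanning for cloaking" measure above can both be checked by requesting one URL with a browser and a crawler User-Agent and comparing the answers. The Python below is an added example, not code from this study; the watch-word list, the sample responses and the fictional university.edu.br domain are assumptions.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
WATCHWORDS = ("tigrinho", "fortune tiger", "casino", "apostas")  # assumed keyword list

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: the 3xx answer itself is the evidence

def fetch(url, user_agent, timeout=10):
    """Request url once with the given User-Agent, without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = urllib.request.build_opener(NoRedirect).open(req, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx arrive here
        resp, status = err, err.code
    body = resp.read(200_000).decode("utf-8", "replace")
    return {"status": status, "location": resp.headers.get("Location") or "", "body": body}

def visible_text(html):
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)  # drop non-rendered code
    return re.sub(r"\s+", " ", re.sub(r"(?s)<[^>]+>", " ", html)).strip().lower()

def compare(browser, crawler, own_domain):
    """Return the differences between what a browser and a crawler were served."""
    findings = []
    for who, resp in (("browser", browser), ("crawler", crawler)):
        host = urlparse(resp["location"]).hostname
        on_site = host in (None, own_domain) or host.endswith("." + own_domain)
        if 300 <= resp["status"] < 400 and not on_site:
            findings.append(f"{who} is redirected off-site to {host}")
    if browser["status"] != crawler["status"]:
        findings.append(f"status differs: browser={browser['status']} crawler={crawler['status']}")
    crawler_text, browser_text = visible_text(crawler["body"]), visible_text(browser["body"])
    hidden = [w for w in WATCHWORDS if w in crawler_text and w not in browser_text]
    if hidden:
        findings.append("keywords served only to the crawler: " + ", ".join(hidden))
    return findings

# Constructed sample responses for a page on the fictional university.edu.br.
SAMPLE_BROWSER = {"status": 302, "location": "https://offshore-casino.example/register", "body": ""}
SAMPLE_CRAWLER = {"status": 200, "location": "", "body":
                  "<title>Tigrinho: apostas</title><script>var casino=1</script><p>Fortune Tiger</p>"}
```

Against a live page, pass `fetch(url, BROWSER_UA)` and `fetch(url, CRAWLER_UA)` to `compare`. A script that keys on the crawler's source IP rather than its User-Agent will show no difference here; the URL Inspection view in Google Search Console shows what Googlebot itself received.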
Without forgetting the use of password management applications to increase security, constant monitoring is therefore key to preventing domains from being hijacked.
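
Two of the measures in the table, monitoring file integrity and locking .htaccess, can be run as one periodic audit against a trusted baseline. The Python below is an added example, not code from this study; the `wp-content/uploads/` prefix follows the article's fictional URL, and the extension list, the finding labels and the constructed demo tree are assumptions.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

SCRIPT_EXT = (".php", ".phtml", ".js")       # assumed list of executable/script types
UPLOAD_DIRS = ("wp-content/uploads/",)       # assumed upload location
UA_RULE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I | re.M)

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = Path(folder, name)
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def audit(root, baseline):
    """Return (finding, path) pairs for everything that differs from the baseline."""
    current, findings = snapshot(root), []
    for rel, digest in sorted(current.items()):
        if baseline.get(rel) == digest:
            continue  # unchanged since the trusted snapshot
        findings.append(("new" if rel not in baseline else "changed", rel))
        if rel.startswith(UPLOAD_DIRS) and rel.lower().endswith(SCRIPT_EXT):
            findings.append(("script-in-uploads", rel))
        if rel.endswith(".htaccess") and UA_RULE.search(Path(root, rel).read_text(errors="replace")):
            findings.append(("user-agent-rewrite", rel))
    findings += [("deleted", rel) for rel in sorted(set(baseline) - set(current))]
    return findings

def demo():
    """Constructed tree: a baseline is taken, then two files appear."""
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root, "wp-content", "uploads")
        uploads.mkdir(parents=True)
        Path(root, "index.php").write_text("<?php // site front page\n")
        baseline = snapshot(root)  # trusted state, stored off the web server in practice
        (uploads / "casino-bonus.php").write_text("<?php // placeholder\n")
        Path(root, ".htaccess").write_text("RewriteCond %{HTTP_USER_AGENT} Googlebot [NC]\n")
        return audit(root, baseline)
```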
Engaging Brazilian Authorities in the Fight Against Cloaking
Obviously, every single business on the planet needs to ensure an online presence in order to thrive. To achieve this, companies need to understand not only search engine and social media ranking criteria, but also security policies. So do government agencies and institutions.
However, as with identity fraud targeting well-known brands and products online, federal agencies and municipalities also fall victim to malicious practices, in the case analysed here at the hands of offshore gambling platforms looking to make a dishonest profit.
In order to coordinate actions, manage risks and strengthen resilience across the public and private sectors, Decree No. 11,856/2023 created the Brazilian National Cybersecurity Policy (PNCiber) and the National Cybersecurity Committee (CNCiber).
However, when it comes to cloaking, there is still a lack of a consistent cybersecurity policy for public authorities at federal and local levels, both to protect citizens and to create a level playing field for licensed operators.
Cloaking has disastrous social, economic and political implications. Not only does it pervert competition and undermine public trust, it also compromises the viability of a taxpaying, regulated market that plays by the rules.
It is therefore of paramount importance that efforts are made at the federal, state and local levels to detect official cloaked domains leading to offshore gambling platforms.
Combined with the measures taken by the SPA to suffocate the operations of offshore casinos in Brazil, converging efforts at all levels of public administration could maximise overall strategies against illegality.