Black Hat AI Search Is Real. Here Is the Proof.
Google's AI Overview cited a hijacked medical journal, then sent clickers to a GLP-1 shop. We traced the full black-hat chain.

> We asked Google a basic health question. Its AI cited a Colombian medical journal as a trusted source. That citation was a hijack, and clicking it sends a real person to a weight-loss drug funnel. This is not a theory about what could happen to AI search. It is a documented case of what is already happening.
AI search manipulation is usually discussed in the abstract. This piece is a single, fully traced case: the search, the citation, the mechanism, and the evidence that it is not isolated. Every claim was verified by hand against live pages and cross-referenced with publicly documented vulnerabilities.
📋 TL;DR
- Google's AI Overview cited revistainfectio.org, a real Scopus-indexed journal, alongside GoodRx and Drugs.com for the query "ozempic without insurance".
- The click path does not reach journal content: a blank PDF viewer redirects humans to a GLP-1 telehealth sales funnel while crawlers see indexed copy on the trusted domain.
- The exploit chain combines Open Journal Systems open redirects and PDF.js (CVE-2024-4367) — a known pattern attackers run at scale against academic sites.
- The attack target is the trust layer — getting a hijacked domain into the citation set AI vouches for, not winning the answer text.
- If Google missed this, younger AI engines with weaker spam defense face the same poisoned trust layer — which is why measuring the index-vs-live gap matters.
What we found
When we searched for "ozempic without insurance", Google's AI Overview returned the usual trusted sources: GoodRx, Sesame, Drugs.com. Sitting among them was a citation card for revistainfectio.org, the site of Infectio, a real, Scopus-indexed infectious-disease journal published by the Colombian Association of Infectious Diseases.
A medical journal appearing as a source on a drug-pricing question looks credible. That is exactly why it works.

Click that source and you do not reach a journal article. You reach a blank PDF viewer that immediately redirects you to a GLP-1 telehealth shop promising you can drop 40lbs by August, with plans starting at 149 dollars and a fake "only 9 spots left" countdown.


Google indexed and cited helpful-looking pharma copy from a trusted medical domain. A human who clicks gets the empty shell and the sales funnel. The page Google trusted and the page a person sees are not the same page.
The mechanism
This is a known exploit chain, and the journal is the victim, not the culprit.
Open Journal Systems is the open-source platform that runs thousands of academic journals worldwide. It contains a documented open-redirect vulnerability in its signOut function, where an attacker manipulates the source parameter to forward a visitor to any external domain. Attackers chain it with a PDF.js vulnerability, CVE-2024-4367, to abuse the journal's PDF viewer.
The result is a parasite page that lives on the trusted journal domain, at a path like /plugins/generic/pdfJsViewer/pdf.js/web/viewer.html. It loads the viewer, logs the visitor out, and redirects them onward. The crawler-facing version gets indexed as legitimate journal content. The human-facing version bounces to the offer.
We confirmed the link directly. The same tracking token appears in both the journal URL and the final shop URL. That shared token is not a coincidence. It is the redirect funnel, traced end to end. Our automated probe flagged it the moment it compared what Google had indexed against what the live page actually serves: a content-similarity score of zero.
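For a journal operator, the two request shapes described above can be looked for in the web server's access log. The sketch below is an added example, not code from the investigation or from OJS: the log lines are constructed, `journal.example` stands in for the journal's own host, the `/signOut` route suffix is an assumption about how the sign-out handler is routed, and treating any off-site URL in a viewer query parameter as review-worthy is a heuristic rather than a signature for CVE-2024-4367.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Viewer path as quoted in the article; the signOut route shape is an assumption.
VIEWER_PATH = "/plugins/generic/pdfJsViewer/pdf.js/web/viewer.html"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format); hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php/demo/article/view/1 HTTP/1.1" 200 5120',
    '203.0.113.8 - - [01/Jan/2026:10:00:02 +0000] "GET /index.php/demo/login/signOut'
    '?source=https%3A%2F%2Fshop.example%2Foffer%3Ft%3Dabc123 HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET ' + VIEWER_PATH +
    '?file=https%3A%2F%2Fjournal.example%2Findex.php%2Fdemo%2Farticle%2Fdownload%2F1%2F2 HTTP/1.1" 200 900',
    '203.0.113.10 - - [01/Jan/2026:10:00:09 +0000] "GET ' + VIEWER_PATH +
    '?file=//cdn.example.net/x.pdf HTTP/1.1" 200 900',
]

def external_host(value, own_host):
    """Host of an absolute or scheme-relative URL that points off-site, else None."""
    v = value.strip()
    try:
        parts = urlsplit("https:" + v if v.startswith("//") else v)
    except ValueError:  # malformed value, e.g. a broken IPv6 literal
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return None
    if host == own_host or host.endswith("." + own_host):
        return None
    return host

def scan(log_lines, own_host):
    """Return (line_no, rule, off_site_host) for requests worth reviewing."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            host = external_host(value, own_host)
            if host and target.path.endswith("/signOut") and key == "source":
                findings.append((n, "signOut-redirect", host))
            elif host and target.path.endswith(VIEWER_PATH):
                findings.append((n, "viewer-offsite-url", host))
    return findings
```

The third sample line is the benign case: the viewer loading a document from the journal's own host is normal traffic and is not reported.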
Why it works on AI
Classic cloaking fools a ranking algorithm into ranking a page. This is one level deeper.
The attacker does not need their text to be the answer. They need the hijacked journal admitted into the trusted source set, the pool of citations the AI vouches for. Once a respected academic domain is in that set, the AI presents it to the user as credible, sitting beside GoodRx and Drugs.com. The manipulation targets the trust layer, not the answer text.
This exploits a weakness Google's AI surfaces already have, where self-proclaimed authority and manipulative content get cited as credible. Here, the authority is real. It was just stolen — a cousin of the Wikipedia-to-AI fact pipeline brands already worry about, but with outright domain hijack instead of editorial error.
This is not one journal
Our probe found the identical pattern across multiple compromised journals, each with its own attacker redirect domain and its own tracking token. This matches what publishers report: attackers run automated scripts that scan for vulnerable OJS installations at internet scale and hit every one that matches, because academic domains carry the trust signals that make them valuable for exactly this kind of spam.
This is a coordinated, automated campaign laundering affiliate offers through the borrowed authority of academic medicine, and it has reached the AI answer layer.
The part that should worry every brand
Google has spent twenty years building defenses against this. Its spam enforcement runs through SpamBrain, an AI-based prevention system, and in June 2026 Google extended it explicitly to cover manipulation of AI-generated answers. The most experienced, most defended search system on earth, with policies written for this exact problem, still cited a hijacked medical journal in its AI Overview.
If Google missed this, consider the engines with two years of experience instead of twenty. ChatGPT, Perplexity, and Gemini are pulling from the same open web, citing the same kinds of sources, with far less mature spam defense. The trust layer they all depend on is being poisoned, and almost nobody is measuring it.
Black hat SEO did not die. It moved to the layer that now answers the question for you, and it got harder to see, because there is no list of ten blue links to inspect. There is one confident answer with a citation that looks legitimate.
How you actually see this
You cannot catch this from the human-facing web. The page looks fine to you because you are not the crawler. Detecting it requires comparing what the engines have indexed and cited against what the live page actually serves, across every engine, continuously. That gap, between what AI vouches for and what is really there, is invisible to traditional analytics and is precisely what AIVO, AI Visibility Optimization, exists to measure.
If your brand is being out-cited in AI answers, the cause might not be that a competitor earned it. It might be that someone manufactured it. First-party citation dashboards help on one slice of the board; the full picture still needs cross-engine comparison like the 2026 measurement stack. The only way to know is to look at the layer most tools ignore.
This investigation was conducted by AIVO, AI Visibility Optimization. Findings were verified by hand against live pages and cross-referenced with publicly documented vulnerabilities.
How we verified this
- We ran an automated probe across high-intent GLP-1 search queries, comparing each result's Google-indexed view against what the live page serves a human.
- The Infectio result was flagged automatically (index-vs-human content similarity of zero) and then confirmed by hand with side-by-side screenshots.
- The redirect funnel was traced end to end via a tracking token shared between the journal URL and the final shop URL.
- The underlying vulnerabilities are publicly documented (OJS signOut open redirect; PDF.js CVE-2024-4367) and corroborated on PKP's own community forum.
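The two checks described above (index-vs-live content similarity, and a tracking token shared between the cited URL and the final landing URL) can be sketched as follows. This is an added example, not AIVO's probe: the article does not say how its similarity score is computed, so Jaccard similarity over word 3-shingles is used as a stand-in, and the texts, URLs, token, parameter names and the 0.1 threshold are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed inputs: text of the indexed/cited copy, text served to a browser,
# the cited URL, and the URL where the browser finally landed.
INDEXED = ("Ozempic without insurance: compare pharmacy coupon prices and "
           "manufacturer savings programs for semaglutide.")
LIVE = "Drop 40lbs by August. Plans starting at 149 dollars. Only 9 spots left."
CITED = "https://journal.example/plugins/generic/pdfJsViewer/pdf.js/web/viewer.html?ref=tk_9f3a7c21"
FINAL = "https://shop.example/start?click=tk_9f3a7c21&plan=glp1"

def shingles(text, k=3):
    """Set of k-word sequences, case-folded, punctuation ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(indexed_text, live_text):
    """Jaccard similarity of word shingles: 1.0 identical, 0.0 nothing shared."""
    a, b = shingles(indexed_text), shingles(live_text)
    return len(a & b) / len(a | b) if a and b else 0.0

def shared_tokens(first_url, final_url, min_len=8):
    """Query values present in both URLs when the two hosts differ."""
    u1, u2 = urlsplit(first_url), urlsplit(final_url)
    if u1.hostname == u2.hostname:
        return set()
    values = lambda u: {v for _, v in parse_qsl(u.query) if len(v) >= min_len}
    return values(u1) & values(u2)

def assess(indexed_text, live_text, cited_url, final_url, threshold=0.1):
    """Flag a citation whose live landing is off-site and unlike the indexed copy."""
    score = similarity(indexed_text, live_text)
    off_site = urlsplit(cited_url).hostname != urlsplit(final_url).hostname
    return {"similarity": score,
            "off_site_landing": off_site,
            "shared_tokens": sorted(shared_tokens(cited_url, final_url)),
            "flag": off_site and score < threshold}
```

Calling `assess(INDEXED, LIVE, CITED, FINAL)` on the constructed inputs reproduces the pattern in the case study: zero similarity, an off-site landing, and one token common to both URLs.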
FAQ
Q: Is black hat SEO still a thing in the age of AI search?
A: Yes, and it is migrating to AI surfaces. Google updated its spam policies in May 2026 to explicitly classify attempts to manipulate AI-generated answers as spam, which only happens when a tactic is already widespread.
Q: Can Google's AI Overview be manipulated?
A: It already is. Documented cases show AI Overviews citing self-proclaimed authority and manipulative content as credible sources. Our investigation adds a more severe version: a hijacked academic journal cited as a trusted health source.
Q: Why would a medical journal show up for a weight-loss query?
A: Because its site was compromised. Open Journal Systems has a documented open-redirect vulnerability that attackers exploit to host redirect pages on the journal's trusted domain, borrowing its authority to rank and get cited.
Q: How do you detect AI citation manipulation?
A: By comparing what each AI engine indexes and cites against what the live page actually serves, continuously and across engines. A large gap between the two is the signal.
Key Takeaways
- AI Overviews can cite compromised academic domains as peers to household health brands — credibility by association, not by content quality.
- Crawler-facing and human-facing experiences diverge on the same URL; side-by-side screenshots are not enough without index-vs-live probes.
- OJS + PDF.js redirect chains are documented, repeatable, and automated at scale against journal infrastructure.
- SpamBrain and 2026 AI-spam policy updates did not prevent this live citation — younger AI engines face the same trust-layer risk with less history.
- Detection lives in the measurement gap between what AI cites and what users receive — the layer AI visibility tooling is built to watch.
Sources
- OJS Spam Indexing Investigation: Open Redirect + PDF.js CVE-2024-4367 — PKP Community Forum: https://forum.pkp.sfu.ca/t/ojs-spam-indexing-investigation-open-redirect-pdf-js-cve-2024-4367/98414
- OJS 3.4.0.8 pdfJsViewer plugin security — PKP Community Forum: https://forum.pkp.sfu.ca/t/ojs-3-4-0-8-pdfjsviewer-plugin-security/98407
- OJS signOut open redirect vulnerability listing — Vulmon: https://vulmon.com/searchpage?q=open+journal+systems
- Forensic Assessment of OJS Server-Side Compromise (cloaking component): https://www.researchgate.net/publication/402111959
- Why academic domains are targeted — OpenJournalTheme: https://openjournaltheme.com/ojs-security-services-protect-academic-journal/
- Growing spam problem in Google AI Overviews — Search Engine Land: https://searchengineland.com/google-ai-overviews-growing-spam-problem-455402
- Google spam policies apply to AI Overviews and AI Mode — Search Engine Land: https://searchengineland.com/google-updates-search-spam-policies-to-clarify-it-applies-to-generative-ai-responses-477657
Author: Sebastian Pinzon is Co-Founder of AIVO, the AI Visibility Intelligence Platform. After 15+ years in digital marketing at Publicis, WPP, and Omnicom, he helps mid-market brands measure and improve their presence across ChatGPT, Perplexity, Google AI Overviews, and Claude.


