I was researching the niche on one of my new domain purchases, 24hrloans.co.uk, and guess what I found? The internet never ceases to amaze me.

A Picture is Worth 1000 Words. Click to see it in detail

Thoughts?

Dont tell me how dodgy it is, tell me how they did it. I have covered it before, so you should know.  See the site for different serps, see the site for direct URL type in. If you really havent got a clue have a look at: Pills Link Hacker.

This post is a first for me. First time there is a guest post (well semi-guest) on this site. It also is my first collaboration with one of my favourite Research SEOs Neyne.  Neyne (Real name Branko Rihtman) doesn’t blog very often, but when he does it is always worth a read. This is a two part post, the first by Neyne, with the second part by yours truly.

My last post was about using Wordpress Plugin Flaws to link build, “aka soft hacking”. However what we are about to demonstrate is another opensource CMS, Joomla, has just as big a flaw as WP. We didnt investigate the backdoor, or how it was done, however we do demonstrate the extent to which it works.

Worse Than Blackhat, Meet the Hacker SEO

Just like with “SEO is Dead” debate that raises its lame head in seemingly regular intervals over the past few years, so does its not-so-distant cousin, the “Whitehat vs. Blackhat” debate. There has been one raging on the popular blogs in the last week or so and, just like with its useless relative, this round did not bring any new arguments nor has it convinced anyone on the either side of the argument. However, not often does one get to encounter a true black hat campaign, one that leaves you with no doubt as to whether it is useful or not nor whether it is illegal or not. Thanks to a tip from one of my SEO buddies, I have taken the glimpse into the eyes of the beast, and it ain’t pretty.

Just before we dive in, I want to make something clear. I don’t usually out websites or SEO techniques. I think that outing is a cowardly practice, done by people that are not capable of outperforming others. Or in the immortal words on one of Aaron’s tshirts: “I have a very high tolerance for spammers, but a very low one for weasels”. That said, the techniques outlined in this article are most probably illegal (not a lawyer, so don’t want to be definite on that one). They include hacking into other people’s sites, flagging them as pill-related, squandering their link equity and eventually getting them flagged as compromised in Google SERPs, thus seriously decreasing their CTRs. Asshatery like that should be eliminated and I feel no remorse for doing so.

It all started with an enquiry of the mentioned friend about one of his client’s sites. The site seemed to be OK, nothing irregular about it; however, when looking at the Google cached version of the site, a footer appeared:

Pills Footer

This footer does not appear when the site is visited with Googlebot useragent, so my guess is that this is a case of IP cloaking. The more interesting thing is that none of the sites linked in the footer seem to be V1@6r@ related.  They are regular sites on a wide range of topics. So my first thought was that this is a hatchet job – a slimy SEO company that is trying to ban their competitors by creating thousands of artificial, spammy links on hacked sites. However, when looking at the source code of Google cache of each of the linked sites, a different picture started to emerge. Check out the differences between the <header> element as it appears on the live site vs. how it appears in Google Cache:

Google Cache Header of Haked Site

So my next question was whether these site rank for any of the linked phrases. Almost all of them did. Check out this SERP for [V1@6r@ price] (6600 Global Exact Match monthly searches)

Ranking for V Price

So here came a head scratching part. It seems like someone is hacking into Joomla based sites, planting links in their footer to other hacked Joomla sites, whose header is cloaked to show V1@6r@-related keywords. But what is the point? Why would someone send V1@6r@-relevant traffic to totally unrelated websites? Then I clicked through to the site from the above SERP. This is the site I got:

Now you See It

If you go to the site directly, by typing the URL into the address bar, this is what you get:

Now You dont

So not only are they doing IP cloaking, they are also doing referral cloaking to show all visitors referred from Google SERPs .  Here is a partial list of sites, with their original Titles, hacked Titles, keyword they targeted with footer links anchors and their ranking on Google.com for that keyword:

Partial List of Hacked Sites

There is one thing that is common to all the websites in question – they have been all created in Joomla. Furthermore, it is easy to target them as there is a clear indication they are Joomla based in their header:

<meta content="Joomla! 1.5 - Open Source Content Management" />

**************Investigation Ends******************

Search Volumes for v1@6r@

So Neyne has shown you the what, how and why. Hacking these many sites for those rankings isn’t an easy job, unless you prebuild in hacker doorways as I demonstrated in the WP Plugin Security fail. The only other way to do this is to run a number of brute force scripts on known weak spots of various servers and CMS’s. I want to show you what I learnt from investigating those links with Neyne. Like I said with the JC Penney scenario, when you get a chance to learn, do it.

10 things I Learn From V1@6r@ Link Hackers

1.       Old Spam Tactics still work!

A while ago, I wrote about Spam Tactics, Then and Now, where I identified a number of tactics that still work. This discovery reinforces what I learnt back then, that old spam tactics dont die, they just resurface. And that Google isnt really as sophisticated an algo that people believe it to be.  Some of the points below take this into more detail…

2.       Content is NOT King

None of these sites that we investigated were serving up content that was V1@6r@ related. Of course quite a few had cloaking which meant that some conteant was being shown, but after investigating a number of these sites, not all had redirection or cloaking set up as yet.  And as a result just had links that were doctored.  So why did they rank for these keywords?

Just links. Links, links and more links. What about great content? Nope. Links.

Using Majestic, lets look at what the links could be like:

Look at all those links! (click to view Majestic data)

3.       Anchor Text Over Rules All

Wordle for Links

Relevancy, thematic links, semantic analysis etc etc can all go to pot if you are working with a large scale access to link text manipulation system. Doesn’t matter where they are placed, and doesn’t matter where they came from.

An advanced analysis of the anchors for some of the sites we looked at gave you the wordle above  – you can see how heavy the manipulation is. In raw terms:

Anchor links Count

4.       Footer Links Work

For a while SEOs have been devaluing the relevance of links in footer or common elements – ummm they seem to work.

5.       Sitewide Links Work

Again, we get arguments that the value of sitewide links have been dampened greatly. Not when you are working in volume, as we discovered when we investigated these sites.

6.       Referrer Cloaking still Works.

I think Neyne demonstrated this pretty well above.

Another spam tactic from the past, still live and well.

Scripting, its an Art - this one isnt. (this is a tracking script on one of the sites)

7.       I Need To Set Up Alerts

What really shocked me is that these site owners still haven’t realized that they rank for these keywords. If you suddenly rank for or get traffic from didgy keyphrases, its time to check WTF is going on. Now in the case of user agent redirection, sometimes analytics will not record those visits. But will most certainly show up for high volume impressions if you are signed in with Google Webmaster Tools.  AND they have a malware detection piece on there which is worth looking at once in a while.

8.       I Need To Monitor Catch All Accounts

Google does try and email those sites that they have flagged up :

Site Compromised

Site Compromised on All Accounts

But you need to monitor and even set up catch all email accounts: You can find out if your site has been identified as a site that may host or distribute malicious software (one type of “badware”) by checking the Dashboard in Webmaster Tools. (Note: you need to verify site ownership to see this information.) We also send notices to webmasters of affected sites at the following email addresses for the site:

• abuse@
• admin@
• administrator@
• contact@
• info@
• postmaster@
• support@
• webmaster@

9.       Edu Sites Need some Serious help!

As part of the investigation, I had to scan a large number of SERPs for v1@6r@ related keywords. The most common resulting domain extension? That would be the “.edu”.  Google and/or someone else needs to teach these guys how to secure their sites… It’s not hard to spot the volume of hacking – see this simple query.

Or look at this gem:

edu Ranks for Buy that stuff Cheap

10.   .Gov sites are FUBAR

Another common domain  extension that shows up in the SERPs is the .gov extension.   By the way, did you know google has an old search page that only looks at Government sites? Look what I found through it: http://bit.ly/dOlzKR

Part of understanding Blackhat and Hacker Spam is to put yourself it their mindset. And that means asking “How Can I Use This For My Benefit?”

Well I have been doing a lot of that lately. And one of the genius ideas that I had was full site takeovers. Then I toned it down. And then I thought of smartening it up. And then I thought of scaling it. The result? Well using a simple flaw in Wordpress Plugins, and some clever strategy, I could sit back and game 100,000’s of relevant links to my sites, and control them all from one place.

Do This and Face Some Jailtime (source http://www.flickr.com/photos/morganmorgan)

NOTE: This idea is theoretical, and I HAVE NOT actually developed it any further than having a conversation with a few people, including Joost de Valk, regarding the possibility. All my research indicates, and Yoast confirms it, that it is indeed possible to create something this devilish.  There are other versions, of this idea floating around, which I will cover as well.

Side Note: This is HIGHLY Illegal. Don’t freaking do it.  In fact I am doing blackhat a disservice, this is downright Exploit and Hacking.

Wordpress Plugin Spamming

While back Yoast warned about a really dodgy SEO plugin being pimped out called Blogpress SEO Plugin. He found that amongst other devious things:

Next to that, the plugin is kind of enough to add a link back to itself on your blog’s homepage, in a hidden div of course, because that’s how smart people roll, right? Luckily, that makes it even easier for Google to find all the sites running the plugin and ban them all in one big sweep.

That is the level of control that you could unleash when you install a third party plug-in to your site.

Wordpress Plugins Background Reminder

There are a few things to remember:

• Apart from basic security checks and looking for dodgy programming scripts such as the use of Base 64, not much else is done in the way of security checks.
• Wordpress plugins that are not hosted on worpress plugin depository, aren’t put through ANY paces, this includes “Free” and “Paid” plugins.
• There isn’t a verification program for plugins for legitimacy and safety, and anything you install is at your own risk.
• Just because you have used a plugin for years, doesn’t mean that a new update is automatically safe to install.
• Once a plugin is installed, It can do ANYTHING to your site. Remember the Blogpress SEO example above.

The Concept – Control A Link Inventory

Link To Me! (source http://www.flickr.com/photos/hoyvinmayvin/4116728906/)

So I questioned myself on what I wanted to do. Here I am talking to myself:

• What we want: Links
• What type of Links: Thematic, fresh, blog links.
• Are they detectible? Probably, and am guessing easily.
• Boo. So what else do we want? Loads of Thematic 301 redirects.
• Are they detectible? Probably, not too easy to spot all the time, but still.
• Crap, so what else can I use that isn’t detectible? Rel Canonical.  Simple command, looks fine to the user, but means a lot to search engines. Users hardly check their code once it’s live as long as page behaves normally.

Note: I have intentionally added a massive flaw to this methodology to trip up people who do ass hat SEO. Learn all search engine directives, what they were meant to do, and what they are capable off. I refuse to elaborate anymore, except that the method I am highlighting is very limited in its effect if you haven’t got a clue what I am talking about in this note.

WP Plugin Exploit – The Theory

If I can create a Wordpress Plugin that is really popular, and gets installed on thousands of sites, then by simply inserting a backend piece of code, I can control anything on their site.

How do I promote the Plugin?

Easy. Run PPC Ads. Get it ranking in SEO. Pay people to install it, pay bloggers to review it. Make it a really cool plug-in.

What if I can’t get it installed on loads of sites?

Run a search of the Wordpress Plugin Directory. Find old plugins no longer updated.  Select those that have high installs. Offer to buy from original Author. Boom.

The Tool:

Wordpress Security Flaw Plugin Dashboard

So above is my theoretical tool management centre.  What does it do?

• Lists all sites that have the plugin installed
• Lets me pick which site I want to build links for
• Finds all tag pages that aren’t blocked by meta robot or robots.txt per site
• Themes the site by looking at over all keyword density.
• Lets you pick all the tag pages you want by selection
• Highlights when the last post under that tag was
• Let you either pick a rel Canon or a 301 destination for that page.
• One button push

The result could be devastation on all the poor unsuspecting blog owners, or may not even register on their radar! All you are doing is manipulating their tag pages… If you rel Canon them, most blog owners won’t even know anything is wrong except they may lose traffic to their tag pages from the SERPs.

Why Target Tag Pages?

Unlike ordinary category and actual post pages, I have found that these are the least monitored WP pages. Also, for people who love tagging, you can end up with hundreds of variations, hence more pages per site. And apart from those people who have either decent SEO knowledge, or a decent SEO Plugin, tag pages are often left open to search engines.

However this exploit can be used for any part of the site, including actual post page as well as the site home!

Devious Security Flaw

Security Flaw - Everyone Has One.

Is this a flaw? Yes. Can it happen to you? Yes.

Wordpress or at least people passionate about it need to find a way to work on verification of plugins and maybe create a “Trust Worthy” verification for plugin release.  Till then, I will rely on my network of people such as Yoast, or freelancer WP Plug-in devs or my Birmingham based Development team who I have worked with for years to test and check anything I install on my sites.

Other Potential Uses Of This Loophole

• Injecting Malware.
• Cookie Stuffing.
• Webmaster Tools Takeover.
• Sale hijacks.
• Password and Login Hijacks.

Get your Plug-in Reviewed!

Wordpress Condom - Source: http://www.flickr.com/photos/nbachiyski/1463351154/

Don’t install any old crap you find on the internet.  Check it. If you suspect a dodgy plugin, contact Yoast who will run a Wordpress Plugin Review.

There are many exploits for sites, see this article for instance (by Kristine Schachinger).