What We Learnt From a Pills Link Hacker

by rishil on April 18, 2011

This post is a first for me: the first time there is a guest post (well, semi-guest) on this site. It is also my first collaboration with one of my favourite Research SEOs, Neyne. Neyne (real name Branko Rihtman) doesn’t blog very often, but when he does it is always worth a read. This is a two-part post, the first part by Neyne, with the second part by yours truly.

My last post was about using WordPress plugin flaws to link build, aka “soft hacking”. What we are about to demonstrate is that another open-source CMS, Joomla, has just as big a flaw as WP. We didn’t investigate the backdoor, or how it was done; however, we do demonstrate the extent to which it works.

Worse Than Blackhat, Meet the Hacker SEO

Just like the “SEO is Dead” debate that raises its lame head at seemingly regular intervals over the past few years, so does its not-so-distant cousin, the “Whitehat vs. Blackhat” debate. There has been one raging on the popular blogs in the last week or so and, just like with its useless relative, this round did not bring any new arguments, nor has it convinced anyone on either side of the argument. However, not often does one get to encounter a true black hat campaign, one that leaves you with no doubt as to whether it is useful or not, nor whether it is illegal or not. Thanks to a tip from one of my SEO buddies, I have taken a glimpse into the eyes of the beast, and it ain’t pretty.

Just before we dive in, I want to make something clear. I don’t usually out websites or SEO techniques. I think that outing is a cowardly practice, done by people who are not capable of outperforming others. Or, in the immortal words on one of Aaron’s T-shirts: “I have a very high tolerance for spammers, but a very low one for weasels”. That said, the techniques outlined in this article are most probably illegal (not a lawyer, so don’t want to be definite on that one). They include hacking into other people’s sites, flagging them as pill-related, squandering their link equity and eventually getting them flagged as compromised in Google SERPs, thus seriously decreasing their CTRs. Asshatery like that should be eliminated and I feel no remorse for doing so.

It all started with an enquiry of the mentioned friend about one of his client’s sites. The site seemed to be OK, nothing irregular about it; however, when looking at the Google cached version of the site, a footer appeared:

Pills Footer

This footer does not appear when the site is visited with a Googlebot user agent, so my guess is that this is a case of IP cloaking. The more interesting thing is that none of the sites linked in the footer seem to be V1@6r@ related. They are regular sites on a wide range of topics. So my first thought was that this is a hatchet job – a slimy SEO company that is trying to ban their competitors by creating thousands of artificial, spammy links on hacked sites. However, when looking at the source code of the Google cache of each of the linked sites, a different picture started to emerge. Check out the differences between the <header> element as it appears on the live site vs. how it appears in Google Cache:

Google Cache Header of Hacked Site

So my next question was whether these sites rank for any of the linked phrases. Almost all of them did. Check out this SERP for [V1@6r@ price] (6600 Global Exact Match monthly searches):

Ranking for V Price

So here came a head scratching part. It seems like someone is hacking into Joomla based sites, planting links in their footer to other hacked Joomla sites, whose header is cloaked to show V1@6r@-related keywords. But what is the point? Why would someone send V1@6r@-relevant traffic to totally unrelated websites? Then I clicked through to the site from the above SERP. This is the site I got:

Now you See It

If you go to the site directly, by typing the URL into the address bar, this is what you get:

Now You Don’t

So not only are they doing IP cloaking, they are also doing referral cloaking to show all visitors referred from Google SERPs. Here is a partial list of sites, with their original titles, hacked titles, the keyword they targeted with footer link anchors and their ranking on Google.com for that keyword:

Partial List of Hacked Sites

There is one thing that is common to all the websites in question – they have all been created in Joomla. Furthermore, it is easy to target them, as there is a clear indication they are Joomla-based in their header:

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

**************Investigation Ends******************

Search Volumes for v1@6r@

So Neyne has shown you the what, how and why. Hacking this many sites for those rankings isn’t an easy job, unless you prebuild in hacker doorways as I demonstrated in the WP Plugin Security fail. The only other way to do this is to run a number of brute force scripts on known weak spots of various servers and CMSs. I want to show you what I learnt from investigating those links with Neyne. Like I said with the JC Penney scenario, when you get a chance to learn, do it.

10 Things I Learnt From V1@6r@ Link Hackers

1.       Old Spam Tactics still work!

A while ago, I wrote about Spam Tactics, Then and Now, where I identified a number of tactics that still work. This discovery reinforces what I learnt back then: old spam tactics don’t die, they just resurface. And Google isn’t really as sophisticated an algo as people believe it to be. Some of the points below take this into more detail…

2.       Content is NOT King

None of the sites that we investigated were serving up content that was V1@6r@ related. Of course quite a few had cloaking, which meant that some content was being shown, but after investigating a number of these sites, not all had redirection or cloaking set up as yet, and as a result they just had links that were doctored. So why did they rank for these keywords?

Just links. Links, links and more links. What about great content? Nope. Links.

Using Majestic, let’s look at what the links could be like:

Look at all those links! (Majestic data)

3.       Anchor Text Over Rules All

Wordle for Links

Relevancy, thematic links, semantic analysis etc. can all go to pot if you are working with large-scale access to a link text manipulation system. It doesn’t matter where the links are placed, and it doesn’t matter where they came from.

An advanced analysis of the anchors for some of the sites we looked at gave the wordle above – you can see how heavy the manipulation is. In raw terms:

Anchor links Count

4.       Footer Links Work

For a while SEOs have been devaluing the relevance of links in footers or common elements – ummm, they seem to work.

5.       Sitewide Links Work

Again, we get arguments that the value of sitewide links has been dampened greatly. Not when you are working in volume, as we discovered when we investigated these sites.

6.       Referrer Cloaking still Works.

I think Neyne demonstrated this pretty well above.

That referrer cloaking works is evident from the fact that the hacked sites are ranking even though they serve different content to users coming from Google SERPs.

Another spam tactic from the past, still live and well.

Scripting, it’s an Art - this one isn’t. (This is a tracking script on one of the sites.)
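A site owner can test their own pages for the user-agent and referrer cloaking described above by requesting the same URL under several request profiles and comparing the title and external link hosts. This is an added example, not code from the original post; the profile names, header values and sample pages are constructed, and `compare`, `summarize` and `fetch` are hypothetical helper names.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

PROFILES = {  # constructed request headers for fetching a page you own
    "direct": {"User-Agent": "Mozilla/5.0"},
    "crawler_ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "serp_referer": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.google.com/search?q=test"},
}
SAMPLE = {  # constructed responses, not taken from any real site
    "direct": "<title>Acme Gardening</title><a href='/about'>About</a>",
    "serp_referer": "<title>Cheap pills online</title><a href='/about'>About</a>",
    "saved_cache": "<title>Acme Gardening</title><a href='http://other.example/'>pills</a>",
}

class _Summary(HTMLParser):  # collects <title> text and hosts of absolute <a href> links
    def __init__(self):
        super().__init__()
        self.title, self.hosts, self._in_title = "", set(), False
    def handle_starttag(self, tag, attrs):
        self._in_title = tag == "title"
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").netloc.lower()
            if host:
                self.hosts.add(host)
    def handle_endtag(self, tag):
        self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def summarize(html, own_host):
    parser = _Summary()
    parser.feed(html)
    return parser.title.strip(), parser.hosts - {own_host}

def fetch(url, headers, timeout=10):  # network access; not used by the sample run
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def compare(pages, own_host, baseline="direct"):
    """Report title changes and extra external link hosts versus the baseline."""
    base_title, base_hosts = summarize(pages[baseline], own_host)
    findings = []
    for name, html in pages.items():  # the baseline never differs from itself
        title, hosts = summarize(html, own_host)
        if title != base_title:
            findings.append((name, "title", title))
        if hosts - base_hosts:
            findings.append((name, "links", sorted(hosts - base_hosts)))
    return findings

if __name__ == "__main__":
    print(compare(SAMPLE, "acme.example"))
```

For a live check, build the input with `{name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}`. Cloaking keyed on the crawler's IP address will not show up in your own requests, so add the HTML of the search engine's cached copy as one more entry, as `saved_cache` does in the sample.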

7.       I Need To Set Up Alerts

What really shocked me is that these site owners still haven’t realized that they rank for these keywords. If you suddenly rank for or get traffic from dodgy keyphrases, it’s time to check WTF is going on. Now, in the case of user agent redirection, sometimes analytics will not record those visits. But they will most certainly show up as high-volume impressions if you are signed in with Google Webmaster Tools. AND they have a malware detection piece on there which is worth looking at once in a while.

8.       I Need To Monitor Catch All Accounts

Google does try to email those sites that they have flagged up:

Site Compromised

Site Compromised on All Accounts

But you need to monitor and even set up catch all email accounts:

“You can find out if your site has been identified as a site that may host or distribute malicious software (one type of “badware”) by checking the Dashboard in Webmaster Tools. (Note: you need to verify site ownership to see this information.) We also send notices to webmasters of affected sites at the following email addresses for the site:”

  • abuse@
  • admin@
  • administrator@
  • contact@
  • info@
  • postmaster@
  • support@
  • webmaster@

9.       Edu Sites Need some Serious help!

As part of the investigation, I had to scan a large number of SERPs for v1@6r@ related keywords. The most common resulting domain extension? That would be the “.edu”.  Google and/or someone else needs to teach these guys how to secure their sites… It’s not hard to spot the volume of hacking – see this simple query.

Or look at this gem:

edu Ranks for Buy that stuff Cheap

10.   .Gov sites are FUBAR

US Gov Search - Uncle Sam

Another common domain extension that shows up in the SERPs is the .gov extension. By the way, did you know Google has an old search page that only looks at Government sites? Look what I found through it: http://bit.ly/dOlzKR

Rishi Lakhani is an independent Online Marketing Consultant specialising in SEO, PPC, Affiliate Marketing and Social Media. Explicitly.Me is his blog.

{ 23 comments… read them below or add one }

Jey Pandian April 18, 2011 at 9:16 am

Thanks for sharing Rishil and Neyne.

Reply

Toby Mason April 18, 2011 at 9:23 am

Thanks Guys, some really interesting findings here. No one should underestimate the trouble these “hackers” would go to. Also the domain of the hacked site is rather apt!

Reply

David Iwanow April 18, 2011 at 9:48 am

Hmmm… that’s fairly damn cool, another point I saw was the delay between when you are first hacked and when you start to see the results… so the forward thinking on their part is actually fairly well structured and patient by any means…

The only other strange point I noticed about it all was that it wasn’t always the standard “cheap viagra” but more long tail and even mixing up the product set with some fairly unique and very specific long tail exact match URL pages, some of the terms driving traffic that I flagged when viewing keyword level data in analytics and across GWT. Problem was how long it had been sitting on the site before it started attracting traffic and it was not flagged by GWT at any point.

ambien coupon
buy amphetamines online
ordering amphetamines
nursing diagnoses for alcohol
xolnox
where do i buy alcohol online
free sample paper towels
amitriptyline and xanax
can you mix soma with ambien?

Disclosure: I had one of my client’s Joomla sites hacked, which is why I only really use WP now and don’t use crazy random plugins or themes where possible. The hacked site sat outside of the CMS in its own subdirectory, which made a visual inspection useless but increased the importance of verification with GWT.

Reply

kev grant April 18, 2011 at 10:05 am

Nice work lads, great forensics, and always glad to see some balance in the “WP is so unsafe” debate, in fact every time I’ve seen and had WP installations hacked it’s always been in conjunction with everything else on the servers at the same time.

looks like these Joomla sites are pretty wide open too if they know what they’re doing?

were all the hacked recipients of the links Joomla too, or didn’t it matter?

Reply

Brent Terrazas April 18, 2011 at 10:12 am

Thanks, was waiting to update a client’s site with an ecommerce solution we coded for ‘em until you posted this (after our talk on Friday). Pretty much just locked everything down and stripped out anything unnecessary to the site.. hopefully that’ll be enough but I doubt it. If a good hacker wants to hack your site… he’ll find a way.

thx for the info

Reply

Gordon Campbell April 18, 2011 at 12:14 pm

An absolutely amazing post. I love how you have proven that content is not always king, something I’ve been saying for a while (except for news sites and the likes) – it’s just one of these phrases that roll off the tongue easily that people remember and say a lot.

Footer links still work too – I was sitting on the fence with how effective these are, but obviously they still work.

And it’s great that you have probably made more people aware of the potential vulnerabilities in websites if you don’t keep your security up to date.

Amazing!

Reply

Zach April 18, 2011 at 5:52 pm

This is crazy, I love it! I see a .edu protection service on the horizon.

Reply

roey April 18, 2011 at 8:44 pm

in two weeks i just found out two clients of mine that have these spammy links
thanks for this great article. very profound.

Reply

Alan Bleiweiss April 18, 2011 at 8:47 pm

Good footwork and interesting conclusions. I’ve personally tested footer brute force and found it does work quite well under certain circumstances. Where I’ve found it doesn’t do as well as it used to depends on the type of sites and the market. When it’s a site that’s in an extremely competitive commercial market where that market isn’t in the v1@6r@ type classification, my own tests show that footer links aren’t as effective as they used to be. Just my own experience though.

And to continue fueling the fire, claiming that people who call out asshattery do so out of cowardice because they themselves cant compete with skill is one of the most baseless bogus rationalizations I’ve ever read. #JustSayin My clients are quite happy with the results I get them. Plenty of top organic rankings across many industries.

Reply

Ryan Clark April 18, 2011 at 9:19 pm

Wicked detective work and the office thoroughly enjoyed reading through it! As an SEO, I’d say the footer and blogroll links eventually get devalued, but Google is WAY too slow. They’ll just take on a new profile or domain and repeat the process all the live long day.

Matt Cutts and another spam team engineer have stated that the next big algo change will be focused on links, so that should be interesting!

Reply

Lucas April 19, 2011 at 1:52 am

I am not sure exactly what it says about me, but I would really like to have a slice of that spam pizza that you have pictured.

Very interesting article by the way.

Reply

Kaushal Shah April 19, 2011 at 4:25 am

Wow, wonderful hack. Really interesting! So will this start making newbie SEOs think that ranking for regular niche with this techniques is easy??

Reply

Kerry Dye April 20, 2011 at 8:52 am

What a great analysis. I did one about 3 or 4 years ago that showed up the same type of link network, where the hacked sites all interlink, but hadn’t come across one recently. Those were javascript insertion in php sites with vulnerabilities, so CMSs aren’t always to blame.

Reply

Noah April 20, 2011 at 7:28 pm

This Just happened today to Highpoint University In NC. Their Religion sub domain was referring to pill sites.

Reply

Gaurav April 21, 2011 at 12:31 pm

Excellent post Rishi

Please add the following in the beginning of this post !

This is not an endorsement of these techniques.
THIS CASE STUDY IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
And a
WARNING : Please do not operate heavy machinery after reading this.

Keep up the good work. Cheers

Reply

Roie April 23, 2011 at 8:30 pm

Excellent investigative work, to demonstrate what we all know by now – Google sucks and it’s far too easy to manipulate (at least for the short run)

Reply

Mike @SEO Toronto May 3, 2011 at 4:51 pm

Wow I feel really bad for the owners that got hacked.

But I can’t help but be excited about the insights that can be gleaned regarding the Google algorithm!
XD

Reply

Metacowboy June 19, 2011 at 10:57 pm

That was a hard lecture, but very well explained, so finally I got it fixed. Probably it’s wise to take a look at the htaccess for some mystic changes, and the search for “eval(base64_decode” helped to find the hidden infected files that inject the links.

Reply
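The file search mentioned in the comment above can be run over a whole web root, including subdirectories outside the CMS, with a short script. This is an added example, not code from the post or its commenters: `scan_tree` is a hypothetical helper, and flagging `.htaccess` conditions on referrer or user agent is an assumption about what a "mystic change" looks like, based on the cloaking the article describes; legitimate rules can match too, so treat hits as items to review by hand.

```python
import os
import re

# Obfuscation marker named in the comment; tolerant of whitespace and case.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
# Assumption: rewrite conditions keyed on referrer or user agent deserve review.
HTACCESS_COND = re.compile(
    rb"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I | re.M)
SCRIPT_EXT = (".php", ".inc", ".phtml")

def scan_tree(root):
    """Return sorted (relative path, reason) pairs for files worth inspecting."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower != ".htaccess" and not lower.endswith(SCRIPT_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(path, root)
            if lower == ".htaccess":
                for match in HTACCESS_COND.finditer(data):
                    findings.append((rel, "htaccess-" + match.group(1).decode().lower()))
            elif EVAL_B64.search(data):
                findings.append((rel, "eval-base64"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, rel)
```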

JamestheJust August 25, 2011 at 1:09 pm

I came here after reading Glen at Viperchill – he wasn’t kidding. Your blog’s awesome – this was an education way beyond my ability. But very informative. Now I’m waiting for the ‘how to avoid this’ post for newbies. :D

Reply

Katie Saxon August 26, 2011 at 12:32 pm

Well I’m off to set up Google alerts for all my clients now. Dodgy stuff.

Reply

Jan-Willem Bobbink September 16, 2011 at 1:18 pm

@katie it isn’t Dodgy stuff, just secure your Joomla, Wordpress etc installations

Reply

Slow February 23, 2012 at 12:58 pm

Anchor links shows for what these sites were previously used for. They are not hacked first time (lingerie and sex are probably remains of previously used spam) or they were dropped and bought for v1@6r@.

Reply

Alan Charnock March 9, 2012 at 12:41 pm

This happened to a WordPress site I own, but the hackers cleverly used a template site that I could only see once, and every other time I went back on it, it showed my normal site. Drove me mad; after weeks of trying to fix it I deleted all the files and started again.

Reply
