msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Tattoo Ideas For … Spammers

   21 Jul 11   Filed in General

Do you know how many people use Google Images to see a new tattoo of some celebrity or to search for tattoo ideas? What about using image search for hairstyle lookups? Or to find new wallpapers for your computer desktop? I’d say millions do it. That’s why these niches are particularly interesting for “black hats”.

Preamble

Back in May, I blogged about how criminals massively poisoned Google Image search results. They exploited a flaw in the image search ranking algorithm that allowed even small sites to hijack top positions simply hot-linking to popular images and using some keyword-reach texts (even completely unintelligible word sequences). In most cases, Google preferred such outright spammy pages to reputable websites that actually hosted the images (and usually were the copyright owners of them).

The whole situation was so bad that at the peak days (end of April – beginning of May) there had been millions of clicks on poisoned search results every day. Fortunately, Google has finally noticed the problem and started to blacklist hacked sites with doorway page and remove them from search results. In the Technology Review article, Google spokesman says “[Google] has since reduced the number of malicious links in image searches by 90 percent from peak levels“, which actually matches my personal observations and the statistics that I have.

The same spokesperson also emphasized that “[Google] continues to plug holes in its algorithms to head off new methods of attack.

While the amount of malicious (poisoned) image search results indeed has been significantly reduced, the original flaw in the ranking algorithm doesn’t seem to have been [properly] fixed. This post will be about a massive spam campaign that still flourish in Google Image search.

Spammy Blogger blogs

I noticed that group of Blogger blogs three months ago when I investigated the Image poisoning attack. The blogs were not malicious, just spammy, but they exploited the same flaw in Google Image search.

There are several thousand such blogs with more than a hundred (usually more than a thousand) posts in each. They managed to significantly pollute Image search results. The most spammed niches are hairstyles, wallpapers, and the ultimate “leader” is the the tattoo theme. Literally, every possible search query on tattoos in Google Image search returns quite a few results from those spammy blogspot.com blogs.

Tattoo ideas for arm

(Results in orange frames link to spammy blogs)

All those blogspot.com blogs follow the same pattern: hundreds of machine-generated spammy posts with hot-linked images. Each blog post targets some particular keywords, e.g “maori tattoo art“, “quote tattoo“, etc. and consists of several (usually 20) hot-linked images (top results for corresponding image searches) and short descriptions (apparently also extracted from search results) that make very little sence, for example “famous tattoo quotes somebody’s neck tattoo, to see quotes and phrases“.

Immigrationvoice & Macrumors

At some point, to “spice up” their blog post with more text, the spammers began to inserts completely unrelated excerpts from the immigrationvoice.org forum and from forums.macrumors.com. For example, try to Google for ["we have to make USCIS more transparent and effective"] or ["My question is when we try shaking two iPhones catching"] and check all the blogspot.com and zimbio.com results (see more about zimbio bellow).

Aggressive and shady ads

When you visit those blogs (with enabled scripts. not recommended though), it’s quite clear what was the whole idea behind this campaign. Search traffic is supposed to be monetized using aggressive advertisement placement. All blogs contain various banners and pop-ups that occupy the whole screen, moving the actual content of the blogs below the fold.

The most commonly used ad providers and “traffic boosters” :

  • 777seo .com
  • Paid-to-promote .net
  • home-sd .com
  • besthitsnow .com
  • adultfriendfinder .com
  • 2leep .com
  • ptp4ever .net
  • adv .blogupp .com
  • ymads .com
  • cdl .deplayer .net
  • www .trafficrevenue .net
  • ads .clicksor .com
  • blueadvertise .com
  • blueptp .com
  • picadmedia .com
  • adsensecamp .com
  • advpoints .com
  • ad .ad-u .com

Many of them have quite a questionable reputation (including malware distribution).

AdSense ads

Some of the blogs (about 1%) contain Google AdSense HTML blocks. However, their AdSense accounts seem to have been blocked already — they won’t show (Google generates empty iframes for them), which probably made them switch to shady ad providers at some point.

Multiple accounts

While all those blogs have individual templates, individual Blogger accounts, and individual accounts on ad networks, it is absolutely clear that they belong to the same people.

Why bother with so many accounts? Obviously to make it difficult to discover and shut down the whole network of splogs. If Blogger blocks one account, if won’t affect thousands of other blogs. If some ad provider suspends one suspicious account — not a big deal — it only contains few bucks and there are still many other accounts.

(Actually, Blogger is in the process of removing those spammy blogs. Out of more than 5,000 unique blogs from my list, more than 2,000 have already been removed by Blogger. Google still returns links to those removed blogs in search results though…)

But doesn’t it mean too much manual work to register thousands account when most services have CAPTCHAs and verification processes in place? As Brian Krebs writes on his recent blog post, there are many services where you can buy thousands of verified accounts or outsource account registration to low-wage workers in poor countries.

Zimbio.com & onsugar.com

Big sites like Zimbio.com and onSugar.com seem to have decided to piggyback on the same Google Images flaw and the existing network of spammy blogspot.com blogs.

They do it under the disguise of “user generated content”. For example, Zimbio allows users to import existing blogs into Zimbio articles (in exchange for the link to the original blog). So what we have now is thousands of fake Zimbio users with corresponding spammy blogspot.com blogs. Each blog post is republished by Zimbio, but now with their own ads. And because of the Zimbio.com domain reputation, they easily hijack search results that had been previously hijacked by the spammy blogs.

Here you can see, what I’m talking about:

Can it be that Zimbio is just abused by spammers? Maybe. The only reason for spammers to submit their blogs to Zimbio is to get a free backlink. But there are many other places where they could get backlinks without risk that Zimbio will simply hijack “their” search results and search traffic (which happens now). Moreover, they would have to manually register thousands of accounts on Zimbio or buy them (not so free backlinks after all).

My speculation about possible scenarios (from Zimbio perspective):

  • Spammers submitted their blogs in exchange for the backlinks? – Good, with their domain power and clever interlinking they will easily outrank them. Moreover, Blogger can remove those blogspot.com blogs, but the same posts on Zimbio.com will remain intact, thus can do better in the long run.
  • Zimbio found the network of splogs that rank well on Google Image search. Why not add them to Zimbio and pretend that users added them there themselves (the profiles are quire anonymous)?
  • The evilest scenatio: Zimbio created the spammy blogspot.com blogs themselves and then submitted them to Zimbio. This way they can monetize both spammy blogs and the zimbio traffic and it still looks like they are not connected.
  • Any other scenario, anyone?;-)

In every scenario Zimbio wins (unless Google eventually penalizes them for large percentage of spammy and duplicate content). It’s their strategy to publish (and republish) huge amount of user generated content that would rank well for various long tail searches.

The onsugar.com site uses similar approach (e.g http://uglytattoo.onsugar .com/small-tattoo-ideas-14264936)

Conclusion

While Google has managed to reduce the number of malicious links in Image search results, the original flaw is still widely abused by black hats. This problem shouldn’t be taken lightly just because the blogs described in this article are not malicious (yet). Here are just a few reasons why Google should address this issue:

  • These blogs prove feasibility of the approach. So the same scheme can be reproduced by people with more malicious intents.
  • Spammy blogs can easily turn into malicious one day. Given the choice of the ad providers, they can easily accept offers of, say, Fake AV guys (as you, know they have actively use affiliate schemes).
  • These blogs hijack search results and steal traffic from creators of the original content.
  • And after all, it’s a shame that Google has such a low quality of their images search results.

##

Question to readers: How often do you come across hijacked Google image search results (either malicious or simply spammy)?

Related posts:

Reader's Comments (%)

  1. |

    This probably explains why garden bloggers suddenly got a lot of hits from a tattoo site. It was when they had the international tattoo conference in Cape Town.