msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Rich Snippets in Black Hat SEO

   20 Dec 12   Filed in Website exploits

Competition in search marketing can be tough. Regardless of number of businesses/products/services relevant to a specific keyword there is only one top position and unless it’s your site at the top you miss out on the hefty share of the search traffic generated by that keyword. The lower the result is displayed the less attention it gets.

Even if you are in “business” of black hat SEO and can use whatever dirty tricks you like, you still can’t guarantee the top position for the most popular keywords since there are already many established reputable sites and other black hats competing for the same keywords. But if you can’t always get the top position, you can still try to make your results look more attractive than the rest and increase their click through rate, right? Right! And this post will be about one of such tricks

Take a look at this screenshot. Which result does stand out of the rest?

I guess you all noticed result #5.

Of course, #1 will still get most of the clicks, but if searchers want to check some more results #5 will definitely catch their attention:

  • It’s the only result on the page with “yellow stars” so it naturally stands out of the rest “blue-green-black” results.
  • The stars are actually a representation of some “rating”. And the “rating” is quite high (83% – whatever it means) with thousands (4498!) of votes, which gives some “social proof” to this link.

If you make a quick screenshot analysis you will notice that results #1, #2, #3 and #6 are most likely legitimate web pages with some information about the topic (articles, discussions) while results #4 and #5 are spammy doorways that lead to online stores selling counterfeit drugs.

If there were no “rating” snippet then results #4 and #5 would most likely be ignored by people who only search for some information. However, with this yellow hot spot, some of them will probably click on the result #5, whether out of curiosity or just because they don’t have a knack of result snippet analysis and the result with “rating” seems more credible to them.

On the other hand, if there were no rating snippet and someone was really interested in buying some generic pills then they would probably first click on the result #4 and then (if not satisfied) on #5. But the rating snippet makes result #5 much more attractive: despite of being displayed lower, it is more prominent and has some “social proof”, which may influence your decision a lot when you are going to purchase and consume something from an “unofficial source”.

Rich snippets.

These prominent yellow stars are one example of rich snippets. This is something that Google may display in search results in addition to normal snippets (title, URL, description) when it finds some structured data that it understands and that can help searchers with their specific queries. You might have seen various rich snippets in Google search results: prices of items for e-commerce pages, recipe details for cooking pages, author’s pictures next to posts of known authors, etc.

The result #5 is displayed with a “review” rich snippet. The idea of such review snippets is they can help users better identify pages with good content. Unfortunately, they can be easily abused.

In this particular case, I want to describe a massive black hat SEO campain that involves hundreds of hacked legitimate websites where hackers used “cloaking” to make search engines see spammy content on thousands (if not millions) web pages instead of their legitimate content. On this blog, you can find articles about many other similar attacks, but this one has a new feature — it uses microformats to have Google display rating rich snippets for the spammy search results.

Rating

Attack details

The attackers hack websites (at this point I mainly see WordPress and Joomla sites) and install some PHP code that detects search engine crawlers and either replaces legitimate content inside of certain tags (headers, lists, links ets.) with spammy keywords or replace the whole web pages. In addition, every such a cloaked page contain some specifically formatted rating data (microformat) which Google considers as legit and converts it to rating snippets in search results.

Examples of the HTML code for reviews used by spammers:

<div class="hreview-aggregate">
<span class="item">
<span class="fn">Viagra from india is the <b style="color:black;background-color:#ffff66">best</b></span>
</span>
<span class="rating">81%</span>
<span class="votes">5102</span> votes.
</div>

or

<div xmlns:v="http://rdf.data-vocabulary.org/#" typeof="v:Review-aggregate">
<b><span property="v:itemreviewed">Levitra kullanimi</span></b>
<span rel="v:rating"><span typeof="v:Rating"><b>
<span property="v:average">9.1</span></b> from <b>
<span property="v:best">10</span></b></span></span><b>
<span property="v:votes">494</span></b> votes. Total <b>
<span property="v:count">494</span></b> votes.
</div>

3 sub-campaigns

At this point these spammers promote three types of sites:

  1. Pills. Hacked pages contain the following text: THE BEST ONLINE PHARMACY. Bonus pills for every order.
  2. Payday loans. Hacked pages contain the following text: THE BEST PAYDAY LOANS. No fax needed. 15 Minute Loans. APPLY NOW!
  3. Porn. Hacked pages contain the following text: THE BEST FREE PORN Ads free sevice!

The spammy pages usually have two main functions:

  1. They work as doorways to web sites they promote (human searcher oriented)
  2. They reference other doorways to increase their page rank (search engine oriented)

Doorway functionality

When Google users click on the doorway results, the malicious script on hacked sites detects it and, instead of the legitimate page (which is for direct visits only) and the cloaked page (which is for search engines only), it either shows the third variant (the spammy offer page) or simply redirects to third-party sites that pay for this targeted traffic.

Right now the doorway pages redirect to:

  • hxxp://rxstore24 .net/search/?currency=USD&q=…
  • hxxp://worldbestonlinepharmacy.com/?wm=17750&tr=8030
  • hxxp://googl-analistic .com/analis/in.cgi?15&seoref… (TDS)
  • hxxp://www.icashloans.com/?c=…
  • hxxp://allmoviesdownload .net/in.py?16&ip…

To webmasters

From webmasters’ perspective this hack is no different from the rest similar hacks except for one thing that makes detection easier.

In Google Webmaster Tools, there is a Structured Data Dashboard (Optimization->Structured Data) that should display information about all the structured data that Google has picked up on your site. If you don’t have any structured data (most sites still don’t) or you don’t use structured data for reviews/ratings you should notice that something is wrong if you see such data listed there.

That’s one of the reasons why you want to register all your sites with Google Webmaster Tools and regularly check all its reports — you can spot surprising things there if your site is hacked.

Some other Webmaster Tools reports that proved to be very useful for security problems detection:

  • Traffic -> Search queries. This report shows keyword that people use to find your site on Google. If your site is about gardening and you see many “viagra” searches then there is definitely something wrong. This report also shows pages that people visit after clicking on Google’s search results — you might not recognize some URLs if hackers created hidden sections on your site.
  • Health -> Fetch as Googlebot. If you see strange search queries but can’t find those keywords on your pages then use this tool to find out what Google sees when it loads your pages. In case of cloaking, your pages can be slightly modified or even completely unrecognizable.
  • Health -> Index Status. This report shows number of indexed pages on your site. If you see a spike and you know that you didn’t add that many pages lately, then they could be created by hackers.

In addition to Google Webmaster Tools, you should monitor your site for unauthorized changes. Think about integrity or version control and regular backups.

##
Do you have other examples of malicious use of Google’s rish snippets?

Related posts:

Reader's Comments (7)

  1. |

    [...] what’s hot in spamming circles today? According to this post on the Unmask Parasites blog, its Google’s “rich snippets” microdata and micro formatting technology, which [...]

  2. |

    Interesting post. Rich snippets are definitely becoming much more important as webmasters look for ways to improve their CTR in the serps and also trust and credibility with Google. One great method is adding authorship to your website. This really helps to make it stand out by adding your Google+ profile picture to your search listing.

  3. |

    [...] encontrar más ejemplos sobre estas técnicas en este artículo de Unmask Parasites, además de algunos consejos para webmasters que vale la pena tener en cuenta. Categoría: [...]

  4. |

    [...] I still think it's worth asking the question: how long will the benefits last? Consider this post from UnMaskParasites, which details how spammers used a combination of structured review data, website hacking, and [...]

  5. |

    I’ve noticed Google continues to play round with rich snippets in the search results. Often they are excluded. I assume this will be an ongoing thing like everything else Google related.

  6. |

    I did not know about the tecnic doorway funcionality, is it new? I am wondering if some day there will be a tecnic that the spiders can not detect but I do not thing so…
    The truth is that sooner or later the algoritms will find any trick.
    So we just have to use WHITE SEO to be sure and never loose clients.

  7. |

    So I Am dealing with this exact issue on a wordpress site – but I cannot find any malicious code in the entire install of wordpress, both in the core files and any plugins or themes.

    What should I be looking for? is there any way to make progress with this? Google webmaster tools fetch still shows that this is happening, so it’s in there somewhere, but where?