
Analyzing [Buy Cialis] Search Results

   21 Aug 13   Filed in General

A few days ago I was updating the spammy word highlighting functionality in Unmask Parasites results and needed to test the changes on real websites. To find hacked websites with spammy content I would normally google for [viagra] or [cialis], which are arguably the most targeted keywords used in black hat SEO hacks. However, after Google’s June update to how it ranks web pages for spammy queries, I didn’t much expect to see hacked sites on the first page of search results for my usual [buy cialis] query and was ready to check a few more pages.

Indeed, for queries like [payday loans] I can see quite relevant results on the first three pages. All sites are specialized and don’t look like doorways on hacked sites. That’s really good. For [viagra] I found only one result on the first page pointing to a doorway on a hacked site. Still good.

However, when I entered a really spammy combination [buy viagra], the search results were less than optimal — 5 out of 10 led to hacked sites. And at least 2 of the remaining 5 specialized sites were promoted using hidden links on hacked sites. Not good. And the worst results (although ideal for testing my update) were for the [buy cialis] query — 100% of results on the first page (10 out of 10) led to doorways on hacked sites or simply spammy web pages. Not a single result from websites that really have anything to do with cialis.

[Screenshot: buy cialis results]

Results analysis

Here is the breakdown of the first 10 results (links go to real time Unmask Parasites reports for these pages and at the moment of writing they all reveal spammy content. However this may change over time):

  1. www.epmonthly .com/advertise/ — doorway on a hacked site
  2. werenotsorry .com/ — strange spammy site with rubbish content like this: “The car buy cialis in your car is the ultimate well source of electrical amazing power in your car.”
  3. incose .org/dom/ — doorway on a hacked site.
  4. www.deercrash .org/buy/cialis/online/ — doorway on a hacked site
  5. jon-odell .com/?p=54 — doorway on a hacked site
  6. www.goodgrief .org .au/Cialis/ — doorway on a hacked site
  7. www.asm .wisc .edu/buy-cialis — doorway on a hacked site
  8. www.mhfa .com .au/cms/finance-home/ — doorway on a hacked site
  9. www .plowtoplate .org/library/51.html — doorway on a hacked site
  10. john-leung .com/?p=16 — doorway on a hacked site

Over the course of the past week the results slightly fluctuated and sometimes I saw the following links on the first SERP.

Out of 18 links that I encountered on the first page for [buy cialis] 15 point to doorways on hacked sites, 1 to a site with unreadable machine-generated text (still not sure whether it’s some SEO experiment or a backdoor with a tricky search traffic processing procedure) and 2 specialized sites relevant to the query but with quite bad backlink profiles. Overall 0% of results that follow Google’s quality guidelines.

So Google’s update for spammy queries doesn’t seem to work as it should, at least for some über spammy queries. It’s sad. And the reason why I’m sad is not that I worry about people who use such queries on Google to buy some counterfeit drugs. My major concern is that this situation justifies the huge number of sites (many thousands) that cyber-criminals hack in order to put a few of their doorways at the top for relevant queries on Google.

Behind the scenes

The above 15 hacked sites that I found on Google’s first SERP are actually only the tip of the iceberg. Each of them is linked to from many thousands (if not millions) of pages on similarly hacked sites. Here you can see a sample list of sites that link to the above 15 (you might need a specialized tool like Unmask Parasites to see hidden and cloaked links there).

Many of the hacked web pages link to more than one doorway page, which maximizes the chances that one of them will finally be chosen by Google to be displayed on the first page for one of the many targeted keywords. At the same time this helps to keep a pool of alternative doorways in case some of them are removed by webmasters or penalized by Google. As a result, the networks of doorways, landing pages and link pages can be massive. Here you can see a list with just a small part of spammy links (338 unique domains) that can be found on hacked web pages.

.gov, .edu and .org

Among those hacked sites you can find sites of many reputable organizations, which most likely greatly help to rank well on Google. There are many compromised sites of professional associations, universities and even governmental sites, for example (as of August 19th, 2013):

Volume of spammy backlinks

If you take some of the top results and check their backlink profiles (I used Majestic SEO Site Explorer), you’ll see how many domains can be compromised (or spammed) in just one black hat SEO campaign. And we know that there are many ongoing competing campaigns just for “cialis” search traffic, so you can imagine the overall impact.

[Screenshot: backlink profile]

In the above screenshot you can see that thousands of domains link to “www .epmonthly .com/advertise/” using various “cialis” keywords.

The situation with “www .epmonthly .com/advertise/” is quite interesting. If you google for ["www.epmonthly .com/advertise/"] you’ll see more than a million results pointing to web pages where spammers used automated tools to post spammy links (including this one) in comments, profiles, etc. but failed to verify whether those sites accept the HTML code they were posting (still, many sites, while escaping the HTML code, automatically make all URLs clickable, so those spammers finally achieve their goal).

Typical black hat SEO tricks

In addition to annoying but pretty harmless comment spamming, forum spamming and creating fake user profiles, black hats massively hack websites with established reputation and turn them into their SEO assets.

The most common use for a hacked site is injecting links pointing to promoted resources (it can be a final landing page, or a doorway, or an intermediary site with links). Here is what such web pages may look like in Unmask Parasites reports:

[Screenshot: spammy keyword highlighting]

To hide such links from site owners, hackers make them hidden. For example, they can place them in an off-screen <div>:

<div style="position:absolute; left:-8745px;">...spammy links here...</div>

Or put them in a normal <div> and add JavaScript that makes this <div> invisible when a browser loads the page:

<div id='hideMe'> ... spammy links here.... </div>
<script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>

The JavaScript can be encrypted.

e v a l(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('2.1(\'0\').5.4="3";',6,6,'bestlinks|getElementById|document|none|display|style'.split('|'),0,{}))

which translates to

document.getElementById('bestlinks').style.display="none";

where “bestlinks” is the id of the <div> with spammy links.
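The packed sample above can be decoded without running it. This added example (not code from the original post) redoes the wrapper's token substitution as plain string handling; the names `unpack` and `encodeIndex` are made up for illustration, and the decoder body is left out of the sample string because only the argument list is parsed.

```javascript
// Static unpacker for the p,a,c,k,e,d wrapper: rebuilds the script as text
// and never calls eval(), so the hidden code is read, not run.

// Token encoding used by the packer: base-`a` digits 0-9, a-z, then A-Z.
function encodeIndex(c, a) {
  const head = c < a ? "" : encodeIndex(Math.floor(c / a), a);
  const r = c % a;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

function unpack(packed) {
  // Pull out: ('payload', radix, count, 'word|word|...'.split('|')
  const m = packed.match(
    /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)/
  );
  if (!m) return null; // not this wrapper's call shape
  const payload = m[1].replace(/\\(.)/g, "$1"); // undoes \' and \\ only
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = m[4].split("|");
  // An empty dictionary slot means the token stands for itself.
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    dict.set(token, words[i] || token);
  }
  return payload.replace(/\b\w+\b/g, (t) => (dict.has(t) ? dict.get(t) : t));
}

// Argument list copied from the sample in the post (spacing in the first word kept).
const PACKED_SAMPLE = String.raw`e v a l(function(p,a,c,k,e,d){/* decoder body omitted */}('2.1(\'0\').5.4="3";',6,6,'bestlinks|getElementById|document|none|display|style'.split('|'),0,{}))`;

console.log(unpack(PACKED_SAMPLE));
```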

Sometimes, encrypted JavaScript can be coupled with dynamic HTML generation of the link container. After decryption it looks like this:

document.w ri t e('<style><!-- .read {display:none} --></style><address class="read">');
...spammy links here...
document.wri te('</address>');

Of course, it’s only a client-side representation of the problem. On the server side, it’s rarely this straightforward. Most times it involves obfuscated (usually PHP) code in sneaky places (e.g. themes, plugins, DB, etc.)
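A quick way to triage a page's served HTML for the three client-side patterns shown above, as an added example that is not part of the original post or of Unmask Parasites. The function name, rule names and sample pages are assumptions made for illustration, and the sample markup is constructed.

```javascript
// Triage scanner for the three client-side hiding tricks described above.
// Regex heuristics over raw HTML, not a parser: legitimate menus and
// skip-links can match too, so treat every hit as "look at this by hand".

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function findHiddenContainers(html) {
  const findings = new Map(); // "rule:evidence" -> finding, to drop repeats
  const add = (rule, evidence) =>
    findings.set(`${rule}:${evidence}`, { rule, evidence });

  // 1. Inline style that pushes the element hundreds of pixels off-screen.
  const offscreen =
    /<\w+[^>]*style\s*=\s*["'][^"']*(?:left|top|text-indent)\s*:\s*-\d{3,}px[^"']*["'][^>]*>/gi;
  for (const m of html.matchAll(offscreen)) add("offscreen-style", m[0]);

  // 2. Script that hides, by id, an element present in the same page.
  const hideById =
    /getElementById\(\s*['"]([^'"]+)['"]\s*\)\.style\.(?:display|visibility)\s*=\s*['"](?:none|hidden)['"]/gi;
  for (const m of html.matchAll(hideById)) {
    const idAttr = new RegExp(`\\bid\\s*=\\s*['"]${escapeRe(m[1])}['"]`, "i");
    if (idAttr.test(html)) add("script-hides-id", m[1]);
  }

  // 3. document.write() that emits a display:none CSS class on the fly.
  const writtenRule =
    /document\.write\([^)]*\.([\w-]+)\s*\{[^}]*display\s*:\s*none[^)]*\)/gi;
  for (const m of html.matchAll(writtenRule)) add("written-hidden-class", m[1]);

  return [...findings.values()];
}

// Constructed sample pages; spam.example is a placeholder domain.
const HACKED_PAGE = [
  `<div style="position:absolute; left:-8745px;"><a href="http://spam.example/a">x</a></div>`,
  `<div id='hideMe'><a href="http://spam.example/b">y</a></div>`,
  `<script>document.getElementById('hideMe').style.visibility = 'hidden';`,
  `document.getElementById('hideMe').style.display = 'none';</script>`,
  `<script>document.write('<style>.read {display:none}</style><address class="read">');</script>`,
].join("\n");
const CLEAN_PAGE = `<div id="menu" style="left:10px"><a href="/about">About</a></div>`;

console.log(findHiddenContainers(HACKED_PAGE));
console.log(findHiddenContainers(CLEAN_PAGE)); // []
```

The scanner only sees hiding code that is present in clear text, so a script that is still packed has to be decoded before this check can match it.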

Doorways

Sites that rely on black hat SEO techniques get penalized by Google soon enough, so they can’t expect much search traffic directly from search engines. Instead they try to promote many disposable doorways on other reputable sites that would redirect search traffic to them.

The typical approach is to hack a website and use cloaking tricks (generating a specialized version with spammy keywords specifically for search engines while leaving the original content for normal visitors) to make search engines think that its pages are relevant for those spammy queries. E.g. check the title of the “www.epmonthly .com/advertise/” when you visit it in a browser (“Advertise“) and when you check it in Unmask Parasites or in Google’s Cache (“Buy Cialis (Tadalafil) Online – OVERNIGHT Shipping“). Then they add some functionality to distinguish visitors coming from search engines and redirect them to third party sites that pay hackers for such traffic.
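The title comparison described above can be turned into a repeatable check once you have both copies of a page, the one your browser received and the one a search engine saw (for example, saved from its cache). This is an added example, not code from the original post; the function names, the term list and both sample documents are assumptions, with only the two titles taken from the text.

```javascript
// Compares the copy of a page served to a normal visitor with the copy a
// search engine saw. Cloaking may key on IP address as well as headers, so
// the crawler copy is assumed to come from the search engine's own cache.

const SPAM_TERMS = ["cialis", "viagra", "tadalafil", "payday loans"]; // assumed list

const titleOf = (html) =>
  (html.match(/<title[^>]*>([\s\S]*?)<\/title>/i) || ["", ""])[1].trim();

// Hosts of absolute links found in the markup.
const linkHosts = (html) =>
  new Set(
    [...html.matchAll(/<a\b[^>]*href\s*=\s*["']https?:\/\/([^\/"':?#]+)/gi)]
      .map((m) => m[1].toLowerCase())
  );

// Spam terms present in the visible text (tags stripped).
const spamHits = (html) => {
  const text = html.replace(/<[^>]+>/g, " ").toLowerCase();
  return SPAM_TERMS.filter((t) => text.includes(t));
};

function cloakingDiff(browserHtml, crawlerHtml) {
  const visitorHosts = linkHosts(browserHtml);
  const visitorTerms = spamHits(browserHtml);
  return {
    titleChanged: titleOf(browserHtml) !== titleOf(crawlerHtml),
    crawlerOnlyHosts: [...linkHosts(crawlerHtml)].filter((h) => !visitorHosts.has(h)),
    crawlerOnlyTerms: spamHits(crawlerHtml).filter((t) => !visitorTerms.includes(t)),
  };
}

// Constructed samples; partner.example and pills.example are placeholders.
const BROWSER_COPY = `<html><head><title>Advertise</title></head>
<body><a href="http://partner.example/rates">Rates</a></body></html>`;
const CRAWLER_COPY = `<html><head><title>Buy Cialis (Tadalafil) Online – OVERNIGHT Shipping</title></head>
<body><a href="http://partner.example/rates">Rates</a>
<a href="http://pills.example/">buy cialis online</a></body></html>`;

console.log(cloakingDiff(BROWSER_COPY, CRAWLER_COPY));
```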

The redirects may be implemented as .htaccess rules, client-side JavaScript code, or server-side PHP code.

Sometimes, instead of using cloaking, hackers simply create a whole spammy section in a subdirectory of a legitimate site, or a standalone doorway page. Example from our cialis search results: www .asm .wisc .edu/buy-cialis .

To Webmasters

It might be tricky to determine whether your site fell victim to a black hat SEO hack since hackers do their best to hide evidence from site owners and regular visitors. At the same time antivirus tools won’t help you here since links and redirects (in case they can actually see them) are not considered harmful. Nonetheless, a thoughtful webmaster is always equipped with proper tools and tricks (click here for details) to determine such issues. They range from specialized Google search queries and reports in Webmaster Tools to log analysis and server-side integrity control.

In addition to the tricks that I described here, you can try to simply load your site with JavaScript turned off. Sometimes this is all it takes to find hidden links whose visibility is controlled by a script.

Fighting black hat SEO hacks

Of course, site owners are responsible for what happens with their sites, and should protect them and clean them up in case of hacks. Doorways on hacked sites would never appear in search results if all webmasters quickly mitigated such issues.

But let’s take a look at this from a different perspective. The main goal of all black hat SEO hacks is to put their doorways at the top on Google for relevant keywords and get targeted search traffic. And 80% (or even more) of massive campaigns target a very narrow set of keywords and their modifications. If Google actively monitored the first pages of search results for such keywords and penalized doorways, this could significantly reduce the efficacy of such campaigns, leaving very little incentive to hack websites to put spammy links there. And you don’t have to monitor every possible keyword combination. In my experience, most of them will finally point to the same doorways.

I can see Google moving in this direction. The description of the above mentioned ranking algorithm update is very promising. However, as the [buy cialis] query with 0% of relevant search results on the first page shows — a lot should be improved.

P.S. Just before posting this article, I checked results for [buy cialis] once more and … surprise!.. found a link to a Wikipedia article about Tadalafil at the 4th position. Wow! Now we have 1 result that doesn’t seem to have anything to do with hacked sites.


Reader's Comments (2)

  1.

    Hi Dennis,

    Great analysis, very interesting.

    I actually contacted the support team at Volunteer.gov a couple of weeks ago, and they were able to remove the hacked pages they were hosted, as well as the other .govs. Great result, was happy at that :)

    They were hosting a pharma online store, which on investigation was apparently set up to facilitate credit card fraud.

    Cheers
