Rich Snippets in Black Hat SEO
Competition in search marketing can be tough. Regardless of number of businesses/products/services relevant to a specific keyword there is only one top position and unless it’s your site at the top you miss out on the hefty share of the search traffic generated by that keyword. The lower the result is displayed the less attention it gets.
Even if you are in “business” of black hat SEO and can use whatever dirty tricks you like, you still can’t guarantee the top position for the most popular keywords since there are already many established reputable sites and other black hats competing for the same keywords. But if you can’t always get the top position, you can still try to make your results look more attractive than the rest and increase their click through rate, right? Right! And this post will be about one of such tricks
Continue »»
Selected Tweets (Oct-Nov 2011)
Selected short messages and links you might have missed if you don’t follow me on Twitter.
It has been a while since the last Tweet Week. The main reason is I don’t tweet that often now to post my tweets every week and I don’t want to post old news here either.
So what happened? The answer is I can’t get used to Twitter web interface – it is so inconvenient. I had to use it when I had some strange problems with my Twitter client (twhirl). Thank’s god, I’ve finally made my twhirl work so I hope I will be able to tweet more often.
Anyway, here are some of the latest tweets.
Continue »»
Tweet Week: August 22-28, 2011
Selected short messages and links you might have missed if you don’t follow me on Twitter.
TimThumb attacks, We Stop Badware Host program, blog scrapers, Apache DOS and workaround »»
Two Tweet Weeks: August 8-21, 2011
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Following the Black Hat SEO Traces
This is a follow up to my last week’s post about hacked WordPress blogs and poisoned Google Images search results. Cyber-criminals infiltrated 4,000+ self-hosted WP blogs and created doorway pages that would redirect visitors coming from Google Images search to scareware sites. A few days ago I posted a short update to let you know that Google has removed the doorway pages from its index. I also promised to share some new interesting details about that black hat SEO campaign. So here we go!
Continue »»
Google Image Poisoning. What’s New in June?
This is the second (more techie) part in the series of posts about a new wave of the Google Image poisoning attack. This part will heavily refer to the detailed description of the attack that I made back in May. Most of the aspects are still true so I will only talk about changes here. If you want to have a complete picture, I suggest that you read the original description first.
Changed doorway behavior
After May 18th, I noticed that doorway pages no longer redirected me anywhere when I clicked on poisoned search results. Neither to bad sites nor to home pages of compromised sites. Instead they displayed the spammy content generated for search engine crawlers only.
That was strange. That could never happen if the old algorithm was still in use.
Then I checked the cache directories (./.log/compromiseddomain.com/) and found new maintenance files there: don.txt and xml.txt. The don.txt file contained HTML template of spammy pages and was a replacement for the shab100500.txt file used by the original algorithm. The xml.txt contained the following string: bG92ZS1ibG9nY29tLm5ldA==, which decoded (base64) to “love-blogcom.net“. It was clear it was a more secure replacement for xmlrpc.txt that stored the domain name of a remote malicious server in plain text.
A few days later, the xml.txt files was replaced by xml.cgi, which was a clever step since .cgi files produce server errors when you try to open them in directories that aren’t configured to execute CGI scripts.
So I knew that the doorway script was updated, but I couldn’t understand why the doorways exhibited no malicious behavior when I clicked on hijacked image search results. That didn’t make much sense. What was the purpose of showing those spammy unintelligible pages without trying to monetize the traffic? The only plausible idea was they were playing the “long game” and needed some time to have the new pages rank well without risks of being identified as cloaked or malicious content, and when many pages reach prominent positions in search results they’ll start redirect web searchers to bad sites. Well, that was a working hypothesis until I got the source code of the new doorway script. The reality is crooks don’t want to play “long games” if they can monetize right away – the new doorway pages did redirect to bad site but my virtual environment wasn’t properly configured to trigger the redirects.
Continue – Dissecting the updated Google Image poisoning attack »»
Tweet Week: May 9-15, 2011
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Imgaaa .net And Other Blacklisted Domains Used in Google Image Search Poisoning
This is a short follow up on my post about hacked sites that poisoned Google Image search results.
As I mentioned in that post, most compromised sites where hackers created malicious doorway pages, contained one of the following images or iframes in their legitimate index pages.
Continue »»
Thousands of Hacked Sites Seriously Poison Google Image Search Results
This investigation began a few weeks ago, when I came across the following two threads in website security forums:
[badwarebusters.org] Lately I have been seeing a huge increase in the number of hacked sites appearing on google image search results that redirect to a fake Av scanner. more »»
[Google Webmaster Help] google image search results often has multiple infected / malware sites on the first SERP page. more »»
This is a well known problem. I blogged about such SEO poisoning attacks several times here. This time I decided to check what’s behind the reported increase in malicious image search results.
Continue »»
Tweet Week: April 11-17, 2011
Selected short messages and links you might have missed if you don’t follow me on Twitter.
DMCA, Flash zero day, Avast glitch, imgaaa attack, Qubes OS …
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
