The Story of Clip:rect – A Black Hat SEO Trick

We regularly write about Black Hat SEO hacks here. Such hacks help hackers monetize their access to compromised sites by incorporating them into massive schemes that try to manipulate search engine results for queries that potential clients may be interested in. Think of gray areas like: payday loans, pharmaceuticals, counterfeit drugs and luxury goods.

As you know, search ranking is all about the number and quality of inbound links to your site. To promote a web page, spammers need to place a link to them on as many sites as possible. This is why injecting spammy links into hacked sites is an important step for most Black Hat SEO schemes.

You can’t simply add links to someone else’s pages and expect that the site owner will tolerate it, so hackers make such links invisible to normal site visitors and visible to search engine bots.

There are many tricks they can be used to hide links. It can be a sophisticated server-side cloaking (detecting search bots by IP/UA and injecting the SPAM on the fly), or a simple HTML trick like setting styles to display:none. In this post, we’ll talk about something in the middle, a trick that involves deceptive JavaScript and creative use of CSS.

The use of JavaScript is based on the premise that search engine bots don’t execute them (which is only partially true), and most humans use web browsers with JavaScript enabled. You can inject a block of links into a web page along with a script that makes that block invisible immediately after loading the page.

Here’s an example:

<div id='hideMe'>
<a href="hxxp://www.example.com/spammy-page1">online cheap viagra buy</a> ..tons of links here... <a href="hxxp://www.example.org/spammy-page50">buy tramadol online</a></div>
<script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden'; document.getElementById('hideMe').style.display = 'none';}</script>

Easy, isn’t it? This approach does have a few drawbacks. It’s very obvious.

It’s written in plain English (hideMe, visibility=hidden, etc), and webmasters can easily interpret what this code does. At the same time, you can’t underestimate Google’s ability to understand simple JavaScript and such obvious style manipulations. It’s also easy to find the links when scrolling through the source code of a web page.

It’s likely why we have been observing this trick evolve over time.

  1. Put everything on one line with the JavaScript right before the link block. This way you’ll see only the script if you scroll down the HTML source code. You need to use horizontal scrolling to see the links, so it’s easy to miss them.
  2. The script should not disclose that it hides some content.
  3. At the same time the script should look credible and doesn’t produce any suspicion.
  4. And finally, the script should not use too obvious style manipulation instructions that can be recognized by “advanced” bots (such “visibility:hidden”, “display:none”, etc) to hide the links.

This is what we get as a result:

<s cript language="JavaScript">var _ga8 = [];	   _ga8.push (['_setOption', '1301851861911781711021861911821711311041861711901861171']);     	_ga8.push (['_setOption', '6918518510413211618517817517017118416518918416718218217']); 	   _ga8.push (['_setOption', '1184165171180193182181185175186175181180128167168185181']);    	_ga8.push (['_setOption', '1781871861711291691781751821281841711691861101221251231']);    	 _ga8.push (['_trackPageview', '8219011416718718618111416718718618111412212512318219011']);    	_ga8.push (['_setOption', '1129195130117185186191178171132']); 	var t=z="",l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga8.length; v++) t += _ga8[v][1];l=t.length; while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70); d ocument.write(z);</sc ript>
<div class=slider_wrapper_en><p>Online payday store taking payday loan which Get Cash Loan Australia <a href="hxxp://spammy-site1. com/" title="The Simplest Ways to Get a Cash Loan">Get Cash Loan Australia</a>..tons of spamm here:. <a href="hxxp://spammy-siteN. com" title="Cheap Tadalis Soft">Cheap Tadalis Soft</a> suits your bills at risk.</p></div>

Note: the above is a single line of code. We broke it down to several lines just to show key elements of it.

When scrolling through HTML source code of an infected web page, you see something like “var _ga8 =  []; _ga8.push ( ["_setOption'" along with a string of numbers. Links are off the screen and the class name of the block (slider_wrapper_en) are not as suspicious as hideMe.

This code also resembles a popular Google Analytics script that you can find on almost every other site on the Internet. So it may not catch your eye at all when you are searching for something "suspicious". Even if you check the entire code base, you will have no idea what it does without trying to decode it, which may be something that many webmasters don't know how to do.

Clip:rect trick

If you decode it, you'll see the following:

<style type="text/css">.slider_wrapper_en{position:absolute;clip:rect(475px,auto, auto,475px);}</style>

It doesn't look dangerous, does it?

At the first glance it doesn't look like something that can be used to hide content. It doesn't resemble other well known tricks like setting something invisible ( "visibility:hidden", "display:none") or placing something into a tiny block (height:1px; width:2px), or moving the content far off the screen (position:absolute: left: -12000px; top: -999px;). After all, the top and left coordinates of 475 pixels in this code suggest something that should be visible even on most modern smartphones!

Still, this style does the trick and hides the spammy block.

clip:rect(475px,auto,auto,475px); style tells the page to show the part of that <div> limited by a rectangle with top coordinate of 475px, and left coordinate also at 475px. Check this article for a much better explanation about how the clip property works.

The length of the spammy text in the <div> is chosen so that regardless of the actual <div> width, its text will always be either above the clipping region or to the left of the clipping region, and this clip:rect style always selects an empty region. However, if hackers put too many links there, and the div’s width is only slightly bigger than 475 pixels, then some small part of the text may be visible, an artifact. That’s why hackers try to inject the <div> right after the tag to ensure the block is as wide as the page itself.

Talking about the artifacts: The smaller the numbers of coordinates of the top-left corner of the clipping region, the more chances some part of the spammy content will be visible. On the other hand, the larger the numbers of the coordinates of the top-left corner, the more suspicious it looks. In our experience, hackers identify the "safe" parameters as something between 400px and 500px.

We saw 9 variations of this script, plus some sub-variations of each of them. Visually the codes look almost the same, they just change variable names from _ga0 to _ga9. Here are some samples of the clipping regions they produced not including multiple sub-variations:

_ga0: clip:rect(473px,auto,auto,473px);
_ga1: clip:rect(486px,auto,auto,486px);
_ga2: clip:rect(404px,auto,auto,404px);
_ga3: clip:rect(478px,auto,auto,478px);
_ga4: clip:rect(480px,auto,auto,480px);
_ga5: clip:rect(440px,auto,auto,440px);
_ga6: clip:rect(466px,auto,auto,466px);
_ga7: clip:rect(434px,auto,auto,434px);
_ga8: clip:rect(475px,auto,auto,475px);
_ga9: clip:rect(442px,auto,auto,442px);
Fake WP plugin

We wrote about this attack in the beginning of 2013. It is known to be caused by fake "Google Analyticator", "Facebook Quiknotes" and "Bookcontact", WordPress plugins that have long been removed from WordPress repository, though you can still find their source code in the WordPress Plugin SVN repository:

Nonetheless, every now and then we still come across infected blogs.

What these fake plugins did was add a few extra lines of code into real plugins like Google Analyticator. Those lines fetched content from hxxp://home-ahref .com/v5/credit/<site-domain-here>, or hxxp://facebookcdn .com/v4/credit/<site-domain-here>, and injected it right before the <body> tag of blog pages.

Now, a few months later, both sites are still alive on a GoDaddy server (72.167.3.1), and those URL's still produce SPAM for injection. At this point the SPAM targets electronic cigarettes:

<style>.aasa{position:absolute;clip:rect(459px,auto,auto,459px);}</style><div class=aasa>Favorite electronic cigarettes are already criticized ....</div>

As you can see it still uses the same "clip:rect" trick. It works quite well even without the JavaScript.

SQL-injections

Those WordPress blogs are only a part of websites affected by that clip:rect SPAM. Try googling for [";clip:rect(475px,auto,auto,475px);"]. Right now Google reports 149,000 results for this very specialized query. Most of them are Asp/Asp.Net sites, and the injected code looks like this:

</title><script>doc ument.write("<style>.apru{position:absolute; clip:rect(475px,auto,auto,475px);}</style>");</script><div class=apru><a href=hxxp://onlineloanrdnr .com >online loan</a><a href=hxxp://nocreditloansdanwn .com >no credit loans...

Note: the </title> tag right before the script. It’s not a coincidence. It’s also a part of the injection. You may encounter it several times in the middle of the <body> section where there should be no <title>’s at all. It’s a clear sign of an SQL-injection. Hackers injected the above code at the end of the database field that is supposed to store the page title, and that closing </title> would help them have their injected code outside of the real <title> tag.

As it always seems to happen with such massive SQL-injection attacks, many sites don’t treat the injected code the way the attackers expect. As a result, Google has indexed that code on a large quantity pages. In terms of scale, just think about the sites where it worked correctly and Google didn’t have a chance to index the style code.

If you change coordinates in the above search to other known pairs (e.g. 404 and 404, or 434 and 434), you will find many more infected sites and web pages. Each search returns hundreds of thousands of results, and some of them even return millions (e.g. over 2,000,000 for 434).

Estimates of the impact

Of course these results can’t be taken as a number of infected sites. One infected site can contribute to thousands of web pages to Google’s index. Still, if you take the sites returned by Google for the above queries, and add the number of sites that Google might have missed because the injected code didn’t break the HTML, plus take into account WordPress blogs with the fake plugins and other hacked sites with similar code, you’ll get an estimated “market share” for the clip:rect Black Hat SEO trick. There are many unknowns in this formula, and we can’t say we come across such infected sites every day, but it can easily be thousands of websites.

To Webmasters

As you can see, hackers never have a shortage of ideas on how to use websites they get access to. They can be very creative in how they gain that access (from fake plugins to SQL-injections) and what they do to hide their dirty deeds. So here’s something you should know and do:

  1. Don’t trust third-party themes and plugins out of the box. Do some research and only install reputable software from official repositories like the WordPress Plugins Repository. Even then it’s never a 100% solution.
  2. When looking through the HTML code of your web pages, try to spot things that don’t belong to your website. If you see something that looks credible (like Google Analytics code) but you don’t remember adding it there, then it’s a strong sign that you should investigate exactly what that code does, and how it was added to your website. You can leverage tools like our free SiteCheck and Unmask Parasites scanners.
  3. Regularly check your site search results with Google’s [site:<yourdomain.com>] query. You may notice pages or keywords that don’t belong to your site. Try adding single words like “cialis”, “payday”, “cigarettes”, “gucci”, “casino” to that query. You can even create Google alerts for such queries.
  4. Take your site security seriously. Use up-to-date, fully patched software, make sure all passwords are strong and stored securely. If you develop your own website software, make sure you follow best security practices to properly sanitize user input and prevent various types of attacks. If for some reason you have to use an old version of some CMS or you’re stuck with a buggy custom website after your developer left you, then at least consider placing your site behind a web application firewall (WAF) like our CloudProxy that will block most attack attempts (including SQL injections) before they reach your server.

    1. Have you come across any new interesting tricks that hackers use to hide SPAM? Leave your experiences in the comments below!

Scan your website for free:
About Denis Sinegubko

Denis is the founder of Unmask Parasites and a Senior Malware Researcher at Sucuri.

  • http://www.gahe.co/ Gahe

    Very useful and supportive article. I wish I can do all of that in a short period of time.

  • michael

    Thanks for this. Excellent article indeed.

  • KARLA

    MUY IMPORTANTE LO QUE COMPARTEN

  • Jayanta Dey

    It’s very
    informative post. I am very pleased to find this blog. After reading your post
    learns lots about Black Hat SEO. I want to thank for your time for this
    wonderful read!!! Keep sharing.

  • http://www.clickfire.com/ Emory Rowland

    They are definitely getting smarter. Making the code resemble Google Analytic code is pretty devious.