Spotting a Hidden SEO Hack: “Play One”

SEO hacks continue to plague websites as attackers abuse SERP rankings for their own gain. The time and effort spent by the website owner creating content, optimizing pages and building links is stolen by an attacker in an instant.

For many years, spam injections placed inside legitimate pages have remained one of the most prevalent types of black hat SEO hacks that we encounter. In fact, SEO Spam made up over 30% of the malware families we saw while cleaning websites in the last year. Hackers are constantly inventing new tricks to make spam invisible to human visitors while remaining indexable by search engines. Black hat tactics like these are becoming more complex in order to avoid detection by the website owner.

In this post, we’ll outline a simple evolution of tactics used by hackers to hide spam. These steps detail a specific case that we saw but can easily be used to identify similar attacks.

  1.  With SEO hacks, the least complex trick is to put spam content inside a <div> with the display:none style. This is quite straightforward and easy to detect.
  1.  A more complex evolution of the same idea is making the <div> invisible on page load using JavaScript code like this:
document.getElementById(‘spam-div-id’),style.display = ‘none’;
  1. Even with this added complexity, it’s still easy to see which <div> is being hidden with the above code. To distract from this, the next step in the obfuscation is a dynamic generation of the ID inside the code. We described this approach in the “Double Hidden Style” Labs Note a couple of years ago. Hackers use random “numeric” div IDs and mathematical expressions to generate them in the code:
<div id="232">...spammy content here...</div>

<script>document.getElementById(116*2).style.display='none';</script>
  1. The code still looks suspicious as it’s clear that it makes something invisible. Now the attackers make the hack trickier to notice immediately. They improve the obfuscation – in addition to a more complex mathematical expression. Now instead of the suspicious “display” and “none” you can only see benign “play” and “one”.
<script>(function(g,h,i,f){i.getElementById(f).style['dis'+g]='n'+h;})('play','one',document,214*102+105);</script>

The script remains short but it’s difficult for webmasters to spot what it does at first glance. However, when you look at it more thoroughly, you can notice that it does exactly the same thing – it hides an HTML element with a “numeric” id:

document.getElementById(214*102+105).style[‘display’]=’none’;

This is just one line of the spam-hiding code evolution. There are many other approaches that hackers use to hide spam injections from human visitors while abusing the page’s SEO. If you think you may be the victim of an attack, we are here to help you detect them and remove malware from your sites.

You May Also Like