Analysis of a Malicious Blackhat SEO Script

  • April 26, 2018
Analysis of a Blackhat SEO Script

An enormous number of SEO spam infections are handled by us here at Sucuri. In our most recent hacked website trend report, we analyzed over 34,000+ websites and identified that 44% of all website infection cases were misused for black hat SEO spam campaigns.

Once a website has been compromised, attackers often use it to distribute malware, host phishing content, send spam emails, and a variety of other nefarious purposes. This can be significantly devastating to a website’s reputation, user experience, and credibility.

Spammers often employ special tools to identify high-ranking sites and leverage vulnerable websites for quick and easy SEO, which makes websites with an outdated CMS, plugin or theme especially so, easy targets.

SEO Spam on the Rise

Recently, we’ve noticed an increase in cases where compromised sites are being injected with malicious content to drive traffic to spam websites directly or through hidden links. This blackhat SEO technique is largely used by spammers to increase their client’s rank on search engines, like Google.

While investigating one of these cases, we found a randomly generated folder of text files that contained templates of pages along with iframes leading to malicious websites. We also found the malicious script responsible for generating those pages.

This script does all the heavy lifting for attackers by generating spam pages with the links and iframes for the keyword the attacker has defined:

Blackhat SEO Script

The script also employs an external service, like pingomatic.com, to ensure that all search engines are notified to crawl the new spam pages, providing the attacker with quick, easy SEO and rankings.

Third party service used to index SEO spam

In some cases, we have also seen sitemaps being generated and included in the robots.txt file, allowing search engines to find those spam pages and index them.

Mitigating Risk & Recovering from SEO Spam

Keyword spam can be devastating for a website. In the majority of cases, search engines like Google detect these malicious pages, blacklist the website and notify the webmaster that there is spam. This in turn impacts website visitors, ranking, and reputation.

To mitigate the risk of being targeted by bad actors looking for easy SEO opportunities, we highly recommend that you keep your CMS, themes, and extensions up to date. You can also leverage a cloud-based WAF to virtually harden your site and patch outdated software. This will prevent exploit requests from ever reaching your web server.

If your site has fallen victim to keyword spam or has been blacklisted, we can help. If you prefer to do things yourself, we’ve put together a guide on how to remove a Google Blacklist and recover your site.

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags
Related Categories
You May Also Like