Analyzing Proxy Based Spam Networks


We are no strangers to Blackhat SEO techniques, we’ve actually spent a great deal of time working and sharing various bits of information related to Blackhat SEO techniques over the years. What we haven’t shared, however, is the idea of Proxy-based Spam Networks (PSN). It’s not because it wasn’t interesting, it’s just not something we’d seen that often, or at all. As is often the case in the website security, techniques continue to evolve, they’re mastered and as such the space changes and it’s on us to understand, dissect and of course, deliver that information to each of you.

This naturally brings me to the latest trend we’re seeing, while difficult to quantify (you’ll soon see why) we have started to see and experience interesting configurations in which Blackhat SEO actors are employing the use of reverse proxies to:

  • Hijack and rank for your content.
  • Leverage that ranking for their own SEO needs (often with nefarious intentions).

Read More

RSS Reveals Malware Injections

There are multiple different ways to detect invisible malware on a website:

  • You can scrutinize the HTML code of web pages.
  • Use external scanners like SiteCheck or UnmaskParasites.
  • Get alerts from anti-viruses or search engines (both in search results and via their Webmaster Tools).
  • Try to open web pages with different User-Agents and check for changes.
  • Sometimes it is even helpful to open a page using a script blocker (the disabled scripts may hide spammy links injected into web pages).

It’s not a definitive list and sometimes we see some interesting ways that malware reveals itself. This time I’ll show how a fake WordPress plugin that was injecting invisible links to a porn site unmasked itself in via RSS feeds.

Read More

Combat Blackhat SEO Infections with SEO Insights

Blackhat SEO spam is the plague of the internet, and the big search engines take it seriously.

One of the worst spam tactics on the internet is becoming more common every day: innocent websites are hacked, and their best pages begin linking to spam. These Blackhat SEO spam tactics are fighting for expensive, high-competition keywords like: viagra, payday loans, casino… and lately a lot of high fashion spam.

This is a topic we write about often – it is rampant, after all. This time we’re going to dig into why it happens, what makes your site such an attractive target, and the SEO tools that can help you.

Read More

Spotting Malicious Injections in Otherwise Benign Code

Being able to spot suspicious code, and then determine whether it is benign or malicious is a very important skill for a security researcher. Every day we scan through megabytes of HTML, JS and PHP. It’s quite easy to miss something bad, especially when it doesn’t visually stick out and follows patterns of a legitimate code.

Let’s take a look at this screenshot:

seo-position-report .net  - Good or Bad?

seo-position-report .net – Good or Bad?

We can see two scripts at the bottom of the HTML code. The scripts are not obfuscated, have variables with clear names (seoJsHost, amount, orderId) and comments. The structure and placement of the scripts resembles Google’s scripts (e.g. Google Analytics). And we can see that the first script loads a JS file from “seo-position-report .net/SEO-report/js/seoTrac.js“, which suggests that it’s some kind of SEO tracker.

So far so good. There are many little-known third-party trackers — it’s probably one of those. It’s typical for them to load additional scripts from their sites.

The second script most likely configures the code loaded by the first script and prepares it to work with the current site. Quite plausible. So nothing suspicious — let’s move on to the next file…

Stop! Not so fast. You should not trust the code that you see for the first time. Let’s dig deeper, what exactly does the seoTrac.js do? Here is the complete source code:


It’s a page redirection code. It always redirects visitors to that page. This is not an expected behavior for a script that positions itself as a tracker. Moreover, this redirect prevents execution of the second script.

Now it’s clear that both scripts are simply masking the unwanted redirect and can be considered malicious, regardless of what that does. By the way, currently it redirects to various ad networks which point to scam ads, adultfriendfinder, and sometimes to parked domains.

Don’t Judge a Book by It’s Cover

What looked quite benign at the first glance, ended up being malicious after a more thorough analysis. So don’t be fooled by the look of code. Scrutinize everything that you can’t recognize.

As a website owner or webmaster, you should be familiar with all the third-party scripts that your website uses so that you could easily spot anything that doesn’t belong. I realize, that it may be not trivial for modern sites that use dozens of different scripts. No problem, you need to employ some sort of integrity control for your site. For example, use a version control system, or simply compare (e.g. diff) server files with canonical backup copies. This way you’ll eliminate the “human factor” and won’t need to rely on your code reading skills only.

Website Security: A Case of SEO Poisoning

There are so many ways your website can be co-opted by hackers for many different reasons, targeting the value created via your SEO is highly attractive. It provides an attacker the opportunity to cheat the system by quickly benefiting from your raw traffic, your audience. In this post we will share details of a recent case in which an attacker leveraged a websites organic traffic to funnel, steal, traffic to their desired pages.

What is SEO Spam

SEO Spam is designed to use your search terms and traffic against you by infecting your sitelinks with references and links to things not on your site. This is highly effective in impression based affiliate marketing, in which the marketeer gets paid by impression. It’s what made the pharama hacks so lucrative a business. As this model continues to spread, into things like Fashion, Online Gambling, Payday loans we’ll likely continue to see an evolution in the employment of SEO Poisoning attacks.

Read More

Not Just Pills or Payday Loans, It’s Essay SEO SPAM!

Remember back in school or college when you had to write pages and pages of long essays, but had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay them to write these essays for you.

The problem is this is not only wrong, but it’s also becoming a competitive market where some companies are leveraging SEO spam to gain better rankings on search engines (i.e., Google, Bing). They are also using popular sites like and to add their spam links.

Here are a couple example URL’s from sites that got hit (URL’s are still showing spam):

Read More

The Story of Clip:rect – A Black Hat SEO Trick

We regularly write about Black Hat SEO hacks here. Such hacks help hackers monetize their access to compromised sites by incorporating them into massive schemes that try to manipulate search engine results for queries that potential clients may be interested in. Think of gray areas like: payday loans, pharmaceuticals, counterfeit drugs and luxury goods.

As you know, search ranking is all about the number and quality of inbound links to your site. To promote a web page, spammers need to place a link to them on as many sites as possible. This is why injecting spammy links into hacked sites is an important step for most Black Hat SEO schemes.

You can’t simply add links to someone else’s pages and expect that the site owner will tolerate it, so hackers make such links invisible to normal site visitors and visible to search engine bots.

There are many tricks they can be used to hide links. It can be a sophisticated server-side cloaking (detecting search bots by IP/UA and injecting the SPAM on the fly), or a simple HTML trick like setting styles to display:none. In this post, we’ll talk about something in the middle, a trick that involves deceptive JavaScript and creative use of CSS.

Read More

Website Malware – SEO Poisoning

We’ve been seeing a lot of cases of SEO poisoning as of late and felt it was time to spend a little more time explaining it. That’s what this post will be about.

SEO, short for Search Engine Optimization is all the rave these days. Anybody that owns a website and is trying to make an impact or working to improve their traffic has heard the term, and has undoubtedly become an SEO expert. If you’re not familiar with SEO here is your quick definition:

…the process of affecting the visibility of a website or a web page in a search engine’s “natural” or un-paid (“organic”) search results.. – Source: Wikipedia

Many organizations will actually enlist the help of marketing consultants to assist in this optimization process and ranking on the first page is highly coveted by many. In essence, if you are able to rank on the first page for a specific keyword, phrase, subject, etc… you have the ability to generate a lot of traffic to your site. This in turn increasing the odds of visits, and if you’re an e-commerce site often equates to purchases, and if you’re a services company often equates to new clients. The idea is simple and highly effective, and what is even better is that most search engines like Bing, Yahoo and Google offer set criteria’s designed to improve your ranking within their searches.

It all sounds pretty awesome right?

Read More