How to diagnose and fix blackhat SEO branded keywords hijacking?

How to diagnose and fix blackhat SEO branded keywords hijacking?

Blackhat SEO branded keywords hijacking. Say whaaaat?! Oh, yes! Read about blackhat cloacking technique used mainly by scammers where your branded keywords are used to drive traffic to scam ecommerce sites. 

It all started with a large number of new external links pointing to one of our client’s websites and we’ll call them a “victim” from now on. 38 000+ links pointing to just one page, and there were plenty of others links pointing to other pages as well.  All in all – more than 500 000 new external links.

500 000+ backlinks

GWT incoming links

Links look fishy at first sight:

  • all links come from a domain of a topic completely  unrelated [bike parts/tools] to victim’s website [fashion retailer]
  • there’s a layer of redirection in the game
  • links redirect to a COMPETITOR’s website [in this case – a scam website with products related to victim’s website]
  • GET parameter resembles URL path structure of victim’s website
  • source domain is most likely hacked and being used as a host [infected host]

 

In this particular case, even Google is aware of the fact that the infected host is hacked:

Hacked infected host

 

It’s time for a bit of HTTP analysis… 

One URL is picked and analyzed:

capture-2015-05-22_008

As Google/GWT see it, it should have a link back to a valid victim’s URLhttp://www.example.com/brand-name.html

But instead, it redirects to a scam website [don’t buy anything from this SCAM site, you’ll see later why ;-)]:

http://www.stoneislandsshop.com/?keyword=http%3A%2F%2Fwww%2Esuperbiketool%2Ecom%2Fstois%2Fstois2015042107%2Easp%3Fmens%2Fadidas-black-stan-smith-trainer%2Ehtml

Of course, there are no backlinks to victim’s site on scam site. But how did Google got confused to properly index infected host’s URL and list that URL as a backlink?!

Let’s analyze redirects, or better say “redirects” step by step:

scam redirects

  1. [POST redirect] a link on infected host redirects using POST method to intermediate host [POST is important, as it stops Google from passing through]
  2. [CLOAKING] intermediate host [server side PHP script] then checks whether user-agent has “googlebot” – if so, it sets cookie. As page is rendered – it then redirects a client to a scam website using jQuery redirect [client side Javascript]  or to a Google is user-agent is “googlebot”
    <script src="js/jquery.1.4.4.js" type="text/javascript"></script><script>// <![CDATA[ if(cuslocked){window.location.href="http://www.google.com/";}else{window.location.href="http://www.stoneislandsshop.com/?keyword=";} // ]]></script>
  3. “cuslocked” – cookie that signals whether agent is googlebot or not
  4. [REDIRECT to a SCAM site] HTTP code 200, again – probably to avoid being detected as 30x redirect(s)
  5. SCAM webiste is loaded

As you can see, no 301 or 302 redirects.

Now we can create a list of all parties involved in this scheme and connect the dots:

  •  Victim[this might be you! 😉]
  •  Infected host [superbiketool.com] [some random, poor hacked website]
  •  Intermediate host [www.2015fashionnews.pw] [another poor random hacked website, or incautious scammer’s as in this case – explained later]
  •  Scam site [www.stoneislandsshop.com]

 

WHY this particular cloaking technique and how does scammer benefit from it?

  • Scammer has set up a topic ecommerce website [brand fashion store that looks like a real one].
  • Scammer knows that there are stores that are known for having that particular brand [victim], and that there are users performing a brand keyword queries  on Google
  • Scammer scrapes and recreates the whole victim website [with cloaking]
  • Scammer creates redirects that point to scam sites [making sure that Google is not redirected]

 

Wanna know how it looks in practice?

  • Victim site, but that might be you as well] is well known for selling products of Stone Island fashion brand (among others)
  • Scammer has set up a SCAM site that mimics a popular brand name store [stoneislandsshop.com]
  • Scammer has found/hacked some website[s] that is/are used as a cloaking host[s] site that will be indexed by googlebot [http://www.superbiketool.com/stois/stois2015042107.asp?*]
  • Victim site is scraped and content is recreated on a cloaking website [with all the branded keywords]
  • Googlebot indexes cloaked website [Googlebot can index content, as it’s not redirected as other user-agents]
  • User performs branded query [related to a victim] on a Google and get scam website high in SERP [due to the fact that indexed content is really related to a victim/brand]

Example:

Google: “adidas black stan smith victim’s brand name

Since query is performed including victim’s branded keyword “brand name”, scammer’s website is positioned very high in SERP.

 

How to protect and fix:

 

Related Inchoo Services

You made it all the way down here so you must have enjoyed this post! You may also like:

Magento 2 SEO Expert Advice Straight To Your Fingertips Lucija Majstrovic
, | 3

Magento 2 SEO Expert Advice Straight To Your Fingertips

What Is Link Building: Link Building Basics 101 Davorin Cernoga
Davorin Cernoga, | 6

What Is Link Building: Link Building Basics 101

How accurate is fresh data in Search Console reports? Davorin Cernoga
Davorin Cernoga, | 1

How accurate is fresh data in Search Console reports?

4 comments

  1. SERP Hijack is still very much in action even today and google is so tight lipped about it. Are they embarrassed ?
    You can read more about serp hijack at my blog : http:/scrapelink.com

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <blockquote cite=""> <code> <del datetime=""> <em> <s> <strike> <strong>. You may use following syntax for source code: <pre><code>$current = "Inchoo";</code></pre>.

Tell us about your project

Drop us a line. We'd love to know more about your project.