Blackhat Link Building: Payday Loans, Link Injection and WordPress

Most blackhat link building tactics that you see in forums these days have been around for years and are not blackhat in my opinion. These are greyhat tactics, they are not illegal, just outside of Google guidelines.

Typical stuff you see is:

Comment spam using GSA
Link networks
Private blog networks (PBNs)
Tiered link building
etc etc

I used to do loads of this type of stuff, but over time prefer building quality for my own sites and for clients. I’ll still play with some new stuff I see on test sites, this should be standard as an SEO even if you are holier than the holiest.

True blackhat link building is based around illegal activities, primarily hacking websites and placing links on the sites.  Link building that you could be arrested for under the computer misuse act 1990, though most of this act relates to stealing data.  But there is a another link building method that skates very closely on the blackhat edge- link injection via scripts.   This type of link building is scaled commercially by the Russian link network SAPE.  The network consists of 90,000+ sites all with the link injection scripts on them, mainly placed on them knowingly by webmasters or administrators that manage the sites. A small percentage of the sites are actually hacked and the link injection script placed on them.

Another way link injection scripts are added to sites is through vulnerable plugins, particularly on the WordPress.org platform.

Link Injection Case Study Example

The recent example I’ve seen was in the payday loan niche. One website was ranking #2 for a long time with seemingly only a handful of links. “How the fuck are they there?” – an SEO’s daily conundrum.  Initially I thought it was from shitload of cross-domain canonical links which are not picked up by any link analysis tools.

The domain in question was paydayloansnow.co.uk. Google has finally caught up with them and they’ve received a monster slap, totally banished from the SERPs.

After some digging, I discovered the site’s SERP position was being propped up by backlinks injected into websites, then cloaked so only Google could see them. The site owners would have been totally oblivious to what was going on.

Example:

Oracle Finance – as seen by users and domain owner

What Google was seeing:

Now the hack has been sorted and the cloaking turned off, Majestic started quickly picking up the lost links.  These were previously hidden from all link analysis tools:

How was it done?

It looks like the links were inserted into websites from a WordPress plugin (404-301) , highlighted by Wordfence in this article – a plugin with 70K installs.  Wordfence stated that the sites were not technically hacked, as you had to agree to the following to download the plugin:

By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.

I have spoken to the developer, who is mortified, and he pointed me in the direction of his response.  It seems like he was totally unaware of what was actually going on when he teamed up with another developer.

Though the sites were not technically hacked, it’s still beyond grey and verging on the black.  You won’t go to jail for this kind of stuff and the owner probably made some decent cash in the #2 position. The site is part of the Quint Pingtree which pays from £0.50 – £120 per lead. Form submissions are sent to a range of the top payday loan providers who bid on them depending on the quality of the lead.

Update: I’ve had it on good authority that the site should have been making around £10k/day – that’s from someone who has been in the niche for years and made a lot of money.

Though the sites were not technically hacked, there are plenty of other link injection scripts being placed on sites through hacking, mainly through vulnerabilities of the CMS.

WordPress Vulernabilities and Link Spam

Of all the content management systems (CMS) on the market, WordPress is by far the most vulnerable to attacks. Infact, WordPress is a complete joke.

Source

The rise of hacking has increased dramatically over the last few years, mainly for seo spam.  Though some hacks are done for Ad injection, spread malware, just to deface and even reports of ISIS hacking sites to spread propaganda.

Sucuri also breaks down how these hacks were carried out and the most used plugins.

Woprdpress Plugins – The weakest link

Source

Google’s algo cannot keep up

Though Google sometimes can detect website hacks/changes most often they don’t.

You only have to search for ‘buy viagra’ and refine search to last week to see recent hacks.

Link and content injections can be spotted using waybackmachine and Google’s cache of website.

Before
https://web.archive.org/web/20131207081038/http://silvers.ca/silvers.ca/Home.html

After
http://webcache.googleusercontent.com/search?q=cache:p_BSIK_RqVUJ:www.silvers.ca/+&cd=1&hl=en&ct=clnk&gl=uk

Google really needs to do better with this type of link spam – surely it’s not that hard for them to detect website changes through hacking or even link injection scripts.  But as they continue to work, people will keep using these methods. Let’s see what the penguin 4.0 has to offer.

Secure your WordPress site

I’m not going to write about securing your site there are plenty of good posts out there, but here is a good quick checklist >  Wordfence’s checklist

Tools to scan the vulnerability of your website

Securi site check – if you are running a large, profitable site I would recommend investing in their paid options.

Hacker target wordpress scan

Wpscan

WordPress exploit scanner plugin

Further reading

https://www.blackhat.com/docs/us-16/materials/us-16-Nakibly-TCP-Injection-Attacks-in-the-Wild-A-Large-Scale-Study.pdf

https://www.imperva.com/docs/Imperva_HII_Black_Hat_SEO.pdf

http://null-byte.wonderhowto.com/