Friday, August 7, 2009

Raking in the Cash - A Look at BlackHat SEO

Over the last several days I've been digging into the Black Hat SEO world... and some of the techniques that the dark side likes to employ to draw clicks and eyeballs to their sites. Whether they're serving up an online pharmacy selling Tramadol or Viagra, or performing drive-by malware installations or even pushing fake video codec malware through porn downloads... this is a big business that makes many times the money many of us make in our day-jobs.

In the final analysis... all of these techniques depend on poorly written code on the site that's being abused. Site that use injectable CMSes (via content injection such as SQLi or other techniques) are the biggest target since you can rather easily fingerprint the CMS and then google its fingerprint ... then write a quick automated script that'll crank out injections all day long. Here's one perfect example on, which appears to be using Movable Type CMS (follow this link [http:||] at your own risk, NoScript recommended).
What's interesting is that this is a user-content driven site, which has a pretty good page-rank [Ranked PR6] according to What this means is that Google's magic search engine formula is more likely to index this page and thereby bring users to a page like this... with the redirect. As you can see, the redirect goes to a Russian site (shocking that the Russians would be involved in organized exploitation like this... no, really); which if you do a little simple digging - has a huge presence in the Interwebs. Check this out, a Google of the link (http:||upop.ru_/in.cgi?7&parameter=Tramadol) brings up a mountain of sites that have been "injected" with this link. While many of these are comment-spam inserts (think X-Rumer ... from my previous post), there are plenty of instances where the injection just flat-out fails to launch... but the point remains clear -there are automated scripts out there that are hitting sites with this link.

One such injections, on [which has a PageRank of 4], is obviously a broken attempt to create a profile which is injected with the page-link... http:||

At any rate... the problem is obvious. Poorly coded sites that allow HTML links, and other gaping holes in them are fodder for these types of injections. You have to try and rationalize the reason for this type of attack. Are people actually making money off of injecting links into random sites?

The answer is yes... on a mass scale. Per unique visitor on the Tramadol keyword, a spammer is likely to pick up over $1USD. That's per click... the PPC (pay-per-click) for this specific keyword is about $6USD/click. Of course, the source also reveals that this is one of the most difficult keywords to rank (be high up in the Google search results) for... meaning, attract people to. Think about it... a successful injection of a well-ranked, well-trusted site with a high volume of daily traffic can possibly net you well over $1MM USD/month.

The problem doesn't end there. Keep in mind that links like this sometimes also deliver payloads... trojans which drop malware in droves. The economy for this is booming.

With vulnerabilities on the web sites multiplying like bunnies in May, gullible users clicking on fake video codecs, and 0days for a fully-patched Vista/IE8 a-plenty... how does one not make buckets of cash?

Mitigating this "problem"? Let's start with writing more sensible web sites, and maybe getting Google's engine a little more intelligent - but beyond that there isn't much you can do... and that's a sad, sad statement.


Anonymous said...

if someone (i can) rank for buy tramadol that also means they can rank for just about any pill or porn keyword they like, pill keywords going to russian cpa networks or tier 2 ppc networks, porn keywords going to malware related stuff, 1$+/unique on average for pills, 10-20c/unique on average for porn, you can make a nice bundle out of this stuff if you push it right and theres no reason once your setup you cant be ranking for 1000 different keywords all at once and sending the traffic for each of the keywords to what pays the best for them

so did you people who read this take the red pill or the blue pill? you still in the wonderland where your security you implemented is leet and noone will break in? still think that spending 1000's of hours on a single site will make you good return for the work? think that because you have the better site you make more money than others?

"welcome to the real world"

Rafal Los said...

@Anonymous - First off, I think you and my source would have a lot to talk about. Second, I'd be interested to think what you feel the biggest contributor to your successes is? I think it's easy to make fun of those doing the good work of trying to protect people (often from themselves) - and failing quite often. I think there's a point to be made here... seems like you're saying that the good guys should... what... just give up and come join you on the dark side?

Anonymous said...

im saying those that are convinced that the white path is the right path are naive, the less taking the black path the better for me though honestly most people plain dont have the skill to take the black path, to do blackhat properly you need to be a programmer or have one who you are willing to entrust with your ideas and who is capable of breaking captchas for you and so on without worrying about the person selling the code or using it themselves, plus you need to understand split testing and statistical analysis to get the most out of it (afterall, whats the point of doing this work if your losing 40% of your potential profit because you didnt do some basic stats work!)

just because someone spends time, money and effort on their whitehat work doesnt mean that they will stay ranking #1 for the term they are ranking for or that they will continue to make good revenue from it, whitehat work on the web is generally very slow to react to trends, i on the otherhand monitor trends daily (well, realtime but i aggregate them and daily i update what im targetting) and can instantly launch 100 sites on any niche i want in a matter of an hour of cpu time on a single server, a whitehat will write articles, build links by hand, write unique content... this all takes time and by that time im already making money from it

pick whatever side you like but i know that most sites that get in my way in the serps i can either overtake with little effort or blacklist the domain entirely and bingo the keyword is then mine, dont think it will be as easy to get my domain blacklisted as it was yours either, just because i do things automated doesnt mean i do them worse than you...

and hey, when was the last time ya's got a notice or a ban from google for too high ctr's or missing a dammed privacy policy or some other jibberish like that? tier 2 ppc networks are HAPPY to see 60% ctr's... and they pay... and they dont care that i do blackhat techniques to do it!

really, whitehat is for those who dont know any better or cant learn any better, by now im sure everyone who is reading this hates me but these are just real pieces of data, you can like me, you can hate me, but i have stats to back up everything i have put here...

is it really just morals stopping a bunch of people joining the dark side or what? come on people, you should realize theres better ways to make money online than working on a single site for years

go look for youself at some of the fun you can have