What we're saying - Tech & B2B PR blog

Pharma hack SEO link-spam hitting 30 per cent of top 100 results


Watch out, watch out, there's a link spammer about!

When researching possible future clients for our PR agency, one of the things we always check is how well their site is optimised for SEO, and this can sometimes lead to interesting surprises. One such was a UK trade association, where upon digging into the site we unearthed a nasty bit of 'black hat' SEO link-hacking spam, related (it appears) to that found by Rishil in his post about a link hacker.

Upon digging further, we found that when we searched for a phrase the spammers were targeting, 30% of the top 100 search results returned by Google were sites that had in some way been compromised without the (apparent) knowledge of the site owners. (If you're interested, the search was for a pharmaceutical product - think little blue pills for men online.)

It seems there are many, many sites still out there suffering from this hack and sadly, the spammers are using these techniques to score high results in searches for competitive pharmaceutical-related phrases.

While protecting against these attacks can be difficult (some sites were hit multiple times after being 'cleaned up') - you can at least protect yourself to some extent by ensuring that you are alerted should your site be compromised. 

If you're a busy reader here's this article in a couple of lines:

  1. Your website is valuable and there are bad people who will be happy to take advantage of it for you
  2. Those bad people, well they're smart and you may not spot it if (and when) they do compromise your site
  3. If your site is hacked, the higher profile you are, the more embarrassing the result
  4. Fortunately, it's relatively easy to get alerts when your site is compromised; as a bare minimum, set up an alert using Google Alerts
  5. If you can, keep your site and plugins up to date. 

To check your site for this particular scam, simply type site:[your domain name] "bad word" into a Google search to see if there's anything suspect on your site. Replace 'your domain name' with your site name (e.g. if it were amazon in the UK, you'd enter amazon.co.uk) and replace 'bad word' with your bad word of choice. A common one used by the spammers is vi*gr* (replace the asterisks with the letter a and put the entire 'bad word' in double quotes).

If you've got a bit longer, take a look at the image of the search engine results page (SERP) below. Ever heard of the Centre for Policy Studies? It's an influential UK think tank; check out their entry in the SERP (the one below the CPS is the University of Edinburgh School of Engineering). Note, these are quite old results (pre-Christmas 2012) and thankfully at least one of the sites responded to our notification and has addressed the issue. Sadly, many other site owners that we've contacted haven't fixed their sites.

[Image: linkspam-serp0, screenshot of the search engine results page]

 (Why the Bentley Drivers Club website appears on page one for this search I have no idea...)

 

If you're affected by this pharma hack, here's what to look for

A number of site owners that we contacted about this problem were kind enough to provide further information about what had been changed on their sites; in most cases it seemed to be changes to the .htaccess file. Common changes include redirects like this one:

RewriteRule ^.*$ /wp-includes/images/image.php [L,NC]  

where the image.php is a file that was added by the hackers. Another site had the following added to .htaccess (if you know how to read these files, you'll see that the planted code only works when the visitor is coming from Google, AOL or Yahoo):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/xyz/public_html/common.php -f
RewriteRule ^.*$ /common.php [L]
</IfModule>

Again, the final file (common.php) was planted.

One custom-built site running on PHP was attacked multiple times, with many blank lines inserted in the .htaccess file so that changes weren't obvious... they even started changing permissions on the site to make it more difficult for the site owner to fix things!
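A way to audit an .htaccess file for the two planted patterns quoted above and for the blank-line padding just described, as an added example that is not code from the original post or from any of the affected sites. The function name, the blank-run threshold and the sample file are assumptions made for illustration.

```python
import re

# RewriteCond keyed on a search engine's name in User-Agent or Referer.
ENGINE_COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+\S*(?:google|yahoo|aol)",
    re.I)
# RewriteRule that sends every request (^.*$) to a single PHP script.
CATCH_ALL = re.compile(r"^\s*RewriteRule\s+\^?\.\*\$?\s+(\S+\.php)\b", re.I)
ANY_RULE = re.compile(r"^\s*RewriteRule\b", re.I)
BLANK_RUN = 20  # assumed threshold for "padding" (not from the article)


def audit_htaccess(text):
    """Return (line_number, kind, detail) tuples for suspicious directives."""
    findings, blanks, engine_line = [], 0, None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            if blanks == BLANK_RUN:  # report once per run, at its first line
                findings.append((n - BLANK_RUN + 1, "padding", "long run of blank lines"))
            continue
        blanks = 0
        if ENGINE_COND.match(line) and engine_line is None:
            engine_line = n
        elif ANY_RULE.match(line):
            hit = CATCH_ALL.match(line)
            if hit:
                kind = "cloaked-catch-all" if engine_line else "catch-all"
                findings.append((n, kind, hit.group(1)))
            engine_line = None  # conditions only apply to the next rule
    return findings


# Constructed sample: the second planted block quoted in the article,
# pushed down the file by 25 blank lines as one site owner described.
SAMPLE = "# constructed sample\n" + "\n" * 25 + """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/xyz/public_html/common.php -f
RewriteRule ^.*$ /common.php [L]
</IfModule>
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_htaccess(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

Any PHP file a finding points to should then be compared against a known-good copy of the site, since in both cases above the rewrite target was a file the attackers had planted.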

Spot when your site has been compromised

It's easy: go to http://www.google.co.uk/alerts?hl=en and create an alert like this: site:yoursite.com ("pharmacy"|"cialis"|"viagra"|"xanax"|"levitra"), replacing yoursite.com with your own site's address.

By doing this, you'll get an alert email if and when your site is affected by this hack and can take steps to address it.

Further reading

Redleg's blog has some great information about this and other attacks. I recommend you read it if you'd like to find out more; in particular, this post has some great info on the pharmacy hack.

What do you think about this hack? Has your site been affected, or can you think of a good way to get site owners to take notice? Let us know in the comments.
