Bot Herders Use SEO for Massive Search Spam - Anatomy of an Automated Ambush
One of the first things that any SEO learns about optimizing a web site is the tremendous value that Google places on incoming links. Every link to a site from outside is treated like a "vote" for that site, saying that its content is relevant to the content of the linking site. That's an oversimplification, of course; Google looks at more than 50 factors in the algorithm it uses to decide a web site's position in the SERPs. But incoming links still wield quite a bit of influence, and that's the "Achilles heel" at which this attack was aimed.
Sunbelt said that its research team had been monitoring a particular bot network for several months. These compromised computers single-mindedly pursued the task of posting spam links and relevant keywords to online forums and in comments to blogs. The massive number of posts gave the malicious web sites a huge number of incoming links with the targeted keywords as anchor text. As a result, the malware-containing web sites achieved positions that were close to the top of the SERPs for their chosen search terms.
The hackers and bot herders weren't doing it just to be mean, however. Like those of us who do white hat SEO for our businesses, they're in it for the money. Sunbelt reported that the malware-serving pages contained an iFrame link that tried to infect systems with a nasty piece of code the security company refers to as "Scam.Iwin." Once infected, a vulnerable computer with Scam.Iwin generates false clicks for a pay-per-click affiliate program without the computer owner's knowledge or consent. You have to love it - malware, botnets, and click fraud, all rolled together. All we need to make it really complete is the Mafia.
While there is no word on the size of the botnet that planted the seeds for this attack, we do know that more than 40,000 sites hosted the malware in question. We also know that Scam.Iwin is used to load malware for other groups, such as the Russian Business Network (RBN), described by Computerworld as "a notorious malware and hacker hosting organization." Additionally, according to Sunbelt, most of the domains were Chinese-registered, hosted in the United States, and only a day or two old.
Google would not specifically confirm or deny that it cleaned its results, but Sunbelt noticed by late Wednesday (November 29) that most of the nasty sites seemed to have disappeared from the search engine's results. Nobody thinks this will be the last attack, however. In fact, Sunbelt reported that it is already seeing signs of another attack being prepared.
More By Terri Wells