Earlier this year an SEO link SPAMMER paid $15,000 for access to a very popular WordPress plugin with over 200,000 active installs, see my Display Widgets Plugin Review.
The SEO link SPAMMER added code to the Display Widgets plugin v2.6.* which gave them a backdoor into a WordPress sites database, basically the backdoor was used to create a dynamic Post on the sites with SEO link SPAM to payday loan companies etc…
Even though I posted about the malicious code (see link above) way back in mid-July (and another WordPress user also posted a WordPress trac ticket a few days after I wrote the above review), it took over a dozen emails to WordPress to final get WordPress to remove the malicious code from the plugin repository on September 8th 2017!
Unfortunately WordPress has been inept/incompetent in this matter and still haven’t pushed out a forced update to protect the tens of thousands of WordPress users they failed to protect.
I estimate 50,000 WordPress sites updated to the malicious plugin code before it was finally removed from the WordPress plugin repository in September!!! This will cost site owners their SEO rankings as Google finds the hacked sites and downgrades them! Every minute counts with cyber security, had WordPress forced out an upgrade on September 8th/9th (I sent them an updated file to use, they didn’t want it!) it would have protected some sites from being compromised. I’ve since released a Display Widgets Plugin Security Update and as you can see in the comments users are still being hacked!
Blackhat SEO Link SPAMMING
I’ve been working in SEO for over 15 years and have to admit my first steps into SEO (around the year 2000/2001) relied heavily on blackhat SEO link spamming techniques: nothing illegal- guestbook, forum and comment link SPAM which worked really well back then. I stopped using blackhat SEO link building techniques after my most important site was banned by Google (in 2001), but still try to keep up with the latest blackhat SEO techniques.
Last couple of days I’ve been researching cyber security and SEO link SPAM (not looked into it in great detail before) and found some interesting examples of hacked/compromised sites with SPAMMY SEO links.
A particularly good find is at least 300 webpages added to art.com which links out to Clickbank affiliate products: the links were live on September 23rd and based on research have been live since at least early July (over 2 months ago!) as I write this article.
Art.com Compromised with Clickbank Affiliate Link SPAM
Art.com is a multi-million dollar business, according to their Corporate About Page:
Having served more than 19 million customers in 150 countries, Art.com Inc. is the world’s largest online specialty retailer of high-quality wall art and complementary décor. The company was founded in 1998 with one goal – to help people find the art they love so they can love their spaces more. We’ve since increased our assortment to more than 2 million images and expanded who we serve to include national retail partners, museums, hotels, interior designers and more.
You would think they’d have decent cyber security, apparently not. This type of compromised page is relatively easy to find.
I won’t go into how I found this hack, I stumbled on a footprint blackhat SEO link SPAMMERS are leaving behind and if I post it here, the smart ones will adapt making it harder to find more hacked sites.
Checking art.com for Compromised WebPages
Check this Google site search: https://www.google.co.uk/search?q=site:https://www.art.com/+Clickbank
This searches the art.com site for pages with the word Clickbank, currently almost 300 pages indexed. This might not be all the compromised pages, this finds the ones that have mentioned Clickbank in the text (could be thousands more not linking to Clickbank products).
Slight SEO Tip Diversion
Anyone can perform this sort of check on their sites for obvious SEO link SPAM, searches for PayDay loans, Viagra and similar are going to stand out. For example this Google site search: https://www.google.co.uk/search?q=site:https://www.art.com/+PayDay lists 162 pages found, many of these pages are fine, but I see some comment link SPAM and one result led me to a gallery with hundreds of SPAMMY comments as far back as 2012.
The above is standard comment links SPAM added over a 5 year period, most of it will be automated and should be cleaned from the site: looks bad and Google might downgrade pages filled with SPAM.
Back to cyber security…
Opening the webpages with URL format: https://www.art.com/me/##########/ loads a webpage on art.com with an image link to a Clickbank affiliate product.
Clicking the links takes you to a Clickbank affiliate product: note the owner of the product is NOT responsible for these SPAMMY links, they haven’t done anything wrong. Clickbank is a legitimate business which allows products to be sold using affiliate marketing techniques. This is a Clickbank affiliate trying to make money by compromising sites like art.com with affiliate links.
View Source of the art.com compromised page shows a bitly short URL link (a way to make shorter links, but also used to semi-hide where a link goes).
As you can see in the screenshot above of the source code the Clickbank affiliate link is semi-hidden via a bitly link, you can also see the surrounding code is the normal art.com webpage code indicating the SEO link SPAMMER hasn’t hacked the art.com site per se, (they haven’t uploaded HTML webpages) but has presumably found an exploit in their membership system which allows them to add the above affiliate link code as part of the profile or something (will be stored in the database): I’m not an art.com member so no idea how their system works. Can guess whoever wrote the code behind the membership part of the site isn’t sanitizing the uploaded data allowing HTML code to be uploaded and output as HTML code (rookie mistake).
To track this further let’s see where the bitly link goes, take a bitly link http://bitly.com/2r4W4j1, and add view-source: like this view-source:http://bitly.com/2r4W4j1 and load that in a browser (Firefox/Chrome) to see where the link redirects to:
From this we have two important URLs, in the top browser bar a site that’s either owned or controlled (could be a hacked site) by the SEO link SPAMMER and where that page redirects to, which is a Clickbank affiliate Hop link.
From the Clickbank Hop link we can pull the Clickbank username: promotraf
The owner of the Clickbank account ‘promotraf’ is our SEO link SPAMMER and Clickbank presumably have the contact details and bank account details of our bad guy.
If you look through the compromised art.com pages and check the various bitly links you will find they redirect through multiple domains, but all the ones I tested used the same Clickbank account ‘promotraf’.
Looks like we have a prolific SEO link SPAMMER with a lot of sites.
SEO Promotion of Compromised Art.com WebPages
The link SPAMMER didn’t stop here, not much value having these pages on art.com without Google indexing and ranking them, so the link SPAMMER has been SPAMMING forums etc… with links to the art.com compromised webpages: they wouldn’t be indexed and potentially ranked in Google otherwise.
Indicates the link SPAMMER knows what they are doing SEO wise, a less sophisticated attack would stop at adding the compromised pages to art.com and hope Google would find them via the art.com membership system.
Going to the forums with the link SPAM (check the Googlecache, the forum owners delete most of it quickly) not only shows the links to the compromised webpages on art.com, but many other websites!
With minimal effort I’ve potentially tracked dozens of sites which have been hacked/compromised by the SEO link SPAMMER who owns the Clickbank account ‘promotraf’.