Look Google, No Links – Or a Recipe for a Major Disaster

I know quite a few people who read this blog are involved in gambling, either as operators or as affiliates. So here’s a question: name the largest gambling affiliate site as of today?

Good try everyone. Now the surprising bit. Whoever named anything other than “verified casinos dot com” is wrong. But how come you say, it’s not even ranking anywhere in any meaningful gambling SERPs, not even for the longest of the long tails?

Indeed it doesn’t, and never seems to have been:

Screen Shot 2014-09-10 at 16.12.18 Screen Shot 2014-09-10 at 16.12.05

Neither does it have a lot of links in comparison to any other spam effort in the gambling vertical:

Then why does it matter at all, you may ask me and why even talk about it?

Thing is, last night I got a heads up about this thread at the GPWA forum alerting the gambling community about a hacker going loose on millions a large number of domains, hacking them and basically placing his landing pages targeting any imaginable gambling keyword out there.

 

8.5 million results just for one query – impressive or what?

Now, while hacking sites for the sake of creating parasites is nothing new (sadly), what does seem noteworthy about this specific case is not only the sheer volume (the OP claims millions of domains, it’s not really millions of domains as there will likely be multiple URLs off the same hacked domains ranking for different queries or even multiple times for the same query – but that’s beside the point, the volume is still greater than I have ever seen before). Several other things also stand out:

  • This is the highest quality, most technically advanced and most authentic looking landing page I have ever seen existing as a parasite – so the conversion rates will probably be quite high for these pages once they rank and get traffic;
  • This is the kind of spam that cannot be detected by any existing link tools – infact what MajesticSEO does detect for this particular domain is a small portion of redirects from the parasites to the “parent” domain where the hacker sends the traffic to further send it to the affiliate programs:

It’s a setup that’s quite difficult for the affiliate programs to identify as hacking, even if they wanted to take measures. Technically, this is how it’s all set up: click any link on the parasite page and you’ll be sent to a corresponding page on verifiedcasinos.com from where you will be redirected to the actual casino via an affiliate link. But on the parasite page, all you see in the source code is a relative link within the current domain:

If you look at the page head, however, you will see a large script setting verified casinos.com as the base URL via loads of conditional clauses and the like.

We have already seen that these redirects are hardly visible for MajesticSEO, to give you yet another idea of how stealthy this is, neither Google nor NerdyData (a code search engine) return any results for searching for any bit of this code or the code in its entirety (well, Google has never been particularly good for searching for code snippets).

The only clue that identifies the magnitude of the issue is the URL structure – and yes, there are multiple parasite pages on hacked domains:

 

The hacker does not seem to spam links to the hacked pages at the moment – it is difficult to say whether he intended to or he was just hoping for some of these pages to rank on their own due to the domain authority. Hence, identifying a hacked domain by its external links is not viable in this case.

One important point: all hacked sites are using WordPress. I have not checked the version beyond the first few, and I have no idea if WordPress 4.0 takes care of whatever vulnerability the hacker is using as their release page says nothing about security issues, but it might be worth updating to the latest version, as usual in such cases. However, WordPress being one of the most popular platforms on the web, makes it a prime target for hackers and these are just a few vulnerabilities discovered over the last couple months:

If this is any similar to the code inserted by a hacker I have recently been looking into, the code is likely to be inserted into each and every PHP file on the server so when fixing the damage on a hacked domain, each and every file should be cleaned, and because of different random variables and other elements in the code it might not be able to find it all by a simple search. Anyway, if you need help cleaning up your domain or suspect you might have been hacked and want to check it for sure, feel free to get in touch.

As to the original poster’s complaints to Google and the domain registrar, they would hardly have any effect because, as shown above, nothing malicious is actually happening on the hacker’s own domain. Even if Google were concerned with the issue and wanted to do something about it, what can they really do? set up a team of researchers to go after every single hacked domain and remove the hacked pages from the index? I highly doubt they will ever do anything of the sort. None of the recent updates (I’m talking about the last 2 years) has addressed the issue of sites getting hacked, but each and every one of them has been pushing certain individuals in the direction of hacking sites and getting traffic via parasites.

Google has started the war on links, and this is the result it brought about: something much worse than spammy links. This is worse than blackhat SEO, this is actually a criminal activity, hacking into the property of others and modifying their sites without their knowledge and consent. Google wanted to police the links, now who will police this? Apparently not Google.

  • This is mind boggling in terms of the potential for this type of hack.

  • Nick Garner

    well discovered and researched irish

  • Bertje

    Quick check on “?p=online-casinos” query now only delivers 300k results for me. Seems action is being taken, probably by G. (Normally site owners don’t know how to clean up that fast, or even realize that their site’s been hacked in the first place) It’s an impressive hack though. As usual, the hacker got greedy and that’s what outed him/her. Could have been so much more profitable if kept below the radar…

    • Agreed re: site owners and the hacker getting greedy. Just checked again and seems like that must have been a temporary glitch – 11 million results for “?p=online-casino” and still 8,220,000 for “?p=online-casinos”. This post has been on Hacker News (https://news.ycombinator.com/item?id=8299461 ) so hopefully it gained it enough exposure for some action to be taken on Google’s part – however it seems that fixing this issue is not so easy.

      • Checked again now and both queries indeed have respectively around 400k and 300k results now – so hopefully Google are indeed sorting the problem out

  • Two points.

    First, the numbers returned by Google as “hit counts” are imaginary, non-existent counts of fluffy invisible things in the air. If Google tells you there are “2,000,000 results” for a query what it’s really saying is “the system has no idea of how many hits were found, so here is a number”. This problem has been confirmed by numerous Googlers for years and they have never indicated any intention on Google’s part to fix it.

    Second, they HAVE gone after some widespread hacks in the past two years. They have a dedicated sub-team that just deals with hacking. Whether they are dealing with this issue is anyone’s guess.

    Still, it’s an interesting case study. Kudos to you for bringing this problem to people’s attention.

    Upgrading to WordPress 4.0, btw, will NOT fix a hack-friendly vulnerability, although replacing all the PHP files with new code should take care of the symptom. But many people have reported plugin failures over the past week after upgrading to WordPress 4.0.

    It would be better for people to take measures to prevent their sites from being hacked.

    • Thanks for stopping by Michael. I am fully aware of the result count being a very rough approximation – often it gets to where you see one number on page 1 of the results and another on the next page. This, however, does seem to be one of the biggest issues ever with hacked parasite pages.

      As for the vulnerabilities, I would not be surprised at all if this has something to do with any of the plugins used by those sites and not the actual WP – see the screenshot of current vulnerabilities in the post above and take your pick which one is to blame for this particular case.

      It is however up to the site owners to take care of their own security, as always. Now if we could only educate the general public enough about security audits being a worthwhile investment!

      • It may be a big issue, I don’t doubt that, but people need to stop quoting those imaginary numbers in their case studies. It devalues the case studies and only serves to perpetuate the myth of the “number of results”.

        Website security is indeed an arms race that calls for a lot of continual work. That is what makes it cost-prohibitive. And I have looked at some of the security plugins available for WordPress. ICK. I can’t imagine what inexperienced users do with those things but it can’t be good.

        I shared your article on a gambling forum. Ironically, I was contacted yesterday by someone offering links on 350 gambling sites (for a non-gambling site). I have no idea of whether that was your guy or not.

      • Guest

        As of today, I HAVE the guy. All of his details, and, confirmed by a third party who knows him.

      • Erik van der Geest

        Hi,could you tell me his details also? he hacked 30+ websites of mine

  • antihacker

    Hello, Thank you for the attention. I’ve been fighting this person for weeks, please have a look at the thread I’ve created: http://www.gpwa.org/forum/urgent-all-affiliate-programs-ban-verifiedcasinos-com-serious-hacking-proof-219035

    I’ve also repeatedly reported this to Google, hosting companies, domain registrars etc. So far, not ONE result nor response.

    I am very pleased to read your post. The more attention it can get, the more chances there are that my efforts will pay off.

    Please be aware that this is a hacker who promotes gambling sites, yet, not all affiliates are like him. This person is rotten.

    We have reported him to affiliate programs etc, to get him banned, so far, most programs have not taken action.

    Please visit the above link and read more about my findings, and those of my colleague affiliates. We are fed up and want him gone.

    Thank you very much.

    Antihacker

  • Guest

    Hi,
    I have all his personal details. Skype name, address, phone number, photo, the lot. Expect him to go down soon. How soon? As soon as law enforcement takes him down.
    Thanks

    • Erik van der Geest

      Hi,could you tell me what his details and name are? he hacked over 30 sites of me

  • antihacker

    Hi, I am the OP of that thread. As from today: I’ve got all the hacker’s personal details. Let’s see how he deals with what’s coming to him. In costa rica (where he lives), up to 6 years in jail for all of this.

    Thank you for your time and effort posting about this, I appreciate it.

    PS: And yeah, perhaps not millions, but a whole load. Too many. As a matter of fact, there are new ones ‘being born’ as we speak. Check the Google search tools, select last 24 hours, and you’ll see. Again, thanks for the attention.

    • Erik van der Geest

      Hello,can you tell me who this guy is ? he hacked over 30 websites of me and love to know who he is.
      And why dont you publish his details online for all to see?

  • Jonathan
  • Jonathan

    Very curious how much money this guy is pulling in. $1 million? $10 million? more? less? What is your guess?

  • Guest

    Is this the same outfit? Seen a few like this popping up recently: whc2014(dot)org(dot)uk/casino/ call themselves luckycasinoslist(dot)com

    • Thank you so much for spotting that, I know the people who run the WHC… it’s a charity. I’ll let them know.

      • If they need help cleaning it up please tell them to feel free to contact me

      • They have a number of sites on different domains, and might well be looking for someone to provide a web security check across them to ensure none of the other sites suffer similar.

    • same people or not but seems like same principle