One of the constantly recurring themes for luring victims to a rogue antispy is that the DataSnatchers pick a big news story and hang the rogue off it.
What they do is this. Typically, they find some innocent but poorly defended website, and upload lots of content about the particular news story. This is what the Googlebot sees…
But if you visit the site with a Google referrer, in other words, just as a user would after doing a Google search on the Samoan Tsunami, you are redirected to a page just like this…
Attentive readers of this blog will recognize that type of screen, and will know that the familiar fake scan follows immediately, whether you say ok _or_ cancel, but here's the interesting bit… If you look at the first page of search results from Google, you see this screen… (I've obscured some of the URLs to protect both the innocent and the unwary… remember, most of these websites are hacked, but otherwise innocent), and it turns out that five of the top ten are hacked!!! _Five_ of the top _ten_!
The _really_ impressive bit is that the first news reports of the tsunami hit my inbox at about 4pm EST on the 29th, and we started noticing the Google hits by about 7pm on the 30th! Just a little over 24 hours later!!
Not only five of the top ten, but they got above The Guardian, at number 20…
And even above none other than CNN, at about number 35!!!
Saying that another way, they were able to drive nothing-level websites higher than both The Guardian and CNN in less than 24 hours from a flat start!!!
Not only that, but they do it two or three times a week… every time there’s a big news event, these guys take advantage of it. That’s really impressive! These guys are _good_.
Now, to their credit, Google removes these guys from their indexes as soon as they find them, but they’re back somewhere else within a day or two. This is why blacklisting is an exercise in futility…everything moves around too fast. The only way to approach it is via real-time code analysis, like LinkScanner does.
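The behaviour described above (one page for the Googlebot, a redirect for anyone arriving from a Google search) can be checked at visit time by comparing what the same URL returns to each kind of request. The following Python is an added example, not from the original post and not LinkScanner's code; the hosts, the captured responses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Client-side redirects that a status-code check alone would miss.
CLIENT_REDIRECT = re.compile(
    r"""(?:location(?:\.href)?\s*=|location\.replace\()\s*["']([^"']+)["']"""
    r"""|<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""",
    re.IGNORECASE,
)

def redirect_target(url, resp):
    """Return the absolute URL a captured response sends the visitor to, or None."""
    headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    if resp["status"] in REDIRECT_CODES and "location" in headers:
        return urljoin(url, headers["location"])
    m = CLIENT_REDIRECT.search(resp.get("body", ""))
    return urljoin(url, m.group(1) or m.group(2)) if m else None

def cloaking_verdict(url, as_crawler, via_search):
    """Compare the crawler's view of a URL with the search-referred visitor's view."""
    site = urlsplit(url).hostname
    def offsite(resp):
        target = redirect_target(url, resp)
        return target if target and urlsplit(target).hostname != site else None
    crawler_dest, visitor_dest = offsite(as_crawler), offsite(via_search)
    # Pattern from the post: the crawler stays on the page, the searcher is sent away.
    cloaked = visitor_dest is not None and crawler_dest is None
    return {"cloaked": cloaked, "redirects_to": visitor_dest if cloaked else None}

# Constructed captures for a hypothetical hacked page (not real hosts or traffic).
URL = "http://hacked-site.example/news/tsunami.html"
NEWS = {"status": 200, "headers": {}, "body": "<html>Tsunami news text</html>"}
HTTP_302 = {"status": 302, "headers": {"Location": "http://fake-scan.example/scan"}, "body": ""}
JS_HOP = {"status": 200, "headers": {},
          "body": "<script>window.location='http://fake-scan.example/scan'</script>"}

if __name__ == "__main__":
    for name, visit in (("302", HTTP_302), ("script", JS_HOP), ("clean", NEWS)):
        print(name, cloaking_verdict(URL, NEWS, visit))
```

A site that sends every visitor off-site, crawler included, is not flagged here, since that is an ordinary redirect rather than the two-faced behaviour the post describes.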
And this is just one gang/group selling rogue antispy, and there are _lots_ of gangs, each with a different m.o. It's no wonder that rogues are by far the most common thing that we see every day, from all over.
It’s a wonderful and entertaining web out there… but deadly dangerous!
Keep safe folks,
Roger

Fantastic information hub for sure. I've been researching and working on this topic for a long time now. This helps fabulously. Thanks!
Posted by: jacob | November 07, 2009 at 09:46 PM