In the world of SEO, there are a number of threats to be aware of as you grow. There are all the missteps you can make to get on the bad side of the search engines. There are all of the ways you can be undercut or damaged by SEO practitioners using bad techniques. There are ways competitors and malicious users can target your business with detrimental SEO effects. Then there are the more insidious threats, like SEO poisoning.
SEO poisoning is a complex attack used by black hat hackers and malware servers. It works in several steps, starting with the Google search results and ending with an infected user.
1. The attack begins with a black hat hacker creating a website targeting a popular keyword. Around holidays, for example, holiday-related keywords tend to be involved. The hacker will use many black hat techniques, including link pyramids and private blog networks, to rank their gateway site. This site looks almost legitimate to the untrained eye, which is the target of the attack.
2. A user is attracted to the high-ranking website result and clicks on the link to the page. Scripts kick into action and determine whether the user is a search crawler bot or a real person. Search bots are directed one way; real users are directed another.
3. Real users are then redirected through several layers, typically to other compromised websites. These sites poke at the user’s Internet security, looking for holes they can use to serve up a virus or malware program. Each step of the way, the user is under attack, while it looks like a page is loading.
4. If a vulnerability is found, the user is infected with malicious code, one of many viruses or malware apps that can steal personal information, hold data hostage for ransom or simply damage a computer.
Why is this an issue for webmasters? The problem is that first step. Sometimes, the hacker doesn’t want to take the time to rank a site of their own, either through a lack of time or resources. Instead of ranking their own site, they choose to infect yours. This is an ever-increasing threat; black hat hackers are having a harder and harder time ranking their own sites. Conversely, it’s growing easier and easier for them to compromise existing sites, particularly mid-range sites with little emphasis on security but a reasonably high ranking.
As a webmaster, you may be the victim of SEO poisoning. It’s hard to tell when you may be compromised, due to the nature of the attacks. Typically, your first warning sign will be when your search ranking begins to drop, particularly for keywords you historically perform well in. You visit your site, but you see nothing out of the ordinary. Yet Google informs you that your site has been compromised. What’s going on?
What’s happening, typically, is that the hacker has compromised your site. Rather than steal data and leave, they install malicious code. This code does a few things. It serves up a different version of your page to users than it does to the search engines. This makes the search engines wary, and they start to derank you. For users, it begins to implement traffic redirects. These redirects start the chain listed above, forcing users to go through a series of scareware portals and redirects through exploit downloads, prodding at their security and attempting to infect them with viruses.
One way you can test is to use Google’s “fetch as Googlebot” feature. This will load your site as though you are the Googlebot user agent, which should trigger scripts designed to present a different version of your site to Google. If your site looks different or behaves differently, you may be infected.
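A rough local version of the same comparison, added here as an example and not part of Google's tooling: it compares what a page returns to a crawler user agent with what it returns to a browser, and reports differences in status, redirect target and outside hosts. The user-agent strings, function names and sample captures are assumptions made for this example.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report 3xx responses instead of following them

def fetch(url, user_agent, referer=None):
    """Return (status, Location header, body) for one request."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    request = urllib.request.Request(url, headers=headers)
    try:
        response = urllib.request.build_opener(NoRedirect).open(request, timeout=15)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        response = err
    body = response.read().decode("utf-8", "replace")
    return response.getcode(), response.headers.get("Location"), body

def external_hosts(body, own_host):
    """Hosts in src/href attributes that are outside the site's own domain."""
    urls = re.findall(r"(?:src|href)\s*=\s*[\"'](https?://[^\"']+)", body, re.I)
    hosts = {urlparse(u).hostname for u in urls}
    return {h for h in hosts if h and h != own_host and not h.endswith("." + own_host)}

def compare(own_host, crawler, visitor):
    """Compare two (status, location, body) captures; return a list of findings."""
    findings = []
    if crawler[0] != visitor[0]:
        findings.append(f"status: crawler={crawler[0]} visitor={visitor[0]}")
    if crawler[1] != visitor[1]:
        findings.append(f"redirect: crawler={crawler[1]} visitor={visitor[1]}")
    seen_c = external_hosts(crawler[2], own_host)
    seen_v = external_hosts(visitor[2], own_host)
    findings += [f"host only served to crawler: {h}" for h in sorted(seen_c - seen_v)]
    findings += [f"host only served to visitor: {h}" for h in sorted(seen_v - seen_c)]
    return findings

# Constructed captures (not from a real site): same page as seen by each client.
SAMPLE_CRAWLER = (200, None, '<a href="https://example.com/a">A</a>'
                             '<a href="https://spam.example.net/x">x</a>')
SAMPLE_VISITOR = (302, "https://redirect.example.org/landing", "")
```

For a live check on your own site, pass `fetch(url, CRAWLER_UA)` and `fetch(url, BROWSER_UA, referer)` to `compare`. A request from your own machine only exposes cloaking keyed on request headers; code that keys on the crawler's IP address will not react to it.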
Once you have discovered your site’s infection, you can take steps to clean it out. You will need to follow Google’s infection recovery guide, as well as any other specific guides you can find. Essentially, any file on your server that hosts a script or a webpage may be filled with malicious code. You will need to uncover and fix those files. In some cases, you can clean out a few files and restore the functionality of your site. In other cases, you may need to wipe your site and restore a backup.
One example is the header.php file found in many software installations. This can be edited by a hacker to include scripts to redirect search bots and users in different directions.
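To narrow down which files to inspect, the added example below (not from Google's guide or any CMS) walks a site directory and flags files that both inspect the visitor and issue a redirect, which is the pattern described for a tampered header.php. The signal patterns, function names and the two sample files are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Heuristic signals chosen for this example; not a complete signature set.
SIGNALS = {
    "reads_visitor": re.compile(r"HTTP_USER_AGENT|HTTP_REFERER", re.I),
    "names_crawler": re.compile(r"googlebot|bingbot|crawler|spider", re.I),
    "redirects": re.compile(
        r"header\s*\(\s*['\"]Location:|window\.location|http-equiv\s*=\s*['\"]?refresh", re.I),
}

def scan_file(path):
    """Map each signal name to the line numbers where it appears in one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        for name, pattern in SIGNALS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(number)
    return hits

def is_suspicious(hits):
    """Flag files that both inspect who is visiting and issue a redirect."""
    return "redirects" in hits and ("reads_visitor" in hits or "names_crawler" in hits)

def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Return {relative path: hits} for every suspicious file under root."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_file(path)
            if is_suspicious(hits):
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed theme directory: a tampered header.php, a clean footer.php."""
    tampered = ("<?php\n$ua = $_SERVER['HTTP_USER_AGENT'];\n"
                "if (stripos($ua, 'googlebot') === false) {\n"
                "    header('Location: https://redirect.example.org/');\n}\n?>\n"
                "<header>Site</header>\n")
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "header.php").write_text(tampered, encoding="utf-8")
        Path(tmp, "footer.php").write_text("<footer>Site</footer>\n", encoding="utf-8")
        return scan_tree(tmp)
```

Legitimate code can also read the user agent and redirect, so treat each hit as a file to review against a known-good copy rather than as proof of infection.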
Cleaning out the infection is worth a post of its own, though Google has covered it well enough under their recovery from malicious infection answers. From there, you need to protect yourself against a returning hacker.
The hacker was able to get into your site somehow. The question is, how? They either compromised your user information or they made use of an exploit in your site. If you’re using WordPress and have old, out-of-date plugins, that can be one vector for attack. If you have an insecure login – such as using a default name and password – you’re at risk. Any piece of infrastructure, on your site or on your server, can be a vector for infection if it’s out of date. Always apply security patches whenever they appear.
Education is the best option. Inform your users of the compromise to your site and educate them about the threats. Tell them that if they were redirected away from your site, they may need to scan their computer for signs of a virus or malware infection. Encourage them to update their virus protection.