Hackers stealing your PageRank

Posted on 7 December 2008 at 23:44 UTC, filed under Hack, disclaimer

The last time I wrote about a hacked site, it was using a redirect that sent some users to a different site. This kind of hack is pretty common (even though it’s usually not as complex as mentioned in that post), it leverages the sad fact that users are often easy to trick and not browsing with protection (or a current browser).

A different angle of attack is to redirect only search engine crawlers to a different site. By doing this, they can make it look like the pages of a website moved to a new domain name. In general, when search engines find redirects like that, they will more or less pass the “value” that a page had on to the new URL — that generally also applies to PageRank. So in a sense, they are trying to steal the value that a webmaster has built up over time.

In this particular case, a “massive amount” of sites were hacked and likely redirected through suomi.co.in.

The webmaster generally doesn’t notice this kind of hack because there’s nothing that would alert him to a problem. Only search engine crawlers would get redirected, normal users (including the webmaster) would see the page normally.

The first symptom that you would see is hard to interpret: URLs from the website are just not indexed anymore. URLs not being indexed is something that could happen because of any number of reasons, so how do we find out more?

One of the first things I like to do in a case like this is to access the site with a search engine crawler’s user agent. This gives you a rough look at how the website reacts to a search engine crawler (although it’s not complete, it’s often pretty close). There are two relatively easy ways to do this:

  1. Use an online tool such as Web-Sniffer. It’s pretty easy to use and is somewhat close to an actual crawler.
  2. Use FireFox with the User Agent Switcher plugin. If you use this plugin, you’ll have to add the user agent yourself. I usually use the current Googlebot user agent string:

    Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

    Note: if you use Firefox for this, make sure that your Firefox installation is up to date and locked down properly in case you run into a site serving malware like this. Sometimes it even makes sense to use a virtual machine for this.

  3. (I wish there were a half-“li” :) ) There’s also “wget”, which is easy for those of you who prefer use console tools. I usually use the above user agent string with wget.

If you access the site using one of these tools, you’ll often be able to spot these redirects (or other issues that a site might be having with regards to being accessed by search engine crawlers). It’s rare that someone uses cloaking by IP address for things like this. In a recent thread in the Webmaster Help forums, “webado” spotted the redirect using Web-Sniffer.

In this particular case, the URL was redirected to http://suomi.co.in/ , from where it was redirected to a page that they wanted to promote with the original site’s “value”. I’ve seen the same kind of redirect going through http://ahtung.co.in/.

The webmaster responded with a note from his hoster in the thread:

Note from my host server (support @ hostgator.com)
I have removed the file “.htaccess” from the directory /home/aceuropa which was causing the redirect. The logs show a massive amount of .htaccess files being edited over the last couple of days. I would highly suggest changing your password to something more secure. Please let us know if you have any further questions or concerns.

(It’s great to see a hoster act so quickly!)

There’s another way to spot this kind of hack with Google Webmaster Tools: When you submit a Sitemap file, Google will show warnings for URLs that redirect. By design, you should be listing the final URL in your Sitemap file, so if the URL is redirecting for our crawlers (as in this case), we’ll show a warning in your account.

There are 11 trackback pings to this post.
  1. […] Rank Theft JohnMu.com reports how hackers are stealing page rank. It’s common for hackers to redirect users to a […]

  2. […] Head on over and take a look at his article about PageRank. Like this article? Receive free updates from Google Inside via RSS. Tags:John Mueller, pagerank […]

  3. […] sehr aktuelles Hacking-Thema hat der Schweizer Analyst John Müller vor einigen Tagen hingewiesen: Page-Rank-Diebstahl. Der Trick ist so einfach wie perfide: Hacker verschaffen sich über einen der zahllosen bekannten […]

  4. […] Hackers stealing your PageRank […]

  5. […] Wie Hacker Dir den Pagerank stehlen – von Googler JohnMu […]

  6. […] Make it look like the pages of a website moved to a new domain name. In this case, search engines will more or less pass the “value” of a page on to the new URL. […]

  7. […] Перевод статьи Hackers stealing your PageRank […]

  8. […] this was a common hack and it is not unknown.  I found a couple of interesting articles on it here and […]

  9. […] urge you to read JohnMu’s entire article. He’s offering a lot of help […]

  10. […] 以上两端代码都会导致将google爬虫的请求重定向到ahtung.co.in。删除前面两端代码,google爬虫的请求就会正常了。(至于,为什么有人会转发google爬虫的请求?参考这里) […]

  11. […] by John Mueller which talks about getting your pagerank jacked from you! The post is titled, “Hackers stealing your PageRank,” and its something we should be concerned with and at least check…NOW! I never gave […]

There are 35 comments to this post.
  1. Who knew hackers would start targeting search engine bots?

    Here we are in 2008 (on the verge of 2009) and search engines are becoming more and more important to everyday business. It makes me wonder if businesses will start hiring “hackers” to help with SEO and SEM efforts?

  2. Ah, that’s just plain nasty. :(

    I’ve had .htaccess hacks where all traffic was redirected, and even just search engine referrer traffic. At least I was able to spot those quickly because of the effect on the site so it was visibly hacked.

    Those hidden link hacks – and now a hack just targeting crawlers, are a particularly vicious and nasty peice of work – thanks for the heads up, John, especially for the fix on how to spot more easily.

  3. This is scary, thanks very much for the warning and useful information.

  4. Thank You john for such great info. I always am scared about this hacking stuff and recently one of my site’s PR dropped. I have asked for help in the new google forum. I hope someone will take a look at my site. I am just worried if my site is hacked too?

    i tried to find out via seeing source code and I see nothing.

  5. That is truly scary. I haven’t witnessed such an attack personally but at least now I’ll know to be aware of them.

  6. Sites were hacked. That’s it

  7. Yeah it’s interesting stuff, and the first I’ve heard about it too so thanks for enlightening me about this potential risk

    Although, my security to any of my sites would still be just as stringent

  8. This is the first time I’ve heard of hackers doing this sort of thing, what scares me the most is that this could be happening to your site and you would be unaware of it. Nice tip about using Google webmaster tools sitemap to identify potential problems.

  9. this information useful for every one. Be careful …Hack is not dead.

  10. Great info!!! Now I understand what was going on in some cases. Good, great job and really thanks for this great info

  11. In case the redirect is really tricky and IP based (instead of user agent) you can try and use some of Googles Tools (like the translation) to view the page through a Google IP.

  12. Thanks for the useful information and tips… Yep, quite frankly, it’s getting scary out there! It was great to have met you at the SMX London last November. Hope you have a excellent year 2009!!!!

  13. Excellent blog and article John, thanks!

  14. John,

    Great post and thanks for bringing it to the attention of the masses. Is this something that you see often or is it few are far between?

  15. Hi John,

    Great post!

    I’ve recently investigated similar issue with Googlebot redirection to malware sites. Hackers redirected crawlers to “bablo. me. uk”, which in turn redirected to various sites located on the same server. The only thing those sites do is serving trojans.

    While I had doubts that this black hat SEO campaign would work, it appeared that those crappy sites managed to hijack top positions in Google’s search results. See this post of the owner of a hacked site. You can also see a screenshot of Google search results at the bottom of my post (I made it in case search results change by the time you check them).

    I reported those sites to Google both as badware sites and as spam search results. But they are still not listed as “harmful”. Now that I see them on the top position of Google search results, I decided to let you know about the issue. Now they can infect unsuspecting searchers.

    Maybe you can let right people in Google know about the malicious sites that game Googlebot. They are all on the same server (IP: 64 27 5 44) and should be pretty easy to ban/blacklist.

    If you need more information, there is a contact form on my blog. Or twitter me @unmaskparasites

    Thanks

  16. Is that real ? :-() Thanks for warning.

  17. Hi John, I have a question or suggestion for a new blog post. Can you tell me exactly what goes on behind the scene after a reinclude request is submitted. Are they reviewed by humans, etc? I would love to know this. Thanks!

    P.S. How come the spam protection above filled itself in? I didn’t have to do it. Is this a bug?

  18. there is one way to redirect.
    window.location = “http://www.iexplorehere.com”

  19. There seems to be one way of steering clear of problems like this one, that is staying clued up by reading informative bogs like this one, thanks for sharing.

  20. When I deleted the code from htaccess. My entire site went into a 404 error. Cannot access any pages. Something else is going on as well…

  21. Wow, I didn’t realise that hacks like this were being used, very devious. Thanks for opening my eyes and pointing out what to look out for on my own website, some very useful information.

  22. Very good article that once you make it very useful for me. Nice to meet you.

  23. As a relative novice to the internet and still learning the ins and outs of websites i did not realise this was possible so thanks for info and another bit of knowledge added to my head and one that i will definitely remember.

  24. Hiyas

    I have the same problem at site http://www.arizona-bowling.com , but after deleting the code responsible for redirecting in .htaccess file the problem was not solved. Can you help with that?

  25. this is happening a lot to my sites. I really hate it!!! My raking keeps fluctuating and i am sure it is because of hackers doing the same darn thing. It makes me mad because i work hard to keep my sites in tip-top-shape and good rankings. I will be looking deeply into this and make some changes to my sites and the way people interact.

  26. I have this problem for sometime now and my blog http://what-what.net/ gets deindexed every now and bookmarked this,will see if this could be the one of many reasons.
    thnx for your tips

  27. Hmmmmmmm…ya its really a cool stuff and interesting too….and also thanks for telling the potential risk of malware

  28. Hey,
    interesting post, however i was wondering.. what if you DO get hacked and something like this happens to your website?

    i mean: does google detect this and just freeze your pagerank until you have solved this?

    would like to have an awnser on it :)

  29. I didnt know about such type of hacks. Thanks for the information. Rally very thankful to you

  30. Thank you for this useful post. I have bookmarked web sniffer. It is something I will definetly keep a watching eye on. I have heard about banks being targeted but its a needed reminder so that one doesnt get caught out!

  31. I didn’t know they could do that.. that problem explains why mysite dropped like a hot potato

  32. good article.

    but actually this hack is too easy notice.

    more harder to find if they integrate a javascript to your pages that will run when someone opens your site.

  33. Thanks for the insight into this over looked problem. After reading the post i checked my site with the user agent add-on on Firefox and was revealed to know that i am safe yet. i will keep looking into this problem in future also.

  34. Thanks John. Geesh, it’s hard enough for most folks just to get a decent site up, develop good web content, and get it in front of the right audiences. Worrying about hackers, pagerank theives, and the rest is just overwhelming.

    Luckily, we have folks like you holding our hands. Thanks.

  35. Great post John, really useful advice as ever. I was just wondering, are you going to be writing any more posts and updating the blog anytime soon?

Feel free to leave a reply to this posting.

Warning! Your comment will be lost if you mistype the spam-test or forget to enter your name or e-mail-address. Copy your comment to the clipboard to be sure.

You may use these tags within your reply: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>