Hackers Forcing Sites to Cloak Search Engines with Link Spam

Everett Sizemore
David Jones from PR Works is probably wondering why he gets no love from Google. Maybe he even did a site: search on the Big G and discovered that his site has been banned. If so, he’s probably wondering why.

I don’t know Mr. Jones. He seems like a nice enough guy with some smart things to say about PR in Canada. I hope he finds this article and sorts out this rather nasty situation he has. If not, at least we can use it as a learning tool later on in this article.

Let’s pretend I do SEO for Twitter and am trying to talk management into letting me nofollow the profile links. Management says “NO, we’ve checked hundreds of profile links and none of them were spammy” so I do what any logical SEO would do and perform a linkfromdomain search on MSN so I can prove that, indeed, there are over 2,000 links FROM Twitter pointing TO pages about Viagra.

But then management comes back to me and says that the information is wrong.

They checked the results and didn’t see anything about Viagra on those pages.

I then do the next logical thing, which would be looking in the source code for hidden text, such as off-page positioning with CSS, hidden divs, or the classic white text on a white background trick. Perhaps I find my proof: . Poor Matt Selznick. Maybe his site got hacked months ago and he still doesn’t know about it. Either way, someone is doing the dirty on Mr. Selznick.

But let’s say you check the source code and DON’T find anything about Viagra. What next? Go back to that MSN search. Now click on the result that says You know, the one with the description that has Viagra in bold a half-dozen times. View source. Search for Viagra. Don’t see anything?

Ahh, now we’re getting somewhere. Maybe this is where Mr. Jones stopped when trying to find out why he was banned on Google. He should have kept going…

What do you think is going on here?

If you said “cloaking” give yourself a pat on the back. How do you know this? Simply click on the “Cached page” link in that search result and view the source code there.

Although you won’t see the text on the page, you can clearly see in the source of the cached result that MSN has indexed a whole slew of invisible Viagra links.

If your name is David Jones and you are reading this, congratulations – now you know why your site is banned on Google. Get rid of the offending links and cloaking, update your WordPress to the current version, use best practices to protect your WP installation, verify your site in Google Webmaster Tools – if you haven’t already – and submit a reinclusion request. Let them know what has happened and how you’ve fixed it.

What if the page doesn’t have a cached link in the search results? In that case, check your source code on the actual site. Do you have a nocache meta tag? If so, take it off. If not, maybe the cloaked version of the page does. In fact, I’d say that it is very likely.
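The comparison described above, as an added example that is not part of the original article: a Python sketch that diffs the links in the page as a browser receives it against the copy a search engine indexed (for instance, the source saved from the “Cached page” link), and also flags links inside inline-hidden elements and a cache-suppressing robots meta tag. The sample HTML, the `.example` domains and the names `LinkAudit` and `audit` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline-style tricks the article names: hidden elements and off-page positioning.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                        r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "meta", "link", "input", "hr"}  # tags with no end tag

class LinkAudit(HTMLParser):
    """Collect links, links under inline-hidden elements, and robots directives."""
    def __init__(self):
        super().__init__()
        self.links, self.hidden_links, self.robots = set(), set(), set()
        self._stack = []  # per open element: is it, or an ancestor, hidden?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            content = a.get("content") or ""
            self.robots |= {d.strip().lower() for d in content.split(",")}
        inherited = bool(self._stack) and self._stack[-1]
        hidden = bool(HIDDEN_CSS.search(a.get("style") or "")) or inherited
        if tag == "a" and a.get("href"):
            self.links.add(a["href"])
            if hidden:
                self.hidden_links.add(a["href"])
        if tag not in VOID:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack:
            self._stack.pop()

def audit(browser_html, crawler_html):
    b, c = LinkAudit(), LinkAudit()
    b.feed(browser_html)
    c.feed(crawler_html)
    return {"cloaked_links": sorted(c.links - b.links),  # only the crawler saw these
            "hidden_links": sorted(b.hidden_links | c.hidden_links),
            "cache_suppressed": bool(c.robots & {"noarchive", "nocache"})}

# Constructed sample pages (not taken from any real site).
BROWSER_VIEW = """<html><body><p>Post <a href="http://partner.example/">partner</a></p>
<div style="position:absolute; left:-9999px"><a href="http://pills.example/a">x</a></div>
</body></html>"""
CRAWLER_VIEW = """<html><head><meta name="robots" content="index, nocache"></head>
<body><p>Post <a href="http://partner.example/">partner</a></p>
<div style="position:absolute; left:-9999px"><a href="http://pills.example/a">x</a></div>
<a href="http://campus.example/wp-includes/b.php">cheap pills</a></body></html>"""

if __name__ == "__main__":
    print(audit(BROWSER_VIEW, CRAWLER_VIEW))
```

The check only reads inline `style` attributes and assumes reasonably well-formed markup; text hidden through an external stylesheet or matching foreground and background colors still needs a manual look at the source.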

OK, so you don’t own a site like Twitter and you don’t have any social media profiles from which people can link. Well, neither did poor old Mr. Jones or Mr. Selznick. But maybe you were paying attention to your AdSense box and noticed that Viagra or Porn ads keep showing up. Or maybe you were paying attention to your Analytics and noticed some referrals for searches on ‘swollen erect nipples’.

Either way, you can learn three very important lessons here:

  1. Always be on the lookout for something fishy. As SEO gets more competitive, these tactics will be used for more than just Viagra. A strange search result; an odd referral keyword; off-topic AdSense ads; being banned… these are all things that may tip you off.
  2. Even if you trust the sites that you are linking to, can you trust that they haven’t been hacked? Better safe than sorry… check first.
  3. WordPress is one of the best things that has happened to the internet since Google, IMHO, but it is also vulnerable to attack if you do not protect yourself by keeping the version up to date, locking your wp-admin directory, and renaming wp-login.php, wp-comments-post.php and wp-trackback.php.

Just to drive that last point home, remember those spammy viagra links that were cloaked and hidden on PR Works? They all go to WordPress include files on a .edu domain.

Everett Sizemore works for several large ecommerce and community sites, and runs a few dozen of his own websites on the side. He prefers not to share his domains with the public, but hopes the information above has been helpful. Everett on Twitter: .