Ok boys and #girlsofpubcon here’s the session you’ve been waiting for. Black Hat Tactics and and Preventative Measures with Ziv Dascalu – and if you don’t get here in the next minute or so you won’t have a seat.
Ziv just asked me if he could borrow my laptop for a minute, but there’s no way I was going to fall for that! It’s a good reminder to make sure you’re not storing your WMT password or letting others access it.
Disclaimer: He’s not going to talk about cloaking, or doorway pages, or any of that stuff. This should be interesting.
Ziv works at Wiseimpact – which he describes as “Consulting when SH*T Happens”
Let’s talk about competitive industries. (Gambling, pharmacy, poker, payday loans, insurance) – these guys are different types of animals. There’s no rules in these industries and it’s a war. They’re willing to do whatever it takes to rank.
In war, people play dirty – and that’s what we’re going to focus on here. Let’s play the bad guy. (Note: He doesn’t want to teach us how to play the bad guy, but sometimes you have to understand what the bad guy will do)
Sometimes the best method to move up is to “eliminate” the sites above you. When things go wrong, knowing what to check is crucial. You can’t solve a problem unless you know what the problem is.
So how can competitors eliminate you from the SERPS?
Disclaimer: Don’t use these techniques.
(Ziv just took off his suit and put on a black ski cap)
If you can’t remove the site from serps, take out the website. If you can’t take out the website, take out the ISP.
Links -> incoming -> old
Here’s some methods.
Send link target change requests and ask that they change to your site.
If that doesn’t work, send complaints about linking accountability. Say “Hey, you’re linking to this bad site and you’re legally responsible if you don’t take down your link in fancy legalese.” You’d be surprised how many links get taken down.
If that doesn’t work, try a trademark threat. If that doesn’t, try faking a notice from Google. These are awesome methods because not only do they remove all links to your site, but Google and @mattcutts can’t trace it if your enemy does it right.
Links -> incoming -> new ones
Now that you’ve removed their good links, it’s time to create some new ones to take their place. Look for link networks and farms, banned and hacked sites, fake profiles with spam words, blog/chat/twitter spam, and even paid link requests sent to Google employees.
I’m starting to wonder how many of those paid link requests sent to Matt, Amit, etc actually are spoofed emails from black hats.
Here’s a tip of my own: If you want Google to think the spammy links you’re making really came from that publisher, put their adsense code on those spammy sites you create to link to them.
next up, adding new outgoing links to your target site (Again, this is what your enemies do, NOT what you should do)
XSS, Hacking, Widget & code injection, and links in comments or other areas. 3rd party widgets are ripe for code injection – if those widgets aren’t putting their own links on your page to begin with.
Side note, you’d be shocked how many prominent SEOs have out.php or go/to/url type affiliate url hiding things that you can manipulate 🙂
Next, manipulate their content.
use parameters to create duplicate content issues and get them all indexed. (good thing we just covered how to fix those duplicate content issues
Is their forum un-moderated? Take the time to post some “educational” content there. Same goes for posts, comments, testimonials, etc. If you have any of that stuff you NEED to moderate it. You also need to look for 1 pixel fonts, DHTML tricks, and cloaking if you allow users to post HTML or script.
Now let’s go sitewide.
Can you edit their robots.txt due to improper server permissions? Can you add in a noindex,nofollow tag? XSS is always a favorite tool.
Remember: your Black hat may use your WHOIS info on the spam domains he buys to send spammy links to your site.
Can you get access to their webmaster tools through social engineering? Is your company smart enough not to give it out? (a few months ago you could get it with just some simple HTML but sadly that bug is closed now)
DMCA & TM takedown emails work great. (my note: the upcoming e-parasite act will make this technique a LOT easier)
Do you own your brandname.net, .org, etc? If not, somebody could be spamming with them – with YOUR whois information attached.
Influence search engine suggestions. (I’ve done this and it works nicely! It’s really easy to do too, think Turk or your own 3rd party widget)
Proxy sites can be another huge source of duplicate content.
Google just announced freshness, that can be abused. If you push enough results to RSS sites with enough frequency, you can outrank a site where QDF.
If you’re not on Google maps, somebody else might tell Google where you’re located – and it might be somewhere in Africa.
Black Hat PPC
If you’ve got a daily budget, somebody with a click bot might help you spend it up at early hours of the night.
They may also use your adsense code elsewhere or your adwords advertiser ID on some shady sites to create more impressions for you but no conversions.
Ziv is now talking about retargeting – Remember our earlier post on retargetting? Guess what? There’s a way you can use those pixels to retarget visitors to your competitors sites.
People can be hired to tell on link buying.
People can post about how a site tricked Google and got away with it. Remember, you don’t report it, 5,000 mechanical turk users in India report it for you.
People can report you for spyware injection.
Sending cloaked and fake queries can cause analytics people to spend days pulling out their hair. So can botnet traffic trends.
When all else fails, they can hack
302 hijacks still work.
Cross domain canonization
Cloaked 301 redirects
Fake Credit card sales can make you lose your merchant account.
Hire your competitor’s SEO staff. Or if you can’t, distribute their resume so somebody else hire’s them.
Or, just get your own person hired inside.
Denial of Service (DDOS)
I’ve actually had this done to me once by a competitor. Luckily they targeted my site at the domain level not the IP so I simply forwarded the DDOS to one of MY competitors – but these can be very harmful! You can detect the domain level, but not the IP (as easily) and it can hurt other sites on your server. (another note, I also lost a site once when then FBI took the shared server box due to a complaint about another site hosted on it. Also a good tactic!)
And that’s it. It’s time for the Q&A.
A great question: How can you counter a DDOS?
A: Load balancing, or what I just described above: temporarily move the URL if they’re targeting it. If they’re targeting the IP, you can switch your IP. If the attack is coming from Russia (it probably is,) you can use IP geotargeting to not serve your site to Russia.
Q: Is your job at wiseimpact to find people doing this to you and then take them out?
A: No (smile, wink) we implement preventative measures. (Side note: I think it would have been awesome if he showed how to prevent all of these issues.) Ziv: Sometimes, the best solution is to find out who’s doing it and just send a person over there….
And that’s it. I’m off to #epicdinner with @AlanBleiweiss. If you’re on the list come say hi. It should be, well, epic.