For nearly 7 years (of my 19-year SEO career) I did “forensic SEO”. From dealing with penalties and hacked sites to general traffic loss, sorting out why things were going wrong was my life. Over that time I’ve seen a lot of nasty hacks and negative SEO attacks. Recently, I was inadvertently dragged back in with a new client we took on.
Almost by accident we came across an apparent ‘hacking for links’ attack. And this was not your run-of-the-mill approach.
For the uninitiated, the baddies essentially hack into the site to add links to various nefarious sites that they want to rank for. It’s usually in one of the markets we lovingly call the 4 Ps: Pills, Porn, Poker, Payday. We first noticed it when pharma keywords started showing up in Google Search Console, a clear sign that Google had discovered the injected pages and was indexing them, and a site: search confirmed it.
It was admirably one of the more inventive things I’d seen, and well beyond the scope of what an average SEO or site owner would be able to find on their site if they were hit. So, I’ve decided to write about it as a warning for others.
Setting the table
To begin with, they need to gain access to the site. What happens all too often is a breakdown in developer-to-client communication and pure laziness. Here’s the scenario:
- WP install doesn’t do what the client wants out of the box
- Plugins are used, but also don’t quite work as needed out of the box
- Developer customizes said plugin, doesn’t explain the risk
- When WP and the plugin release updates, the dev doesn’t bother to apply them because of the customizations
Therein lies the problem. The developers, seeking to please their client, mess with a plugin and then either leave, or don’t want to tell the client it’s going to cost more each time WP and the plugin need updating. The site is now vulnerable. A similar scenario happens when a site owner fails to keep plugins up to date or is using older plugins that haven’t been updated in years – just because it is the most “recent” version doesn’t mean it can’t be (or isn’t already) exploited.
To make this hack, and similar ones, even more nefarious, the hackers disabled WordPress’ ability to check for updates and alert the site owner that plugins, and WordPress core itself, were out of date. For all intents and purposes, everything looked fine in the admin backend of WordPress, with everything reported as fully up to date, even though it wasn’t.
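The post does not say how the update checks were silenced, so the following is an added example of my own, not code from the article or from the affected site. It assumes the usual mechanisms (WordPress’ `pre_site_transient_update_*` filters, the `wp_version_check`/`wp_update_plugins`/`wp_update_themes` cron actions, the `automatic_updater_disabled` filter and the `DISALLOW_FILE_MODS`/`AUTOMATIC_UPDATER_DISABLED`/`WP_AUTO_UPDATE_CORE` constants) and walks a document root looking for PHP that references any of them. It also lists `wp-content/mu-plugins`, because files there run on every request and never show up on the Plugins screen. The fake install it builds is a constructed fixture; `zz-cache.php` is a hypothetical file name.

```python
import re
import tempfile
from pathlib import Path

# Hooks, filters and constants that control WordPress's update checks.
# All of them have legitimate uses, so every hit is a "review this" item,
# not a verdict: the question is whether the site owner put it there.
SUPPRESSION_PATTERNS = [
    r"pre_site_transient_update_(core|plugins|themes)",   # short-circuits the check entirely
    r"site_transient_update_(core|plugins|themes)",       # rewrites the result after the check
    r"remove_action\s*\(\s*['\"]wp_(version_check|update_plugins|update_themes)['\"]",
    r"automatic_updater_disabled",                        # filter that turns off background updates
    r"AUTOMATIC_UPDATER_DISABLED|WP_AUTO_UPDATE_CORE|DISALLOW_FILE_MODS",  # wp-config.php constants
]
COMPILED = [(p, re.compile(p)) for p in SUPPRESSION_PATTERNS]


def scan_file(path, root):
    """Return one finding per line that references an update-control hook."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    rel = path.relative_to(root).as_posix()
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in COMPILED:
            if rx.search(line):
                findings.append({"file": rel, "line": lineno,
                                 "pattern": label, "text": line.strip()[:120]})
                break  # one finding per line is enough
    return findings


def scan_wordpress(root):
    """Walk a WordPress document root; report update-suppression hooks and
    inventory mu-plugins, which load unconditionally and invisibly."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        findings.extend(scan_file(path, root))
    mu_dir = root / "wp-content" / "mu-plugins"
    mu_plugins = sorted(p.name for p in mu_dir.iterdir()) if mu_dir.is_dir() else []
    return {"findings": findings, "mu_plugins": mu_plugins}


def build_sample_install(base=None):
    """Constructed fixture (not files from the incident): a minimal fake install
    with one clean plugin and one mu-plugin that silences update checks."""
    root = Path(base or tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-content" / "mu-plugins").mkdir(parents=True, exist_ok=True)
    (root / "wp-content" / "plugins" / "clean").mkdir(parents=True, exist_ok=True)
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'example');\n"
        "define('DISALLOW_FILE_MODS', true); // also hides the Updates screen\n")
    (root / "wp-content" / "mu-plugins" / "zz-cache.php").write_text(
        "<?php\n// constructed example of update suppression\n"
        "add_filter('pre_site_transient_update_plugins', '__return_null');\n"
        "remove_action('wp_version_check', 'wp_version_check');\n")
    (root / "wp-content" / "plugins" / "clean" / "clean.php").write_text(
        "<?php\n/* Plugin Name: Clean */\nadd_action('init', function () {});\n")
    return root


if __name__ == "__main__":
    report = scan_wordpress(build_sample_install())
    for f in report["findings"]:
        print(f"{f['file']}:{f['line']}  [{f['pattern']}]  {f['text']}")
    print("mu-plugins:", report["mu_plugins"])
```

Run it against a real install as `scan_wordpress("/var/www/html")` and compare the hits with what the owner and the hosting provider say they configured; a `DISALLOW_FILE_MODS` in `wp-config.php` may well be deliberate hardening, whereas a filter in an mu-plugin nobody remembers installing is exactly the kind of thing this post is about. Cross-check the dashboard’s claim of “up to date” against the version strings in the plugin headers on disk rather than trusting it.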
To be honest? We either educate the client on the ongoing cost associated with updating a customized plugin or we just write our own custom plugin. The latter is safer, as the baddies can’t get a copy of it to reverse engineer.
This is often how these types of situations start.
Anatomy of the hack
In this instance, the nefarious code had been hidden inside various PNG and GIF image files. And yes, that’s ‘a thing’. They were spread out over some 22 directories on the server and looked innocuous.
In simpler attacks we tend to look for oddly named files and entries in .htaccess, php.ini and other common places. I’ve added some reading at the end to get more familiar with the myriad ways that are used these days.
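An image file cannot run PHP on its own: something has to hand it to the interpreter, usually an `include` from a PHP file or a handler line in `.htaccess`/`php.ini` that maps image extensions to PHP. The scanner below is an added example (mine, not the article’s or the incident’s code) that checks all three pieces at once: image files whose leading bytes do not match their extension or that contain a PHP open tag, config files with handler or `auto_prepend_file` directives, and PHP files that include an image. The directory it builds is a constructed fixture; the file names in it are hypothetical and the “payload” is only a comment.

```python
import re
import tempfile
from pathlib import Path

# Expected leading bytes for the image types the post mentions (plus JPEG).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Config lines that make image extensions execute as PHP, or bolt a file onto
# every request (auto_prepend_file is a popular loader for hidden code).
HANDLER_ABUSE = re.compile(
    r"(?:AddHandler|AddType|SetHandler)[^\n]*php[^\n]*\.(?:png|gif|jpe?g)"
    r"|auto_(?:prepend|append)_file",
    re.IGNORECASE,
)
# PHP source that feeds an image file to the interpreter.
IMAGE_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*\.(?:png|gif|jpe?g)\b", re.IGNORECASE)
CONFIG_NAMES = {".htaccess", "php.ini", ".user.ini"}


def check_image(data, suffix):
    """Return the problems found in one image file's bytes."""
    issues = []
    if not data.startswith(MAGIC[suffix]):
        issues.append("bad-magic")   # not actually an image of that type
    if PHP_TAG.search(data):
        issues.append("php-tag")     # PHP source embedded somewhere in the file
    return issues


def scan_tree(root):
    """Walk a document root; report images carrying PHP, config that would
    execute them, and PHP files that include them. Returns (relpath, issue)."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        data = path.read_bytes()
        if suffix in MAGIC:
            findings.extend((rel, issue) for issue in check_image(data, suffix))
        elif path.name in CONFIG_NAMES:
            if HANDLER_ABUSE.search(data.decode("utf-8", "replace")):
                findings.append((rel, "handler-abuse"))
        elif suffix == ".php":
            if IMAGE_INCLUDE.search(data.decode("utf-8", "replace")):
                findings.append((rel, "image-include"))
    return findings


def build_sample_tree(base=None):
    """Constructed fixture, not files from the incident: a clean PNG, a GIF
    with a PHP tag appended, a 'PNG' that is plain PHP text, a .htaccess
    handler line, and a plugin file that includes the fake image."""
    root = Path(base or tempfile.mkdtemp(prefix="img-scan-"))
    uploads = root / "wp-content" / "uploads" / "2017" / "11"
    plugin = root / "wp-content" / "plugins" / "gallery"
    for d in (uploads, plugin / "img"):
        d.mkdir(parents=True, exist_ok=True)
    # Clean PNG: signature, IHDR chunk, and a tEXt chunk naming "php-gd",
    # a legitimate string that must not trip the PHP-tag check.
    clean_png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"crc!"
                 + b"\x00\x00\x00\x0ftEXtSoftware\x00php-gd" + b"crc!")
    marker = b"<?php /* constructed marker, no payload */ ?>"
    (uploads / "logo.png").write_bytes(clean_png)
    (uploads / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 40 + marker)
    (plugin / "img" / "x.png").write_bytes(marker + b"\n")
    (plugin / "gallery.php").write_text(
        "<?php\n/* Plugin Name: Gallery */\ninclude __DIR__ . '/img/x.png';\n")
    (root / ".htaccess").write_text("AddHandler application/x-httpd-php .png\n")
    return root


if __name__ == "__main__":
    for rel, issue in scan_tree(build_sample_tree()):
        print(f"{issue:15s} {rel}")
```

Two caveats for real use: a PNG can legitimately contain arbitrary bytes in its chunks, so a `php-tag` hit on an otherwise well-formed image is a lead to inspect (most image tools will happily re-encode a clean copy for comparison), and the include check only catches the straightforward case, so treat any `include`/`require` built from variables in the uploads tree with the same suspicion.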
These folks were sneaky.
What they were doing was feeding Google pages complete with (spun) content and, of course, links. At the time we were brought in the pages were targeting Viagra/Cialis terms, but by looking at the server log files we identified that they’d used the site for various porn terms in the past.
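Because the injected pages were served to Google rather than to visitors, the access logs are where the history shows up. The following is an added example, not analysis from the article, of the kind of triage I would run over a combined-format Apache/nginx log: group requests by path, and flag paths that crawlers fetched with a 200 but that are not in the site’s known URL set, paths containing terms from the markets named above, and paths where crawlers get a 200 while ordinary browsers get something else. The log lines and the `KNOWN_PATHS` set are constructed; the addresses and paths are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CRAWLER_UA = re.compile(r"Googlebot|bingbot|YandexBot|DuckDuckBot", re.IGNORECASE)
# Terms from the markets the post describes; extend for the site in question.
SUSPECT_TERMS = re.compile(r"viagra|cialis|pharm|casino|poker|payday|porn", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, known_paths):
    """Map each suspicious path to the list of reasons it was flagged."""
    seen = defaultdict(lambda: {"crawler": set(), "human": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        who = "crawler" if CRAWLER_UA.search(rec["ua"]) else "human"
        seen[path][who].add(rec["status"])
    findings = {}
    for path, statuses in seen.items():
        reasons = []
        if "200" in statuses["crawler"] and path not in known_paths:
            reasons.append("unknown path served to crawler")
        if SUSPECT_TERMS.search(path):
            reasons.append("suspect term in path")
        if "200" in statuses["crawler"] and statuses["human"] and "200" not in statuses["human"]:
            reasons.append("crawler gets 200, browsers do not")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample log lines (addresses, timestamps and paths are made up).
SAMPLE_LOG = [
    '66.249.66.1 - - [31/Jan/2018:10:15:01 +0000] "GET /buy-viagra-online/ HTTP/1.1" 200 8123 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [31/Jan/2018:10:16:44 +0000] "GET /buy-viagra-online/ HTTP/1.1" 404 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/58.0"',
    '66.249.66.1 - - [31/Jan/2018:10:17:09 +0000] "GET /about/ HTTP/1.1" 200 4201 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [31/Jan/2018:10:18:30 +0000] "GET /about/ HTTP/1.1" 200 4201 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/58.0"',
    '66.249.66.1 - - [31/Jan/2018:10:19:52 +0000] "GET /cheap-cialis/?ref=1 HTTP/1.1" 200 7990 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [31/Jan/2018:10:20:13 +0000] "GET /blog/ HTTP/1.1" 200 9102 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) Safari/604.1"',
    "not a log line at all",
]
KNOWN_PATHS = {"/", "/about/", "/blog/"}

if __name__ == "__main__":
    for path, reasons in analyse(SAMPLE_LOG, KNOWN_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

The known-path set can be built from the sitemap or a crawl of the site as a logged-in admin. Anyone can claim a Googlebot user agent, so before concluding that Google was served different content, confirm the crawler addresses by reverse DNS the way Google documents; and once the dates are established, Search Console’s URL removal and a recrawl request are the clean-up steps on the search side.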
Continue reading the full article at http://www.thesempost.com/hackers-hiding-content-links-png-files/
Originally posted by Vu Nguyen
- How Hackers are Hiding Content & Links via PNG Files - January 31, 2018