Black Hat SEO campaign powered by SQL Injection

Wilson Grant Fisk

Executive VIP
Nov 10, 2012
Interesting read on an illegal BlackHat SEO campaign. Remember, don't try this at home ... it is illegal ... you will get f#cked.

Black Hat SEO campaign powered by SQL Injection

Campaign targeted MS-SQL installations to cross-promote a cheater's website

A new threat advisory from Akamai highlights a Black Hat SEO campaign that's leveraging SQL Injection as a means to generate links to website dedicated to stories about cheating.
The shady SEO campaign can be considered a success too, because the domain benefiting from the inbound links is still the top listing for the primary keywords.

The website behind the campaign, or at least the website that has gained the most from it, wasn't listed in the Akamai report. Salted Hash did some digging, and it didn't take long to discover the website in question; storyofcheating[dot]com.

At one point, Akamai says, the Black Hat SEO campaign included more than 3,800 websites and 348 unique IP addresses. Technically, the campaign is more mass defacement than straight-up SEO scam, because the primary focus was SQL Injection.
It's important to note that those responsible for the defacements were not targeting a vulnerability in MS-SQL or IIS. Instead, they were targeting poorly developed applications that rely on Microsoft's platform to function.
As long as the targeted application didn't validate user-supplied input, it could be used to promote the storyofcheating[dot]com website.
Once a vulnerable application was discovered, various content would be added to the database, including all the HTML needed to supply links to storyofcheating[dot]com. The defaced websites would appear normal to those operating it, because the injected content is only visible to search engines.
Most of the added content was junk ? filler text with a handful of related keywords and meaningless sentences ? but there was enough content to create relevancy. According to one internet traffic monitor, storyofcheating[dot]com didn't have a solid SEO presence until late November, when this campaign started. Once it took hold, inbound links to the site (and its ranking on Google) skyrocketed. The numbers dropped off in mid-December, followed by a brief spike, and another sharp drop.
On Monday, a day before the Akamai report was to be released, Salted Hash confirmed that a Google search for "cheat story" still returned the desired result for the SEO campaign, as storyofcheating[dot]com was the top link.
Many of the defaced websites were completely unrelated to the topic of infidelity, including websites dedicated to software development, SharePoint, Foosball, Tennis, political marketing, and more.
As mentioned, the SEO campaign targets MS-SQL. The common theme between the defaced domains is WordPress and BlogEngine.NET. However, the core code on those platforms isn't what's being targeted. It's more likely the campaign hinges on vulnerable themes and add-on scripts.
Most of the defacements centered on theme and template folders, and generated an entire set of pages, including RSS feeds for the added content.
Another common theme among the defaced websites was abortion. Many of the defaced websites would link to storyofcheating[dot]com under the pretext of abortion discussions, including abortion pills and chemical abortions, as well as topical discussions such as teen pregnancy.
The point of Akamai's threat report is that SEO is important to businesses online, and criminals have no problem with taking advantage of existing SEO rankings and reputation to further their schemes.
On the other hand, this type of fraud isn't limited to businesses, as criminals will target personal websites too.
The standard precautions apply; if you deploy a CMS platform, such as WordPress or BlogEngine.NET, make sure that everything from the server software, core platform software, and add-on modules are kept updated. Monitor your website and server for changes, and investigate anything that seems unusual.
Moreover, it's possible to use Google to catch added pages by searching your domain and looking at what's being indexed.
A copy of the Akamai report is available here.


Black Hat SEO Campaign Leverages SQL Injections to Boost Search Rankings

Akamai tracks down culprit, exposes his actions

A new type of black hat SEO campaign has been uncovered in the last few months by Akamai's experts, who have observed that an attacker is using SQL injection flaws to deface websites with hidden content, specifically aimed at improving his website's SEO ranking.
The campaign has targeted around 3,800 different websites, hosted on 348 unique IP addresses, and leverages SQL injection flaws in MS-SQL servers.
Campaign relies on injecting websites with hidden text

According to Akamai, attackers are using the SQL injection flaws to penetrate databases, search for the website's content, and sneakily insert extra content in various pages.
This content is not left in the open, since both users and the site's admins might notice it, but it's hidden with CSS, and only presented to search engine crawlers.
The hidden content contains both keywords and links that help the attacker's own website gain a better position in search engine rankings for various terms related to "cheating and infidelity."
On the opposite side, websites that are defaced in this manner lose their search engine rating, being polluted with unrelated or adult-themed content.
MS-SQL database servers targeted

Akamai reports that the first signs of this campaign were detected last July, and later intensified towards the end of the year. Most targeted websites seem to be written in ASP and running on older versions of IIS, Microsoft's Web server technology, but some PHP-based websites also seemed to have been compromised as well.
Akamai did a poor job of blurring the name of the website that benefited from the black hat SEO campaign, which is storyofcheating[dot]com.
The website has gained such a massive SEO reputation from this campaign that, at the moment of writing this article, after typing "cheating" in Google, the campaign's website comes up in the first five results, right there next to dictionary definitions and Wikipedia pages.
Akamai details the attack in its latest security report.

It's hard getting anymore black hat than this considering it's also black hat hacking. I would so do this if I lived in a third world country where the authorities didn't give a **** haha
These guys are something else. They'll do absolutely anything to rank their content, even tear down well established sites in the wake of their illicit link building exploits.
You've got to be thick as shit to automate a hacking process that points directly to you.
I don't think they are that stupid. They probably use stolen credit cards, which they use to buy bitcoins, laundering them a little and transfer the funds to some country which doesn't care about western authorities.
thx as always share gems at here


And just finished reading, this is not new to me, as a Chinese, I know how many hackers(chinese) there and try to hack others serve or website per minute, yea, no kidding, even im typing now, China is somekind vague in such things, means, even you hack the CCTV, no one care about your shits, no kidding, and i personally know some hackers earn good (2K dollars per month) just sit there and sell their hacking data, serve info, sockets, whatever, i wont judge them, if you believe in karma, there is, if you dont, then totally whole new story

sum up for Chinese hackers

in our mainland: they always try to hack authority sites to place "casino" "games" "others" hidden links, 90% casino.

they hack in English world: " e-commerce" , 90% Chinese guy will choose do e-commerce/dropshipping sites to overboard as we produce cheap gadgets and clothes to shit the world. And I saw many sites hacked and placed Chinese guy e-commerce links, for example, jerseys etc

There is always space for a hacker to live, no doubt about that.

Last edited:
The moral of this thread don't use Microsoft Web Servers easy to use but lot of security weaknesses.Apache on Linux Servers rules.Always test data input validation in web applications to prevent SQL injection attacks.
AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features and essential functions on BlackHatWorld and other forums. These functions are unrelated to ads, such as internal links and images. For the best site experience please disable your AdBlocker.

I've Disabled AdBlock