1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Hidden links that work - New(?) exploit

Discussion in 'Black Hat SEO' started by Philippines, Apr 2, 2013.

  1. Philippines

    Philippines Newbie

    Joined:
    Apr 16, 2012
    Messages:
    21
    Likes Received:
    5
    Hi all, I just wanted to bring some awareness to a new method of "building" links that works. I believe the hack is IIS based, but I'm not 100% sure. Perhaps someone here knows the hack and can elaborate further. When looking at the ahrefs backlink profile of a spammer, an interesting thing showed. Most every backlink is "hidden" text that appears to be inserted on victim websites.

    Looking at the links for golds2you, we can see that one of the backlinks is this:

    view-source: hxxp: rpaulsingh .com

    Inside the source, and like most every other backlink to this site, there are inserted backlinks to their linkwheel, using various combinations of anchor text to try and appear natural. I still don't understand why google is rewarding these unnatural hidden links, but it works. Here is what is in the source (urls changed obviously)

    <div id="urlss-20130306-15">
    <strong>
    <a ferh="hzzt:/zzz.zxzxzxz.co.uk/" title="world of warcraft gold">world of warcraft gold</a>
    <a ferh="hzzt:/zzz.zxzzzzxz.com/" title="cheapest wow gold">cheapest wow gold</a>
    <a ferh="hzzt:/zzz.zxzzzxz.ca/" title="buy wow gold">buy wow gold</a>
    <a ferh="hzzt:/zzz.zxzxzxzxz.com/" title="wow gold cheap">wow gold cheap</a>
    <a ferh="hzzt:/zzz.zxzxzxzzx.com/" title="wow pl">wow pl</a>
    <a ferh="hzzt:/zzz.zxzxzxzxz.co.uk/" title="cheap wow gold">cheap wow gold</a>
    <a ferh="hzzt:/zzz.zxzxzxz.com/" title="wow gold for sale">wow gold for sale</a>
    <a ferh="hzzt:/zzz.zxzxzxz.com/" title="wow gold">wow gold</a>
    <a ferh="hzzt:/zzz.zxzxzzxz.com/" title="cheap clarisonic">cheap clarisonic</a>
    <a ferh="hzzt:/zzz.zxzxzxz.com/" title="final fantasy xi gil">final fantasy xi gil</a>
    <a ferh="hzzt:/zzz.zxzxzxzxz.net/" title="dr dre headphones">dr dre headphones</a>
    <a ferh="hzzt:/zzz.zxzxzxzzx.com/" title="clarisonic online">clarisonic online</a>
    <a ferh="hzzt:/zzz.zxzxzxzx.com/" title="clarisonic uk">clarisonic uk</a>
    <a ferh="hzzt:/zzz.zxzxzxz.com/" title="wow items">wow items</a>
    <a ferh="hzzt:/zzz.zxzxzxz.com/" title="sell ffxi gil">sell ffxi gil</a>
    </strong></div>
    <script>document.getElementById("urlss-20130306-15").style.display="none"</script>



    I am not here to tell you what or how these people are building links this way, because I don't know myself, but it is working. I know because when you check the SERPS for these keywords, these sites are ranking.Perhaps this info will be useful to someone out there until goog fixes this, and this trick has been working for over 6 months...
     
  2. dennis727

    dennis727 Power Member

    Joined:
    Mar 29, 2012
    Messages:
    511
    Likes Received:
    190
    Not really a "new" technique. (some) People have been using this method for quite sometime. SAPE and the likes.
     
    • Thanks Thanks x 2
  3. Philippines

    Philippines Newbie

    Joined:
    Apr 16, 2012
    Messages:
    21
    Likes Received:
    5
    Agreed with you it is not new, but I don't think it is widely used. I don't see it very often, and I check a lot of backink profiles on ahrefs when looking to identify new potential link locations. I have known about it for at least 6 months, but figured it would be penalized by goog, and it still isn't.

    This is an IIS exploit?
     
  4. youtalkmedia

    youtalkmedia Senior Member

    Joined:
    Dec 5, 2011
    Messages:
    830
    Likes Received:
    375
    Occupation:
    Web Developer
    Location:
    Toronto
    Home Page:
    I had heard that putting style display none was penalized, but with the code I saw there, it only is hidden if javascript is run. I am almost 100% sure google does not run any script when it lands on a page, so that may actually work...
     
  5. walkman

    walkman Newbie

    Joined:
    Feb 18, 2013
    Messages:
    41
    Likes Received:
    2
    Home Page:
    Oh, I have seen a lot of it, mainly a bunch links from .gov.xx, .edu.xx website

    And do you know what? Even if you report it to the big G which may or may not take actions in months, those guys just 301 redirect the penalized domain to a new domain, and OMG, still good money flow in.

    Just my personal experience. I even know how much those gov and edu links cost and where to buy.
     
  6. rossegpz

    rossegpz Junior Member Premium Member

    Joined:
    Nov 14, 2012
    Messages:
    101
    Likes Received:
    31
    Home Page:
    Currently, some big keywords are most dominated by hackers such as payday loans.
     
    • Thanks Thanks x 1
  7. mrblackjack

    mrblackjack Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 6, 2011
    Messages:
    960
    Likes Received:
    552
    Occupation:
    I live alone, I work alone, I make money alone
    Location:
    G00gle LaNd
    It's really old news method to build links. Hackers usesql injections to do that, but if u wanna mass links, the trick is:
    1. Find a wp-theme or customize one (works with a plugin too)
    2. Within the theme source files (no matter which), u can call your remote server lets say using cURL or file_get_content
    3. with request to the exploited site (that used your theme), your server can return hidden html with links
    4. Obviously u need to encrypt the functions that call your remote server, to prevent users from deleting them or find about them
    5. Once you have set up an exploited wp-theme or pluging, u can publish it for free download at forums etc. whoever install it, can be remotely controlled.

    There is a blackhat platform that does all the above, and is being selled at imglory and probably here too.

    Now, consider you have come up with a really good theme and distribute it, the more people install it, the more website u can control for backlinks.

    Very simple
     
    • Thanks Thanks x 3
  8. no4h~

    no4h~ Regular Member

    Joined:
    Apr 11, 2011
    Messages:
    456
    Likes Received:
    330
    this is about as new as display: none.

    (... Just kidding.)

    This isn't something new. Google can detect this.
     
  9. bashx

    bashx Jr. VIP Jr. VIP

    Joined:
    May 2, 2012
    Messages:
    173
    Likes Received:
    69
    Hidden div tags have been around for a long time....
     
  10. Philippines

    Philippines Newbie

    Joined:
    Apr 16, 2012
    Messages:
    21
    Likes Received:
    5
    I was talking about the kind of exploit being possibly new, not the use of hidden links. Sorry for the confusion. I was thinking this is an IIS based exploit, and was looking for more info if someone knows how these links were hacked?As for google detecting this, I'm sure they do detect it everytime googlebot scrapes the code, but in this case, even when detected, it is not being penalized. I imagine it will be fixed one day, but for now and the last ~6 months or so, it is working like a charm.Before I was seeing hidden or off-page, 1x1px marquees inserted everywhere, maybe a joomla hack. Those worked before but I don't think so anymore.
     
  11. jerra

    jerra Regular Member

    Joined:
    Sep 18, 2008
    Messages:
    476
    Likes Received:
    64
    Home Page:
    For those of us that are not coders, could you give us an example of how this code would look like?

    thank you
     
  12. ComputerEngineer

    ComputerEngineer Senior Member

    Joined:
    Apr 25, 2012
    Messages:
    833
    Likes Received:
    70
    those are hacked backlinks
    stupid google still cannot understand as those sites ranking very well
     
  13. jerra

    jerra Regular Member

    Joined:
    Sep 18, 2008
    Messages:
    476
    Likes Received:
    64
    Home Page:
    Oh

    having read the thread I thought this method was working?
     
  14. JustUs

    JustUs Power Member

    Joined:
    May 6, 2012
    Messages:
    609
    Likes Received:
    452
    Here is the problem with that:

    Code:
    ### Prevent wget, curl, and email harvesting
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(libwww|libwww-perl|curl|wget|python|nikto|scan).* [NC]
    RewriteRule ^(.*)$ - [F,L]
    ### END Prevent wget, curl, and email harvesting
     
    • Thanks Thanks x 1
    Last edited: May 30, 2013
  15. jascoken

    jascoken Senior Member

    Joined:
    Nov 1, 2010
    Messages:
    1,135
    Likes Received:
    751
    Gender:
    Male
    Occupation:
    IT/Web Systems & Development...
    Location:
    Sussex:UK
    Yes, it works, if only for a short space of time on clusters of sites that are constantly being replaced and updated. This is serious BH stuff and any kind of forced injection of code can render you liable for legal action, so you've got to be fully 'geared up' for this kind of work and spending a lot of money.

    Has been around for many years in different forms. Only the methods of 'injection' change.
     
  16. googlemonster

    googlemonster Supreme Member

    Joined:
    Nov 15, 2008
    Messages:
    1,400
    Likes Received:
    525
    sounds a good idea with the control element, f google lets smash it to pieces
     
    • Thanks Thanks x 1
  17. alias4

    alias4 BANNED BANNED

    Joined:
    Nov 23, 2012
    Messages:
    20
    Likes Received:
    1
    you can buy these backlinks at www dot alivv dot com but you need a chinese bank account
     
  18. stugz

    stugz Junior Member

    Joined:
    Apr 14, 2013
    Messages:
    154
    Likes Received:
    33
    You can change the useragent of curl.
     
  19. CyHead

    CyHead Regular Member

    Joined:
    Apr 6, 2009
    Messages:
    219
    Likes Received:
    65
    Occupation:
    Student
    Location:
    Fiji
    Home Page:
    Kinda neat - Google does penalize links that have a class or id or inline styling where the links are being hidden or visibility is disabled. I've tested this out a year ago and noticed a direct correlation between hidden links and Google's indexing of pages (e.g., a page that was being indexed every 2 weeks, suddenly dropped to an average of every 2 months after having hidden links in a div). The neat part of this is that they're showing the links by default, but hiding it with javascript. But, I'm sure Google will catch on to it - unless they cloaked the javascript file which would be a good twist.
     
  20. alias4

    alias4 BANNED BANNED

    Joined:
    Nov 23, 2012
    Messages:
    20
    Likes Received:
    1
    you all think too much. nobody hacks anything. no one codes anything. these links come straight off alivv dot com - but as i said you can only pay with a chinese bank account