For nearly 7 years (of my 19 year SEO career) I did “forensic SEO”. From dealing with penalties, hacked sites to general traffic loss, sorting out why things are going wrong was my life. Over that time I’ve seen a lot of nasty hacks and negative SEO attacks. Recently, I was inadvertently dragged back in with a new client we took on.
Almost by accident we came across an apparent ‘hacking for links’ attack. And this was not your run of the mill approach.
For the uninitiated, the baddies essentially are hacking into the site to add links to various nefarious sites that they want to rank for. It’s usually in one of the markets we lovingly call the 4 Ps – Pills, Porn, Poker, Payday. We first noticed it when pharma keywords started showing up in Google Search Console, a clear sign that Google had discovered it and was indexing it, and a site: search confirmed it.
It was admirably one of the more inventive things I’d seen, and well beyond the scope of what an average SEO or site owner would be able to find on their site if they were hit. So, I’ve decided to write about it as a warning for others.
Setting the table
To begin with, they need to gain access to the site. What happens all too often is a breakdown in developer to client communication and pure laziness. Here’s the scenario:
- WP install doesn’t do what the client wants out of the box
- Plugins are used, but also don’t quite work as needed out of the box
- Developer customizes said plugin, doesn’t explain the risk
- When WP updates, the plugins update, dev doesn’t bother to update because of customizations
Therein lies the problem. The developers, seeking to please their client, mess with a plugin and then either leave, or don’t want to tell the client it’s going to cost more each time WP and the plugin need updating. The site is now vulnerable. A similar scenario happens when a site owner fails to keep plugins up to date or they are using older plugins that haven’t been updated in years – just because it is the most “recent” version doesn’t mean it can’t be (or isn’t already) exploited.
To make this hack, and similar ones, even more nefarious, the hackers disabled WordPress’ ability to check and alert the site owner that plugins, as well as WordPress itself, were out of date. For all intents and purposes, everything looked fine in the admin backend of WordPress with everything fully up to date, even though it wasn’t.
To be honest? We either educate the client on the ongoing cost associated with updating a customized plugin or we just write our own custom plugin. The latter is safer, as the baddies can’t get a copy of it to reverse engineer.
This is often how these types of situations start.
Anatomy of the hack
In this instance, the nefarious code that was used had been hidden within various PNG and GIF image files. And yes, that’s ‘a thing’. They were spread out over some 22 directories on the server and seemingly innocuous.
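A defender-side check for the situation described above, as an added example that is not part of the original post or the investigation's own tooling: it walks a directory tree (hidden files included), flags PNG files that carry bytes after the IEND chunk, and flags any image file containing script-like text. The marker list, the file names and the inert sample payload are assumptions constructed for illustration.

```python
import os, re, struct, tempfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_EXT = (".png", ".gif", ".ico", ".jpg", ".jpeg")
# Heuristic markers (an assumption of this example; tune for your own site).
MARKERS = re.compile(rb"<\?php|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(", re.I)
INERT = b"<?php /* constructed inert placeholder */ ?>"  # constructed sample text

def png_finding(data):
    # Walk the chunk list; anything after IEND is not image data.
    pos = len(PNG_SIG)
    while data.startswith(PNG_SIG) and pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND" and pos <= len(data):
            return f"{len(data) - pos} bytes after IEND" if pos < len(data) else None
    return "not a well-formed PNG"

def inspect_image(path):
    with open(path, "rb") as fh:
        data = fh.read()
    findings = [png_finding(data)] if path.lower().endswith(".png") else []
    if hit := MARKERS.search(data):
        findings.append(f"script marker at offset {hit.start()}")
    return [f for f in findings if f]

def scan_tree(root):
    report = {}
    for dirpath, _, names in os.walk(root):  # os.walk also returns dotfiles
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(IMAGE_EXT) and (found := inspect_image(full)):
                report[os.path.relpath(full, root)] = found
    return report

def demo():  # constructed sample tree: clean PNG, text in metadata, text after IEND
    def chunk(t, d):
        return struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))
    head = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(b"\x00\x00")))
    end = chunk(b"IEND", b"")
    samples = {"logo.png": head + end,
               "meta.png": head + chunk(b"tEXt", b"Comment\x00" + INERT) + end,
               ".tail.png": head + end + INERT}
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return scan_tree(root)
```

Run scan_tree() against a copy of the web root and diff the report against a known-good backup; a hit is a lead to examine by hand, since legitimate images can contain metadata text.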
In simpler attacks we tend to look for odd named files, entries in the htaccess, php.ini and other common elements. I’ve added some reading at the end to get more familiar with the myriad of ways that are used these days.
These folks were sneaky.
What they were doing is feeding Google pages complete with (spun) content and of course links. At the time we were brought in they were Viagra/Cialis, but through looking at the server log files we identified that they’d used it for various porn terms in the past.
Of course, if you or I went to the page, we’d see nothing as it did a loop and 302 redirected back to the home page. In order to see the hacked pages, you needed to spoof a Google referrer. Something not uncommon in the past with sites that are hit with malware.
The fun part is the pages in question don’t show up anywhere in the WordPress back end. They don’t show up in the WordPress database, so for anyone looking for them, they’re invisible. Interestingly, they did mess with a redirect plugin that we didn’t even find until we went to the server control panel and clicked “show hidden files”.
Nasty little hack
In all my years of doing forensic work, this is one of the best/sneakiest ‘hack for links’ that I’ve seen. There were a few hints along the way (load times, robots.txt was empty) but nothing along the usual lines as far as red flags.
As I mentioned earlier, we ultimately found it in some PNG files spread across some 22 directories. They originally got access via a WordPress plugin that wasn’t updated. Essentially, they used a sort of ‘black hat CDN’ on their servers that would feed Google entire pages, but those pages never showed up on the site because they were on the baddies’ server. The load time was because it would send normal users to their site and back to the home page, but their hacked page never loaded.
Interestingly, Google didn’t even catch on and flag the site as being hacked in the search results, although the pages were indexed… and the injected content and links were there since Aug 2016. I will be sending Google the case study once I am done, so this is worth knowing about.
This is a GREAT case for setting up bi-monthly tracking in Google Search Console and Google Analytics. Often I feel some clients think my monitoring is just a cash grab.. but if it wasn’t for this, I’d have never caught a sniff of the hack. It was a new client, I was doing my initial run when I came across it… thus it was in place since 2016. Now, one can also think that “Google didn’t catch it, so they weren’t penalized” but hey, they’re bound to eventually, it’s not worth the risk. Funny enough, the client’s rankings/traffic was growing the entire time, and they were never penalized.
Thus we can assume Google never caught it and that it wasn’t a neg-SEO attack per se. It was a hack-for-links. However, hackers could use this same method for a targeted negative SEO attack and it could be done on any site, even those not using WordPress.
Some reading to learn more about this type of attack utilizing PNGs:
https://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-metadata.html
https://stackoverflow.com/questions/32802514/code-injection-in-png-file
https://phocean.net/2013/09/29/file-upload-vulnerabilities-appending-php-code-to-an-image.html
https://security.stackexchange.com/questions/111935/exploiting-a-php-server-with-a-jpg-file-upload
https://aw-snap.info/articles/spam-hack-wordpress.php
Lastly, we also found a hidden plugin (files couldn’t be seen on server) – to find it we went to the hosting control panel and clicked “show hidden files” and we then found a legit plugin called Simple 301 – prior to that the nasty hacked pages in question were doing a 301 – 302 – 200. They are now sending the proper 404.
David Harry
- How Hackers are Hiding Content & Links via PNG Files - January 25, 2018
blair says
Wonderful article. I knew in the past of people doing things in a less sneaky approach where you go into a site which allows you to upload photos or images; in that area it’s possible to sneak in a backlink back to another website some of the time.
Stefanos says
You reminded me of my case when I had to fix a website I was participating in as a volunteer.
The website was constantly hacked and all three of us, the web team, couldn’t find the actual source of the problem.
After a thorough investigation, my exhausted fingers mistyped Ctrl-4 instead of Ctrl-R for refresh on my File Manager (PCManFM) and saw something suspicious.
My .ico file which should have been only a couple of hundreds of bytes had the size of 14kb!
I said “wait a minute…what?!” and I immediately opened it with an editor; boom, I found it!
It was a file that looked like a standard .ico image, but they managed to fool the server somehow and they had somewhere inside the database a hidden module that would extract the entire PHP code that was embedded inside the aforementioned file and spread all over the place like cancer.
I did my best, but for some reason it would come back.
After a couple of months, we learned from the hosting company that their entire server was affected and had to move us to a newer one.
It was the most intense investigation I ever did in my 18 years of personal experience with computers.
Quinton says
Is this the same Simple 301 Redirect plugin that Sucuri reported on?
Karl Hindle says
Good catch!
All this was sparked off by pharma keywords – was there any “level” or percentage that moved this from anomaly to something worth investigating, or was it “this is odd let’s look at it” from the start?
Thanks for this – good stuff!