First of 2 parts
MANILA, Philippines – What if someone asks you to pay US$36 ($2,058)* to remove unwanted backlinks from their website to yours that you didn’t ask to begin with?
To the average internet user, the idea of getting paid to remove bad backlinks may seem absurd. In the wicked world of black hat SEO operators, however, it makes perfect sense because there is a market that can be exploited. Moreover, it is a potentially lucrative business.
In late July 2022, we discovered that Rappler, ABS-CBN, Philstar, and others were being heavily spammed by thousands of dubious websites that an SEO monitoring tool described as “networks of ‘link potentials’. This made stories from these sites less visible in search results.
While linking to websites in general is beneficial, having numerous backlinks from toxic and spammy sites is a completely different story. Search engine giant Google, which uses backlinks as one of several signals to determine the relevance and importance of specific online content, has been fighting manipulative link building schemes for years.
Very recently, a Google search expert already confirmed that in cases where there is a clear pattern of spammy and manipulative links by the site, its search algorithm may simply decide to distrust the entire site.
If left unchecked, these spam backlinks could reduce traffic to the affected sites, something news websites that rely on traffic from search results cannot afford to ignore. Rappler discovered the problem after noticing a sharp drop in traffic from its search results in July.
A negative SEO extortion scheme
To tackle the spam attacks, we teamed up with Swedish digital forensics group Qurium Media, who we had previously worked with when Rappler and other Philippine newsgroups faced Distributed Denial of Service (DDoS) attacks before the May 2022 election. (Qurium research may be found here)
We analyzed backlink data on Rappler and other news sites, gathered more information and identified patterns that could lead us to potential culprits. Our deep dive brought attention to the online extortion scheme of a Swedish black hat SEO operator.
The black hat operator charges $3 (P171.55) per month or $36 (P2,057) per year for each link a user adds to their site. Expensive, right? But it’s not that expensive when you compare it to the price of removing unwanted backlinks – a whopping $36.
If you factor in these prices and factor in the number of backlinks going to the three Philippine news websites, the potential windfall could range from hundreds of thousands of dollars to over a million dollars.
This assumes that the victim news websites here can afford this high price.
The monitoring tool flagged tens of thousands of websites linking to Rappler and other news sites with markers that indicate they are part of “potential link networks” — these have the same IP address, URL path, page titles, root subdomains, Google Analytics and/or Adsense identifiers. Thousands were also flagged as mirror pages, meaning websites that mimic others within the network.
Identification of spammers
The tool did not give us specific identifying information. So we collected additional data to see if there really are links between the websites. This included historical domain registration information, IP addresses, as well as identifiers such as Adsense and Analytics identifiers.
An IP address stands for “Internet Protocol Address,” a series of numbers that identifies any device, such as the hardware that hosts a website, on a network. Human users now often use domains or URLs (such as www.rappler.com) to access websites because it’s easier for us to remember strings of text than a series of numbers. But IP addresses are still used for computer-to-computer communications over the Internet, as well as on other networks.
Although not always the case, websites that share the same IP address could be managed or owned by the same group.
The other data points we collected are trackers that can be found in the code of websites. For example, the Google Adsense tracking code can be found on sites that use Google’s web monetization service to enable display advertising. On the other hand, the Google Analytics code allows website administrators and owners to track website traffic.
Finding similar tracking codes on a group of websites usually indicates that they have the same website administrators or owners. To get the tracking codes, we had to remove them from the code of the websites that the SEO tracking tool was flagging.
Combined, the above information could help identify groups of sites that could potentially have the same owners or administrators. The network graph below visualizes these clusters. (Due to the amount of data being represented, the full view may take a minute or 2 to load.)
Some of the big clusters on the network map are sites and apps built using services like Blogspot, Firebase, Netlify, Typepad, Weebly, Appspot, Booklikes. These sites are hosted on the same service, which means they have the same IP address.
Because they are free services or have free tiers, these services are often exploited by black hats link building schemes.
However, just being hosted on these sites does not necessarily make the sites suspect. What they do have are other indicators: many of them are hotlinking or directly embedding images or assets from news websites, abusive behavior. Many also use content that is copied from other sites or is clearly used by automated content generation tools.
Unfortunately, like Facebook and other social media accounts, it is very difficult to trace the actual ownership of these sites. What is worthwhile, however, are websites within these large clusters that are linked to other clusters with traceable identifiers.
Following a black hat
The next cluster that stood out was a group of sites that shared this same title: “The Globe – The world’s most visited web pages”. The cluster was of particular interest because, among the flagged websites, the tool rated these sites as highly toxicor probably part of link building schemes.
The search monitoring tool revealed hundreds of similarly designed websites with the same browser title. These websites not only targeted Rappler, but also the websites of ABS-CBN News and Philstar.
UNDESIRABLE LINKS. Websites linked to The Globe have largely been backlinks to Philippine news websites ABS-CBN News, Philstar and Rappler
Random checks of the websites in this cluster showed that the sites were almost uniform in appearance and content, consisting of a logo with the image of the world and a call to visitors to add their web pages and products on The Globe website. Apart from this, websites usually include a long list of links to various websites.
Further checks showed that most of these sites linked or redirected to the website
MIRILL PLACES. Screenshots of some of The Globe’s websites hosted at the IP address (78.69.18.135).
Working with Qurium Media, Rappler discovered that this group of sites didn’t just share the same titles or themes. More than a hundred sites with these traits, which connected to Rappler, shared the same IP address (78.69.18.135), meaning they were hosted on the same device.
How does a network of websites with very little informational value to end users and no visible advertising benefit from repeatedly linking to other websites?
This is where the backlink extortion scheme comes into play. If you go to the / site, you will find a hyperlink with this text: “lagg till lankar” (Swedish for “add links”). Clicking on this link will take you to a web page that charges $3 per month or $36 per year for each link added to the site.
BACKLINK PAYMENT SERVICE. The Globe charges client websites $3 for each backlink from its site.
In total, more than 500 websites, including hundreds of sites that spammed Rappler, ABS-CBN and Philstar are hosted on this IP address.
Some of the domains on these sites were registered privately, meaning the person or entity that registered the domain was removed from the records.
However, at least one site had a publicly visible registrant as of December 2021: a person named Richard Genmar whose address is in the city of Stockholm, Sweden. The domain is the-search-engine(dot)net, a website targeting both Rappler and Philstar.
As of April 2022, the registration record for this website has been removed from the domain registration records. But it’s very likely that the owner and the nature of the website haven’t changed because a snapshot we found of the site on the Wayback Machine showed that the website looks the same in December 2021 as it does now.
We searched for more background information about Richard Genmar online. His name, Jan Richard Genmar, also appears as the owner of the mark, “the balloon”, the logo that appears on websites hosted at the IP address: 78.69.18.135.
In a government list for companies operating in the UK, Genmar’s name also appears as a director of The Globe, Int. LTD. The UK government record says it is Swedish, but this could not be independently verified. The website itself has a disclaimer that says: “Companies House does not verify the accuracy of the information presented.”
We investigated the IP address 78.69.18.135 and found that this device is located within the server infrastructure of Telia Company AB, a Swedish multinational telecommunications company and mobile network operator present in Sweden, Finland, Norway, Denmark, Lithuania , Latvia and Estonia.
This specific IP address had previously been reported for abuse in relation to web spam. – with Bingbong Recto and Ogoy San Juan/Rappler.com
(To conclude. Part 2 addresses the business side of a negative SEO operation and how it works. It also explores options for affected site owners.)
*Conversion rate: $1 = P57.18
[ad_2]
Source link
