
The Largest Link-Hack In History

No matter what your web site does or what it's about, it's the target of spammers, and by extension, the target of hackers. Spammers want to fill your site with links to their spammy products (pills, software, etc). Since any reputable site owner isn't going to willingly install spam links, the way to do this with the least amount of fuss (for them) is to hack your site and insert their links and/or content. Often it's done in such a way that it's practically impossible to tell that your site has been hacked. Which brings us to the Great Link Hack Of 2010, which may very well be the largest, most successful link hacking campaign ever conducted. The worst part is that most of the site owners who are hosting the links don't even know they're "participating".

If you search Google for the phrase "buy-phentermine- 37.5mg-without-prescription" you'll get almost 50 million hits, and nearly every single one will lead you (eventually) to a site where you can (surprise!) buy various pills, one of which is phentermine. The target domain changes occasionally, but it's almost certainly owned and operated by the same spam group (the "target" domain is shifted around as needed to help conceal it and avoid being blocked).

Many of the links on the hacked sites are hidden with CSS, using styling like "display:none" (which suppresses it from appearing in the browser) or positioning like "position:absolute;left:-1000px;", which has the effect of forcing the link completely off the browser screen to the left.

This link-hack is interesting because it's a two-stage hack; many of the links exist solely to inflate the rank in search engines, while the rest are intended to funnel you towards the final target site. Often the links will point in a "cascade" fashion to the next higher group of hacked sites, which in turn point to their upper-level list of hacked sites, and so on, until you finally come to the final target site.

The linking is done in a multi-tiered way, and many of the sites will abruptly redirect to a different site at the same level (presumably to help make it harder to track the overall structure of the links and sites). Many of the sites go a step further and redirect only when the visitor reaches the infected website via a Google Images frame. That's right, they check the HTTP Referer, and if you're coming from Google then you get different content than if you go to the site directly. This is done to make it harder for the site owner to find the infected page on their site.

Want to see if your site is infected? The easy way to do it is to do a Google search like this one:

phentermine your-site-name.com

(Replace "your-site-name.com" with your domain, of course.) If you see pages listed that are on your site, you may be infected and have hidden content being served up to your visitors. In some cases the hackers/spammers also take the opportunity to serve malware to your visitors, trying to infect their PCs through a variety of browser exploits. The reasoning is that as long as you're there, why not try to turn your PC into a zombie for use in their botnet? It's kind of like a bonus for them.
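If you have a copy of a page's HTML, you can also scan it for links hidden with the inline CSS tricks described above. The following Python sketch is an added example, not code from the original post; the sample page and the spam.example URLs are constructed, and the check goes slightly beyond the two styles quoted above by also flagging large negative "top" offsets.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns from the article: display:none, or a large negative offset.
HIDDEN = re.compile(r"display\s*:\s*none|(?:left|top)\s*:\s*-\d{3,}px", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags that are hidden or sit inside a hidden ancestor."""

    def __init__(self):
        super().__init__()
        self.stack = []   # (tag, hidden) for every open element
        self.found = []   # hrefs of hidden links, in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = self.stack[-1][1] if self.stack else False
        hidden = inherited or bool(HIDDEN.search(attrs.get("style") or ""))
        if tag == "a" and hidden and attrs.get("href"):
            self.found.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed tags in sloppy HTML.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.found


# Constructed sample page (not taken from any real site).
SAMPLE = """
<html><body>
<p>Welcome! <a href="/about">About us</a></p>
<div style="display:none"><p><a href="http://spam.example/pills">pills</a></p></div>
<a style="position:absolute;left:-1000px;" href="http://spam.example/more">more</a>
<br><a href="/contact" style="color:red">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE):
        print("hidden link:", href)
```

This only looks at inline style attributes, so links hidden through a stylesheet class will not be flagged. Because the injected content can depend on the HTTP Referer, run it on the HTML your server returns for a request referred by Google as well as on the direct response.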

The scope of this link hack is impressive, and it clearly wasn't done overnight. This hack has been going on for months if not years, and with almost 50 million links in place it's probably the single most successful link hack to date. One thing I can say for sure is that it won't be the last.


One Trackback

  1. By Large-Scale Attack On GoDaddy Wordpress Blogs on June 11, 2010 at 7:02 pm

    [...] hit a large number of GoDaddy-hosted WordPress blogs this weekend on April 24th. As with the "Largest Link-Hack In History" exploit, it  only triggers when the traffic is referred by Google, making it the sort of [...]
