Custom, High-volume Subdomain Names as an SEO Tactic

May 21, 2012 - By Chris Larsen

There is a sort of constant evolutionary pressure on the gray and black hat world of shady SEO (search engine optimization), as the major search engines detect the sneaky tactics and erect barriers to their success. Last week I came across an interesting "survival mechanism" being used with some success by one gray hat SEO gang. (BTW, big thanks to Dr. Jon, for yet another cool tool that slices and dices our log data in amazing ways!)

The URLs that caught my attention, in Jon's "these guys are probably up to something!" log, looked like this:

how-to-quote-a-poem.bestonline1.com

girl-scouts-coloring-pages.bestonline1.com

copper-king-lodge-red-river-nm.bestonline1.com

...

(You get the idea.)

Well, it's immediately obvious that they're doing some sort of SEO. And the idea of appearing to have an entire subdomain devoted to a particular search topic is a clever one -- it should certainly help them look highly relevant and valuable to a search engine. Since it's a tactic I haven't seen before, it's worth a closer look...

First, here is what one of the actual link-farm pages looks like:

[Screenshot: sample link-farm page]

Yikes, that's ugly! (But that's fine for them, since this is only for consumption by the search engine "crawler" when it indexes the page, not for actual human visitors to see.)

They're poking random "captchas" into their text, most likely to help their page look good to the crawler. (Maybe especially if these are uniquely generated captchas, not stolen from somewhere else, since that makes the page look like it has a lot of original content?)

The next interesting aspect is where they're doing their link-spamming (i.e., letting the search engines know about these wonderful pages that need to be indexed!)

As it turns out, after a little bit of searching of my own, they're using Facebook, with lots of posts like this:

[Screenshot: sample Facebook spam post]

If you have enough bogus Facebook "users" who "like" a post, that will certainly get the attention of the search engines, right? Hey, this must be a popular topic!

The third interesting observation comes from the WebPulse traffic logs. When I look at the referrer data for traffic to this site (and others in the same SEO network), I see only Bing and Yahoo, not Google. So, in the case of this particular brand of gray hat SEO, the G-men are doing a better job than their rivals at recognizing the garbage and keeping it out of their search result pages.
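
The two log observations in this post (many keyword-phrase subdomains under one parent domain, and which search engines show up as referrers) can be combined into one check over proxy or DNS logs. The following is an added example, not the log tool mentioned above or anything from WebPulse; the log layout, the three-token phrase rule, the threshold and all function names are assumptions, and every sample row except the three hostnames quoted earlier is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: (requested host, referrer URL). Only the three
# bestonline1.com hostnames come from the post; the rest is made up.
SAMPLE_LOG = [
    ("how-to-quote-a-poem.bestonline1.com", "http://www.bing.com/search?q=how+to+quote+a+poem"),
    ("girl-scouts-coloring-pages.bestonline1.com", "http://search.yahoo.com/search?p=girl+scouts"),
    ("copper-king-lodge-red-river-nm.bestonline1.com", "http://www.bing.com/search?q=copper+king+lodge"),
    ("www.example.com", "http://www.google.com/search?q=example"),
    ("mail.example.com", ""),
    ("my-blog.example.org", "http://www.bing.com/search?q=blog"),
]

# Assumed rule: a "keyword phrase" label has three or more hyphen-separated tokens.
PHRASE_LABEL = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+){2,}$")

def split_host(host):
    # Assumption: the parent is the last two labels; real code would use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def referrer_engine(referrer):
    """Reduce a referrer URL to its two-label domain, or None if there is none."""
    host = urlsplit(referrer).hostname
    return split_host(host)[1] if host else None

def find_keyword_subdomain_farms(log, min_phrases=3):
    """Flag parents with >= min_phrases distinct phrase subdomains; tally their referrers."""
    phrases = defaultdict(set)
    referrers = defaultdict(lambda: defaultdict(int))
    for host, referrer in log:
        sub, parent = split_host(host)
        if PHRASE_LABEL.match(sub):
            phrases[parent].add(sub)
            engine = referrer_engine(referrer)
            if engine:
                referrers[parent][engine] += 1
    return {
        parent: {"phrases": sorted(subs), "referrers": dict(referrers[parent])}
        for parent, subs in phrases.items()
        if len(subs) >= min_phrases
    }

if __name__ == "__main__":
    for parent, info in find_keyword_subdomain_farms(SAMPLE_LOG).items():
        print(parent, len(info["phrases"]), info["referrers"])
```

On real traffic the threshold needs to be far higher than 3, since legitimate hosting and blog platforms also use hyphenated subdomains; the distinct-phrase count per parent is the signal, not any single hostname.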

After some poking around, I didn't find any obvious evidence that this SEO is poisonous in nature, at least to end-users: no malware, or fake-AV scan pages, or the like, showed up, either in the logs or via direct experimentation. Interestingly, this network does tie into a pay-per-click ad network, and that network was involved in the "Flashback" Mac botnet, which was primarily attempting to do click-fraud as its money-making angle. However, the PPC network was a vehicle in that attack, not a perpetrator.

In any case, this link-farm network is definitely shady.

--C.L.

@bc_malware_guy