By: Julien Sobrier

Who Else Is Benefiting From The Spam SEO?

Compromise

Blackhat SEO spam is used mainly to redirect users to pages serving malware, often disguised as an antivirus. However, other players are using the same Blackhat spam SEO techniques (they use hijacked sites) more and more to increase traffic to their site.


Fake search engines

These sites look like a search engine. But all links are actually paid advertising. To trick the advertising networks, the user is redirected to different IP addresses when he clicks on these links, so that the advertising networks see a small amount of traffic coming from multiple addresses instead of massive amounts of traffic coming from one location.

I've described how these fake search engines work in detail in the post about Mother's day scam.

p3p0.com fake search engine
These fake search engines include xaras.net, p3p0.com, yeasbear.com, xsearcher.net, smartbuzz.biz (currently blocked by Google Safe Browsing), etc.


Download sites

In the past few months, I've seen more and more hijacked pages redirecting users to (illegal) download sites. These sites make money by selling subscriptions to users.

Site claims to have deadliest catch.rar available for download...
They redirect users to a page that claims the file they are looking for is available for download. The file name is obtained by appending .rar to the search term. In the screenshot above, a search for "deadliest catch" on Google lead to sapm page redirecting to http://express-downloads.com/download.php?file=deadliest%20catch.rar where the the file deadliest catch.rar is available for download.


but the user must sign up first ...
But the user needs to be "to be logged in to download" the file. After entering his e-mail address and a password, he must also make a payment to access this file.

and pay to access a file which does not exist!
Of course, the file does not exist. You can change the file name to any string, the site always claims the corresponding file is available: http://express-downloads.com/download.php?file=[string].rar

Most of these sites have very similar domain names: fast-downloads.biz, turbo-speed-downloads.com, express-downloads.com, thedownloadfiles.com, etc.



Conclusion

There are more and more shady sites using Blackhat SEO in order to make money. And there is no shortage of vulnerable Wordpress installations to take advantage of. This type of spam will very likely exist for a long time.

Botnets are already available for rent, I think it won't take long before hijacked sites are up for rent to increase traffic to shady websites.

-- Julien

Learn more about Zscaler.