With the help of Google, it easy to find a list of these hidden folders. Look for ""index of .files/" and one example of a file listed in the blog post, for example "2009 pro bowl.html": "index of .files/" 2009 pro bowl.html. Now you have access to hundred of pages set up by attackers. This is a very valuable source of information to understand how attackers are using SEO, and which domains names are involved in the attack.
All the pages have the same structure, but are actually quite different from the SEO spam pages I saw before:
- each page targets a particular search (for example, 2010 Winter Olympics), as usual
- the page alternates one paragraph of text, and one link (unusual, there are usually very few links)
- each link text has nothing to do with the content of the page (unusual)
- each link points to a different domain: fng-international.com, achaemprego.projects.heavyworks.ne, aceuplink.net, etc.
The links redirects to different types of sites: fake antivirus pages, fake search engines to scam advertising networks, etc. Some of the links do not redirect all users to malicious sites, but only those who come from a Google/Yahoo/Bing search.
The list of file names also shows which topics are targeted by the attacker: pretty much anything! Winter Olympics, the latest Google phones, celebrities, Apple news, how to write a sonnet (!), home sales, etc.
From these files, we gathered 27,453 unique URLs from 96 different domains. This will keep me busy for a while :-)