A Year Later, Clearly “Blackhat SEO” is still Working

Black Hat SEO

In-brief: Akamai lead researcher Or Katz shares longitudinal data showing that blackhat SEO campaigns designed to improve the ranking of web sites that collect cheating and marital infidelity stories have worked.

A year ago Akamai’s Threat Research Team exposed a “Blackhat Search Engine Optimization (SEO)” attack campaign. The goal of the campaign was to manipulate search engines rankings and grow visibility for a web site that allows users to share their cheating and infidelity stories.

The attack method used SQL injection to inject HTML links to as many web sites as possible across the Internet. By doing so, the attackers created a nest of links referring to the promoted Web site. The expected result? The injected links would eventually lead to growth in the site’s ranking, driving traffic, and increasing awareness in search engines.

Or Katz, Akamai
Katz is a principal security researcher for Akamai’s Cloud Security Intelligence platform.

The success of SEO ranking manipulation is a product of time and referral links. In order to determine whether such “blackhat SEO” manipulation was successful, we measured the promoted web site ranking in the past year to see whether the Blackhat SEO “worked.” In this post, we’re presenting our results:

How to Measure Success?

The ultimate goal of any SEO campaign is to get as much visibility as possibility for the promoted web site. In order to evaluate such visibility, we used the following measurements:

  • We referenced the presence of the promoted web site in primary search results pages using the leading search engines and searching for related keywords and terms.
  • We tracked Web site ranking over time with the Alexa Internet analytics tool which measures how a web site is performing relative to all other sites in the Internet.

Search Engines Results

Search engines can be considered the “front page” of the Internet. Web sites that appear in that “front page” have a huge amount of visibility and can yield significant revenue. For example, simply imagine the impact on the revenue of an e-commerce site selling shoes that appears in the primary search results page when users search for the term “buy shoes.”

In the case of the “cheating” Web site, when we searched for several related keywords and terms in leading search engines, we were able to see that in many cases the “cheating” web site appeared in the primary search results page, meaning the blackhat SEO goal was achieved. More over, according to Alexa Internet analytics tool more than 33% of visits to the “cheating” site came from search engines.

Internet analytics tools

Another good way to measure web site ranking is by using Internet analytics tools that measure how a Web site is doing relative to all other sites on the web over the past three months. In most cases, such ranking is calculated by combining the estimated average of daily unique visitors and estimated number of page views.

We monitored the ranking of the “cheating” web site using Alexa’s analytics tool during the past year. It’s ranking increased dramatically over the year, from being ~4 million in the world in July 2015 to being ~400,000 in the world in July 2016.

Alexa’s Ranking increase over time . (Image courtesy of Akamai.)
Alexa’s Ranking increase over time . (Image courtesy of Akamai.)

More important, judging from what we can observe, the ranking of these sites is still improving.

Looking for the Smoking Gun

In order to estimate the role the “Blackhat SEO” attack is taking in the growth of the “cheating” web site ranking, we analyzed some of the referring links that appear in the Alexa analytics tool. Essentially, we were looking for “attack fingerprints” that would help us point out from where the growth was coming.

According to Alexa, we can see that there are 369 sites that link to the “cheating” web site. Reviewing a sample of those pages reveals some interesting insights:

Odd referrals

One of the referring links is a page located on US state government official web site, the link is not active any longer which indicates that it was Intentionally removed.

Tip #1 – When you can see incompatibility between web sites and referring links, such as between an official US government web site and web site that share users’ cheating and infidelity stories, it may indicate the existence of suspicious referring activity.

Hidden or untrustworthy referrals

Another referring web site was a Chinese travel blogs platform. When we looked into the referring page, we weren’t able to see the referring link to the “cheating” web site. However, by viewing the page’s HTML source code we can see that it exists:

Injected HTML source code. (Image courtesy of Akamai).
Injected HTML source code. (Image courtesy of Akamai).

Injecting a hidden referring link is a good way to make your injection undetected while still being effective when search engines scan the injected page and determine web sites ranking. Moreover, the page also contains other hidden links to controversial web sites promoting “Viagra” and abortions pills.

Tip #2 – When you can see page content offering “Viagra” coupons, you can make a solid assumption that something is not right with that page.

Suspicious referral context

Another referring Web site features content related to sports news and streaming sporting events. Again we can see hidden links to various promotion campaigns and incompatibility between referring web sites.

Tip #3 – If you can see many links across the Internet that include problematic referring context joined with other referral links to controversial web sites, there is a good chance it’s the result of a “blackhat SEO” campaign.


While it is certainly possible that part of the growth of the “cheating” web site ranking in the past year is the result of legitimate web site promotion, the existence of many maliciously injected links across the Internet leaves little doubt. The outstanding growth in the web site ranking is the result of ”Blackhat SEO” activity.

Most of the defaced Web sites are small/medium web sites that lack robust security controls and maintenance. Therefore, injected links are likely to stay undetected and referring traffic. We believe that long-lasting referring links contributed to the persistent growth in the “cheating” web site’s ranking.

Another reason why this campaign succeeded may be related to the promoted web sites’ line of business. Promoting legitimate businesses using “blackhat SEO” may result in business competitors pulling the plug of their rivals’ “blackhat SEO” campaigns. But, when promoting controversial products or services, the chances are low that competitors will speak out.

Getting into the leading search engines’ primary results page is a significant milestone for any SEO campaign. That achievement typically increases traffic from legitimate users, increases web site ranking and may result in financial benefits such as increased revenue or valuation. And while we don’t know who specifically is behind this “blackhat SEO” campaign we do know the outcome, which in and of itself is disturbing. Unfortunately, “blackhat SEO” is working!

Spread the word!

Comments are closed.