It appears that a spammer has found out how to infiltrate the Google index without being caught. Here's what is happening in a nutshell:
- Some searches (very specific phrases, and I won't list any of them right now - Google knows which they are) return results with a large number of .cn (Chinese) sites.
- The .cn sites are often scraped content from legitimate U.S. websites.
- The legitimate sites are being ranked below the scammed .cn sites for these competitive keywords.
- When a user clicks on one of the .cn sites returned in the result set, the user is redirected to an entirely different page which attempts to install one or more pieces of malware on the user's computer. If the user is not protected, they become infected - I don't know the specifics of the infection as I AM well protected.
- The .cn sites don't appear to be hosted ANYWHERE. They are simply redirected domain names. How they got ranked in Google in such a short period of time for fairly competitive keywords is a mystery. Google's index even shows legitimate content for the .cn sites.
- It appears that the faked sites are redirecting the Googlebot to a location where content can be indexed, while at the same time recognizing normal users and redirecting them to a site that includes the malware mentioned earlier. This is an obvious violation of Google's guidelines, but the spammers have found ways to circumvent the rule and hide it from the Googlebot.
- These sites number in the millions for many different keywords and phrases, and appear to be developed on an automated basis. Because of privacy laws, it's hard to track down who owns the domain names - Google has the power to do so, but there has been exactly zero information from Google about the problem so far, and even many SEO experts and webmasters are not picking up on it.
So what does all this mean? First, don't click on a .cn domain name returned from Google.com. If you need to search for a Chinese site, use Google.cn instead of Google.com. Second, watch your own SERPs and see if you are suddenly dropping below sites with a .cn TLD. If you find that happening, report it here. Third, don't panic - Google is remaining mum on this for a number of reasons. Were the public to stop trusting Google it could cause major upheavals in the search engine business - if the problem was just spam, the public wouldn't even notice. However, since malware is involved, this is something that could hit the major media with a giant bang and cause a panic. That could affect traffic to some sites in a major way - especially those specifically optimized for the Google search engine.
A Major Infrastructure Problem?
If a smart spammer has really found a way to game the Google search results with spoofed or cloaked sites, and Google still doesn't have a fix, this could be a major issue with the underlying infrastructure of the entire Google operation. I've seen hints that a significant infrastructure change is taking place; is this spam issue the reason? Could that mean that Google was actually hacked instead of someone spamming the index? If so, webmasters may be waiting a long time for the expected Pagerank update while Google fixes the leaks.
Time to Worry?
This is the first time that I've ever been worried that Google's own index has been hacked. The obvious and blatant circumvention of a guideline normally picked up by the Googlebot quickly is worrisome. A normal website pulling this would be banned almost instantly. The fact that none of the sites have real content and don't appear to even be hosted anywhere is even more scary. How did millions of sites get indexed if they don't exist?
Some Guesses
The fact that the SERPs have been so volatile lately shows that the Google algorithm is being updated and tested - often. That, coupled with the fact that Google's normal quarterly Toolbar Pagerank update didn't occur at the beginning of August, points to Google making some major changes. It's not a giant leap of logic to assume that Google may be trying to figure out a way to stop the spamming of its index, and is looking for some sort of heuristic formula to identify the sites without hurting legitimate U.S. and European websites. The length of time it's taking is scary, but I'd rather they fix the issue than put a band-aid on the problem (Microsoft, are you paying attention?) hoping it will go away.
If anyone has any other observations on this problem, post them here.

197 comments:
Yes the .cn domains appear to be IDN domains, and from what I can gather they are using an advanced cloaking method to "fool" Google into thinking they have content when they are really not hosted anywhere.
After some redirects the malicious sites attempt to install a Microsoft ActiveX Object and commence a download of a file named "VideoAccessCodecInstall.exe"
However it seems Google is taking action against them, although slowly.
It still raises some concerns this could evolve this far. It has similar characteristics to the recent Google Adwords exploit, where people were crafting Ads to appear to be from reputable site, only to direct the users clicking the Ads to an alternate site where they attempt to install Malware.
Scary stuff.
Interesting stuff, however I never thought this could happen to Google, but it has.
However with the size of Google and the man power, Google will sort out all of these problems before anything gets really serious.
I think it would be/is easy to send Googlebot index-friendly content while sending regular users arbitrary malcontent. Searchbots identify themselves in their request headers. The code (in C#) is as simple as the following:
    if ( Request.Browser.Crawler ) {
        SendIndexableContentToSearchBot();
    } else {
        SendMalContentToTargetsBrowser();
    }
In asp.net 1.1 there's a bug with the Browser.Crawler property -- which can be addressed by modifying one's web.config file -- in the manner outlined here: http://semichaos.com/articles/aspnet1/browserdetection.aspx
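Added example, not part of the original post or of any comment: a defender-side check for the behaviour described in the article and in the comment above, where a crawler is served indexable content and a normal visitor is redirected. It requests the same URL once with a crawler User-Agent and once with a browser User-Agent and reports differences; the function names, the 0.6 similarity threshold and the example.test hosts are assumptions made for illustration, and the sample responses are constructed.

```python
import re
import urllib.error
import urllib.request
from difflib import SequenceMatcher

# Published user-agent strings; any crawler/browser pair will do.
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Meta refresh, or a script that assigns a new location.
CLIENT_REDIRECT = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh"
    r"|(?:window|document|top)\.location(?:\.href)?\s*="
    r"|location\.replace\s*\(", re.I)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; urllib then raises the 3xx as HTTPError

def fetch(url, user_agent, timeout=10):
    """Return (status, Location or None, body) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers, raw = resp.status, resp.headers, resp.read(200_000)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers
        status, headers, raw = err.code, err.headers, err.read(200_000)
    return status, headers.get("Location"), raw.decode("utf-8", "replace")

def visible_text(html):
    """Lower-cased page text with scripts, styles and tags removed."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip().lower()[:5000]

def compare(bot, user, min_similarity=0.6):
    """Compare (status, location, body) tuples; return a list of findings."""
    findings = []
    if bot[0] != user[0]:
        findings.append(f"status differs: crawler={bot[0]} browser={user[0]}")
    if user[1] and user[1] != bot[1]:
        findings.append(f"browser-only redirect to {user[1]}")
    if CLIENT_REDIRECT.search(user[2]) and not CLIENT_REDIRECT.search(bot[2]):
        findings.append("client-side redirect served to browser only")
    ratio = SequenceMatcher(None, visible_text(bot[2]), visible_text(user[2])).ratio()
    if ratio < min_similarity:
        findings.append(f"visible text similarity {ratio:.2f} < {min_similarity}")
    return findings

def check_cloaking(url, fetcher=fetch):
    """Request url as a crawler and as a browser and report differences."""
    return compare(fetcher(url, BOT_UA), fetcher(url, BROWSER_UA))

# Constructed responses, not captured traffic; hosts are placeholders.
SAMPLE = {
    BOT_UA: (200, None, "<html><h1>Belt buckles</h1><p>Article text copied "
                        "from a legitimate site about buckles.</p></html>"),
    BROWSER_UA: (302, "http://landing.example.test/", ""),
}

def sample_fetcher(url, user_agent):
    return SAMPLE[user_agent]

if __name__ == "__main__":
    for finding in check_cloaking("http://cloaked.example.test/", sample_fetcher):
        print(finding)
```

A clean result from this check only rules out cloaking keyed on the User-Agent header; a site that decides by the crawler's source IP address or by the Referer of the click will look identical in both requests.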
I agree with anonymous: the bots are so recognizable, and so much work is done server side now that it seems almost impossible for Google to plug ALL the holes in the system.
It's like the story of the leaking levee. As soon as you poke a finger into one hole to stop the flow, another, larger hole opens.
Hackers are nothing if not persistent.
I wonder what plans Google has to combat this issue. There should be antivirus to protect people's website
I assumed that Google would have better abilities to track/capture these types of activities. They must be spending their money on advertising instead of policing their search engine.
There is a simple solution to this complex problem: Google should stop indexing all .cn websites!!!
I will soon start a petition for this...
Hey,
My toothpaste has anti-freeze, my kids play with lead-tainted toys, my fish has mercury and now, when I google my name I find .cn-tainted results.
What are we waiting for to attack China? They have already attacked us!
very interesting article :)
Any updates on this story? What, if anything, has Google done about this?
Good article. Want to know more. Thanks
Very good article, and I think many other attempts like this will follow ... however the big G messes every day with our websites ... he became a hungry Adwords eater ... so I don't think it will last too much. Until 8-9 years ago nobody believed a search engine better than MSN or Yahoo would exist... right?
I have this virus...please help..how do i get rid of it?
when i search my name in the google search feature i get a lot of spammed results pages as described in this article, however they are not .cn links. instead they are .com, .html, and .xls among others. it's a really disturbing problem because of the nature of the web results that are coming up. sometimes last names of people in my email address book appear. sometimes the words are random and at other times they are offensive. i'm ready to hire a lawyer that specializes in web content and privacy rights. if anyone has any further tips, please let me know. i've been reporting all these indexes to the google spam report link. i dont think it's been working.
Such an informative article, and interesting too, but I think Google makes many changes to its strategies to prevent these types of spam.
Such a nice article.
Google needs to crack down on that spam so as to bring law and order to the internet community. They are the king of the web, so whatever they do will have an impact on all the webmasters.
I don't think Google particularly cares to be honest. After all, if the serps are poor, the users will click more of their paid ads!
I feel Google will do something about it. Now when you search for something, "craps info" will turn out on the top of the pages.
It seems that the serps are still providing a lot of very poor results. In the last few weeks I have seen major increases in the number of sites that when visited instantly redirect and try to force the download of various dodgy software with no way of exiting the site other than agreeing to the download (or using taskmanager to kill the process!) Google needs to sort this out asap as its users will soon stop clicking results if this continues to happen. I'm pretty close to that stage now!
jk, we recently had our website completely cloned and visible under another website's domain. Every page copied and available as if it was their website. We emailed their ISP, registrars, Google and the web owners direct and 6 weeks later still nothing has been done. Don't hold your breath mate! I imagine legal action is not cheap!
Jamie,
I understand your concern, legal costs are expensive. You just threaten them with legal action, I think they will put down the site unless they are hosted in countries where there is no law and order.
Hi Bahamut, We did threaten with legal action and nothing was done! We thought their host may have bothered to do something about this but no joy! We recently heard though that spammers can actually fool the whois details to actually show their own so the ISP never actually gets your complaint. We will keep trying though!
My site Blog Topsite recently got a lot of spam submissions, mostly from spam sites trying to get more traffic to their site. Hope Google will be able to stop these spam sites and penalise them for spamming.
Jamie,
Hopefully there will be justice done for you. It is very painful to see one's hard work in a site being copied by others, I can feel your frustration.
Have a nice day!
My directory got lot of spam recently, not sure if it is done by machine or human. Is there a way to stop the spam?
Silane,
I think you are being spammed by programs, I have read somewhere that there is a certain program which is able to spam. Maybe you should add word verification to it to prevent further spam.
It seems that the serps are still providing a lot of somewhat poor results. In the coming few weeks I have seen major increases in the number of sites that although visited swiftly redirect and try to force the download of impulsive dodgy software soiree no way of exiting the site other than agreeing to the download (or using taskmanager to kill the process!) Google needs to sort this out asap as its users will past arrest clicking results if this continues to happen. I'm pretty close to that stage now!
I feel that Google is still not taking action against those malware sites. Hopefully they are able to correct this issue, if not, those poor advertisers will pay for clicks which are not useful to them.
I hear on some forums that google is currently in the process of a big upgrade which is seeing a lot of spam sites wiped from the serps but the uk serps still have a lot of these sites listed.
It's been, what, 4 months already, I would think if they were going to do something big they would have done it already. I must say that is some sweet cloaking.
Yea I wouldn't mind getting my hands on such a script..ah to dream
I dunno I don't think I have ever seen a .cn site on the first page, what terms are these?
Yep the serps have been shaken up lately apparently to clear out the ever present spam sites but they are like roaches man, when you kill one 10 more take its place.
Excellent article, you really get an idea of the whole problem, well and interestingly written. Keep up your great work. I love to read it.
yea this spam crap just keeps gettin better better doesn't it and Google just isn't doing enough about it either, that's why I stick to msn
We don't need endless discussions about it, we need real solutions, so what's coming next? but a nice post!
yes we do need solutions but the mighty google seems to be busy otherwise
Don't for a minute think that Google isn't kicking a*% and taking numbers. They're on top of things, they always are. They are just doing it incognito.
Google is a farce, as long as they're making a killing they really don't give a damn. Yea once in a while they make a few crackdowns but really does it change much? I think not.
This is a cool site about Google SE! Thanks and wish you better luck!
P.S. Google the BEST!
I've seen an improvement recently on some search terms with no .cn sites showing, so perhaps google is addressing this issue.
yea..actually I don't think I've even seen a .cn rank, maybe I have and never paid attention, I hear they're pretty pricey initially.
Yes. Although Google is the top search company, it is still machine searching anyway. Therefore it is inevitable that it can be infested by spams and virus. However, we should realise that Google has been improving their search algorithm all the time. I would say for certain key words, it might be manipulated by infesting sites, but after a while, it will gradually correct it and put Wikipedia or other authoritative site over the top of SERP. So Hilltop algorithm is quite good, but it is not the end.
Google has been kicking butt as of late, I've just heard today of mass deindexing of thousands of pages even on some whitehat sites. they're not messing around in 2008
yess, I've been reading the same in the forums, they've probably already dealt with those pesky .cn domains and are now cleaning house. gotta love the big G eh mates
I can attest to the fact since Google de-indexed several hundred pages across many of my domains last week and this was content I paid for. Not exactly what I would consider crap content.
ok nice tip. I wouldn't click on cn-domains from google.com serps anymore. how do you find that all out? have you made tests and analysed it all? great work!
interesting thoughts: Google is hacked not spammed. you mean there are some (maybe black hat) seos which game Google how they like it? that is really scary and I don't wanna think about it. I hope Google will fix that problem. nice post!
After reading this article, I am bit surprised. The reason is that Google should be able to detect such "cloaking" spamming. Google hates it very much. I thought anti-cloaking was already a matured technology. Apparently spammers sometimes outwitted Google. Will be careful with such .cn sites in SERP
good tip nice post. I will be very careful in future with those .cn domains. thank you for the hint.
that's really a shame, cn domains are very cost effective, cheaper than infos too.
Well infos and cn's can't rank for sh*t by themselves anyway, it's just as well
I don't know why they are doing that, I mean .cn only about $0.1.
I don't know any domain name so cheap. and lots of people don't like .cn domain anymore.
by no means should any domain name be so cheap, that's just begging for trouble IMO, look how many problems they had from the .infos and they were 99 cents
It seems that some cn's have started ranking in yahoo uk now
that is really scary, is this damned spamming never stopping?
didn't you hear..they don't die they just multiply. Think about it, do you really think Google can come up with a flawless system to rid the world of spam. I don't think so
exactly dude, spammers are always on the cutting edge..the good ones anyway. Do you have any idea how much money the first page of the serps for buy viagra makes--> look it up. crime may not pay but spam sure does or no one would be doing it
Looks very interesting article :)
Thanks for sharing.
Really interesting article. And some good comments, will avoid these from now on. Google really needs to sort this. Thanks for the info.
i wish i found this article yesterday, i just purchased 50 .cn domains. gotta go return them now if i can
.cns are a great investment. You just can't beat the price, and with a little seo know-how they will rank just as well as any TLD
I read your article a while ago. Any news on this. Have not seen the problem in Germany so far
I had a few sites receive a notice from Google that it had virus laden serps. Some were just pop-up and other fly-in ads.
Hopefully Google is able to come out with a good solution for this. If not, true webmasters will suffer while those spammers will get away scot-free.
Man I bet there are those out there who are trying to hack Google.
Very impressive post. it sounds really scary how some people are playing around with the serps and google is not able to do anything against it at time.
nice article. I wouldn't click on cn-domains from google.com serps anymore.
Thanks so much.
I do not think Google is so easy to be hacked. They are paying high salaries to employ those engineers to do the work. Do you think they are so easy to hack?
I agree with you, I also think Google is not so easy to be hacked. Those who are playing around with serp will be punished.
I heard that Google is trying to crack down on those .cn domains which are toying around with serp. Any updated news?
I recently realised that my pc has slowed down due to some malware. Hopefully, Google is going to crack down on those scam sites....
Very interesting to know that there are site out there to install virus into people's computers. What are the benefits they get if the virus infect the pc? Do they get paid for it?
the point in a lot of cases is to have an multitude of infected pc's at their disposal for denial of service attacks
Excellent article, you really get an idea of the whole problem, well and interestingly written. Keep up your great work.
thank you for the hint. good tip nice post. I will be very careful in future with those .cn domains.
Nice article. I agree with you, I also think Google is not so easy to be hacked.
Interesting article. Thank you for info about .cn domains
hell what an excellent article about the cn spam. thank you very much for sharing your knowledge!
It was interest!
It is good that someone writes articles which really matters something. Thank you for this article, it's full of knowledge which is hard to find in tons of rubbish in our famous world wide web. Regards and good luck!
Try my site please http://articlevalhalla.net
Thanks. Interest post..
Thank you for your work. This is a fantastic article.
Yeah, thanks for interest post. Info about .cn domains was interest...
Thanks for very interesting article. I really enjoyed reading all of your posts. It's interesting to read ideas, and observations from someone else's point of view... makes you think more. So please keep up the great work.
All the best
Looks very interesting. Thanks for article.
Interesting article. Are these spammers still succeeding after several months?
Thank you for making me aware of such an important issue.
I look forward to reading your next informative work. Thank you.
The google problem with spammers and scammers is getting worse by the day it seems.
you are right about that
well, a lot of exploited have been taken care of already. Google is making progress.
Nice article. Thanks so much.
I'm sure they have got it all figured out, just in time for the hackers to come up with some new methods.
Looks very interesting. Thanks for article.
Google isn't sleeping, I've recently noticed warnings when you try to access certain websites through Google's search listings that the sites may be dangerous
good info, its quite dated though an update would be appreciated
There is a simple solution to this complex problem: Google should stop indexing all .cn websites!!!
I must agree with the poster above me. Google seriously needs to consider not indexing .cn sites. At the very least, an extra filter needs to be placed on them.
I sure am glad I found this post. I was noticing the same thing and stumbled upon you here. You wouldn't have any updates to share on this would you?
Great!
Thanks for article. Looks very interesting.
excellent article with a "behind the scenes" touch and informations on spam. thx 4 the great work!
Thank you very much for sharing your knowledge!
Thank you very much for sharing such a good article with us.
Looks very interesting article.
Very interesting article. Thanks for the thorough information.
Such a interesting article.
Hope the mighty Google can tackle this issue as soon as possible. It will be devastating to our business, if these spammers attack our industry
Thanks for this good article..
Hope google going to tackle this problem.
I feel that no matter how google attack the problem, there is always some kind of loophole.
Don't worry, google going to banned them all.
Thanks for
Such an informative article, and interesting too, but I think Google makes many changes to its strategies to prevent these types of spam.
hi,
I am from Turkey.
Thanks for this good post.
My sites:
varmısın yokmusun
oyunlar
Thanks
Spammers have grown in intelligence twice as quickly as G.
I would think that the boys at Google would be able to track this type of stuff and get it corrected rapidly...
Spam is a serious affecting web users. I hope Big G sorts this out
Google has absolutely sorted out the issues with iffy content now
Thanks very nice.
these issues are now sorted thank goodness
Interesting theory, I like your blog, added to the book-marks, thank you
Very useful. thanks for the info. regards from;
http://www.orgu-evi.com
FYI:
I did an innocent search on PBR belt buckles and ran across this site:
C J's Metal Detecting Pages BucklesJeffrey Scott® Fine Magnetic Bracelets. Join the PBR. Belt Buckles. ... some buckles of photos Bullens Australias Circus show largest the 50s&60s. in Your ...
"mahaliapellot.interfree.it/1181.htm" - 31k - Cached - Similar pages
And after some redirects the malicious sites attempt to install a Microsoft ActiveX Object and commence a download of a file named "VideoAccessCodecInstall.exe"
You can not hardly back out but thank god I shut it down before it installed.
Is the .it domain from Italy?
Thanks for useful information. Regards...
This article is pretty cool and will save a lot of my time. Thank you
I think Google are able to sort out this mess fairly easily
Very helpful article. I am insert him on my site. Regards
The issues are now sorted Thank God
Thank you for this article, but it is certain that Google makes regular changes against this type of spam.
Really interesting article. And Google really needs to sort this. Thanks for the blog.
Very nice article. Thanks so much !