
What is Korean SEO Spam and How to Remove it?


Spam is a blanket term for unsolicited emails, adverts, etc., which have no relevance to the end user. Spam is used for a wide variety of internet crimes. Sometimes it is deployed by hackers to trick innocent users into buying fake products, or for click farming. Sometimes spam is used to pollute the search results of competing sites. Spam usually targets users via lucrative offers like pyramid schemes, multilevel marketing, cheap pharma products, etc. Recently, a large-scale Korean SEO spam campaign was uncovered. The alarming thing about this campaign was the tricks it used to pollute the search results of legitimate websites. Spammers are getting smarter day by day. Commenting on this, the author of the book “Spam: A Shadow History of the Internet” has written that,

The gradual predominance of the algorithm in the project of spamming appears in the filters and the spam created in response to them, in search engines and their manipulators, and, as will be shown, in the grand global project of the botnets.


Uncovering the Layers of Korean SEO Spam

This Korean SEO spam typically targets common CMS files like index.php, functions.php, etc. Inside any of these files, the code can be found hidden in base64 format. Once decoded from base64, the spam contains another layer of obfuscation, as shown in the image.

As seen in the image, the hackers used the “Signature For Report” comment to misdirect anyone trying to analyze the code. However, upon further decoding, this code reveals the modus operandi of the entire Korean SEO spam campaign, which includes the components described below.
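For cleanup work, the layering can be unwound mechanically. The following Python is an added example, not code from the original article: it peels nested base64 blobs out of a PHP file's text and reports at which layer suspicious strings appear. The indicator list and the sample file contents are assumptions constructed for illustration.

```python
import base64
import re

# Long runs of the base64 alphabet; short runs are usually ordinary identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings worth surfacing once a layer is decoded (assumed list, extend as needed).
INDICATORS = ("HTTP_REFERER", "HTTP_ACCEPT_LANGUAGE", "document.location",
              "base64_decode", "eval(")

def try_decode(blob):
    """Return the decoded text if blob is valid base64 of readable UTF-8, else None."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:
        return None
    readable = sum(c.isprintable() or c.isspace() for c in text)
    return text if readable / len(text) > 0.9 else None

def peel_layers(source, max_depth=5):
    """Decode nested base64 blobs; return sorted (layer, indicator) pairs.

    Layer 0 (the file as stored) is not reported, because these strings can
    appear legitimately in plain PHP; only decoded layers are flagged.
    """
    hits, frontier = set(), [(0, source)]
    while frontier:
        depth, text = frontier.pop()
        if depth > 0:
            hits.update((depth, i) for i in INDICATORS if i in text)
        if depth < max_depth:
            for match in B64_RUN.finditer(text):
                decoded = try_decode(match.group(0))
                if decoded:
                    frontier.append((depth + 1, decoded))
    return sorted(hits)

def build_sample():
    """Constructed two-layer sample; the innermost layer is an inert comment and check."""
    inner = (b"/* Signature For Report */ "
             b"if (strpos(@$_SERVER['HTTP_REFERER'], '.kr') !== false) { /* ... */ }")
    layer1 = b"eval(base64_decode('" + base64.b64encode(inner) + b"'));"
    return "<?php eval(base64_decode('" + base64.b64encode(layer1).decode() + "'));"

if __name__ == "__main__":
    for layer, indicator in peel_layers(build_sample()):
        print(f"layer {layer}: {indicator}")
```

A hit on a decoded layer is a reason to inspect the file by hand, not proof of infection on its own.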


Components of Korean SEO Spam:

Fetching the Contents of Spam

To fetch the contents of this Korean keyword hack, the following link was used: hxxp://god.sm79[.]xyz/api.php?g=gitt. Upon visiting this link, it serves some base64-encoded content, as shown in the image below.

When decoded, it looks something like this. It contains a long list of Korean keywords and injection types.

Configuration Arrays of Korean SEO Spam Content

The content fetched from hxxp://god.sm79[.]xyz/api.php?g=gitt contains a large number of arrays. These assist the spammers in creating and spreading a large variety of spam. Some important arrays fetched from the link are:

1. A configuration array for spam rules so that you never run out of spam. It contains around 199 spam rules!

2. A configuration array of domains used to redirect users.

3. An array of around 900+ keywords (309 in one array and 608 in the other) to be targeted. Some prominent keywords include “call girls for travelers”, “online gambling”, “off-white merchandise”, etc.

Target Localization

This Korean SEO spam campaign targets only the traffic generated from Korea. This can be further explained from the code snippet of the spam given below:

if (strpos(strtolower(@$_SERVER['HTTP_REFERER']), ".kr") !== false
    || strpos(strtolower(@$_SERVER['HTTP_ACCEPT_LANGUAGE']), "ko") !== false) {
    die('<!DOCTYPE html><html><body><script>document.location=("' . @trim($sc_arr[0]) . '");</script></body></html>');
}

The first condition checks whether the request originated from a Korean version of a search engine, i.e. whether the referrer contains “.kr”. The second condition checks whether the user has Korean as the default browser language, i.e. whether the Accept-Language header contains “ko”. When either condition is satisfied, the request is redirected. Also, the spam contents fetched earlier contain an array of Korean cities, used to customize the spam content for each one of them.

Array for targeting each city
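Because the redirect fires only for Korean referrers or browser languages, a site owner browsing from elsewhere sees a normal page. The Python below is an added example, not part of the original article: it requests a page with and without those headers and flags responses that gain a script redirect. The probe headers, marker list and the two simulated sites are constructed assumptions.

```python
import urllib.request

# Header sets mirroring the two checks in the snippet above (example values).
PROBES = {
    "baseline": {},
    "kr_referer": {"Referer": "https://search.example.kr/?q=test"},
    "ko_language": {"Accept-Language": "ko-KR,ko;q=0.9"},
}
REDIRECT_MARKERS = ("document.location", "window.location", 'http-equiv="refresh"')
CLEAN_PAGE = "<!DOCTYPE html><html><body><h1>My blog</h1></body></html>"

def http_fetch(url, timeout=10):
    """Build a fetch(headers) callable for a live site you are authorized to test."""
    def fetch(headers):
        req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **headers})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch

def detect_locale_cloaking(fetch):
    """Return the names of probes whose response gains a redirect marker."""
    baseline = fetch(PROBES["baseline"])
    flagged = []
    for name, headers in PROBES.items():
        if name == "baseline":
            continue
        body = fetch(headers)
        # Dynamic pages differ between requests anyway, so require a marker
        # that is absent from the baseline response.
        gained = [m for m in REDIRECT_MARKERS if m in body and m not in baseline]
        if body != baseline and gained:
            flagged.append(name)
    return flagged

def constructed_infected_site(headers):
    """Offline stand-in that behaves like the snippet; the target is a placeholder."""
    referer = headers.get("Referer", "").lower()
    language = headers.get("Accept-Language", "").lower()
    if ".kr" in referer or "ko" in language:
        return ('<!DOCTYPE html><html><body><script>document.location='
                '("https://redirect.invalid/");</script></body></html>')
    return CLEAN_PAGE

def constructed_clean_site(headers):
    return CLEAN_PAGE

if __name__ == "__main__":
    print(detect_locale_cloaking(constructed_infected_site))
```

For a real check, pass `http_fetch("https://your-site.example/")` instead of the simulated site.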


Old Dog, New Tricks

Korean SEO spam bears multiple similarities to the Japanese SEO spam. For instance, Korean SEO spam also creates spammy doorways on many sites around the world. Another similarity is trying to sell cheap pharma products. Just like Japanese SEO spam, this too tries to claim the ownership of compromised sites.

Although the spam campaign is similar to the Japanese SEO hack, the Korean SEO spam campaign features a new and alarming method of polluting the search results of legitimate and uncompromised websites. One of the configuration arrays in the contents fetched from “hxxp://god.sm79[.]xyz/api.php?g=gitt” includes a list of around 500 random sites. The URLs of these sites are stored in the following format: http://example.com/?s=[something]. The “/?s=search-string” at the end of each URL makes a request to the WordPress site to search for a particular query. What the attackers did was to link the random sites to these Korean spam keywords. As mentioned before, the sites were uncompromised and therefore did not return any results for these Korean keywords. However, the “not found” page did contain the keyword, which led to Googlebot ranking the sites for these keywords.

To get a better picture, take a look at the example given below.

A “NOT FOUND” page containing the spam search query

The returned page simply states that the search query was not found. However, it also contains the complete search term with the spam keyword. The page also contains the name of the site gmvcs[.]com, which is being promoted during this spam campaign. A simple Google search for this site can, therefore, reveal millions of indexed pages, whereas in reality none of them contains this term. So this basically pollutes the SERPs of legitimate sites with multiple spam keywords and promoted sites, leading to negative SEO and a nightmare for their webmasters!

Mitigation

NoIndex

To avoid the search result pollution of your website, insert the following tag into your search result page:

<meta name="robots" content="noindex">

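Another alternative is to disallow indexing using the robots.txt file. Simply create a robots.txt file in the root folder and add the following code:

User-agent: *
Noindex: /

This can also be accomplished using WordPress plugins.

Note that Noindex is not part of the robots.txt standard and Google stopped honoring it there in 2019, and that the path / applies to the whole site rather than only to search result pages, so the meta tag above is the dependable option.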
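To verify the mitigation, the added example below (not from the original article) audits a search results response: it checks whether the query is reflected in the page and whether a noindex directive is present in a robots meta tag or an X-Robots-Tag header. The canary string and both HTML samples are constructed for illustration.

```python
from html.parser import HTMLParser

class RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots"> and <meta name="googlebot"> tags."""
    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").lower() in ("robots", "googlebot"):
            self.directives += [d.strip().lower() for d in attr.get("content", "").split(",")]

def audit_search_page(headers, html, canary):
    """Report whether a search results page reflects the query and is noindexed."""
    parser = RobotsMetaParser()
    parser.feed(html)
    header_value = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    # Drop an optional "botname:" prefix, e.g. "googlebot: noindex".
    header_directives = [d.rsplit(":", 1)[-1].strip().lower() for d in header_value.split(",")]
    noindex = "noindex" in parser.directives or "noindex" in header_directives
    reflected = canary.lower() in html.lower()
    return {"reflected": reflected, "noindex": noindex,
            "indexable_reflection": reflected and not noindex}

# Constructed responses for /?s=<canary> on a hypothetical WordPress site.
CANARY = "serp-canary-7f3a"
UNPROTECTED = ("<html><head><title>Search</title></head>"
               f"<body>Nothing found for {CANARY}</body></html>")
PROTECTED = ('<html><head><meta name="robots" content="noindex, follow"></head>'
             f"<body>Nothing found for {CANARY}</body></html>")

if __name__ == "__main__":
    print(audit_search_page({}, UNPROTECTED, CANARY))
    print(audit_search_page({}, PROTECTED, CANARY))
```

An `indexable_reflection` result of true means the page can be indexed with the attacker-chosen term in it, which is the condition the campaign relies on.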

Use Astra for Protection

Astra can detect the loopholes in your site, especially the no-index part in the case of Korean SEO spam. Also, having a complete security solution such as Astra’s can protect your website from such spam in the future. Further, Astra Firewall blocks spam attempts, SQLi, XSS, CSRF, bad bots and a hundred other common attacks on your website. Click here to add Astra’s protection layer on your website now!
