Google -> Doorway -> Google -> Spam

Just a few thoughts about an interesting behavior of a black-hat SEO doorway.

Typically, hackers create doorways on compromised sites to make search engines rank them for certain keywords and then, when searchers click on the links in search results, those doorways redirect them further to a site that hackers really promote. Sometimes that redirect may go through some TDS (traffic directing service), but the whole scheme remains pretty much the same:

Search results -> doorway -> beneficiary site

Today, when doing backlink research on one such pharma doorway, I encountered a different scheme: one with a loop.

The doorway had this URL structure:

When I checked it in Unmask Parasites or in Google cache, I saw spammy content with links to doorways on other hacked sites. Quite typical.

When I opened that page in a web browser, it redirected to a TDS:

hxxp://bh2r3gof .biz/sutra/in.cgi?5&from=90dc16aaf3e24ea68c94c3f784a37ff9&gdw=w-48&gdf=%2F90dc16aaf3e24ea68c94c3f784a37ff9-f08f149982bf04ffaa308aba00b2d569.txt&

Cloaking and conditional redirects to traffic directing services are also quite typical for doorways.

Then TDS made another hop:

hxxp://bh2r3gof .biz/sutra/in.cgi?5&from=90dc16aaf3e24ea68c94c3f784a37ff9&seoref=8bB06MP5xFTR3TkqmNILbbW5mW30f%2B%2FMiQdbatwxiv5CUUTkQjEO75VtTs7IRqdVTmPfmX……..2FIXHlBdqV6iDd1ruYQMhqmYVCozdkTrAN76fOABicz

And then I ended up on … Google:

Google results for prednisolone without prescription

And that is not very typical. But interesting.

On one hand, it looks like the spammers didn’t consider me target traffic (probably because of my IP) and redirected me back to the Google search results page for the same query that I was supposed to have used when I found that site. For some, this chain of redirects may look as if they clicked on a search result and then Google thought for some time and reloaded the same page, which may look like just a glitch.

On the other hand, it looks like a second level of search engine optimization, when spammers fine-tune a search query that may return better doorways. I can’t help thinking about this because when I see the search results on Google pages that the TDS redirects me to, I realize that most of them are doorways on hacked sites (yes, including those with fake stars in ratings).

Google search results for prednisolone australia

I know, it’s quite pointless. Why redirect people who already clicked on your doorway to a new set of search results? Although those results may contain some of your other doorways, there is no guarantee that the searcher will not go away, or will click on them and not on your competitors’ links. And you can’t control Google search results; it may happen that none of your doorways will be on the results page.

OK. Let’s try to think like the TDS owners. The TDS recognizes the traffic that it doesn’t need for the pharma campaign. It may:

  1. redirect it to pharma landing pages anyway (which may decrease the quality and the price of such traffic)
  2. dispose of that traffic altogether (redirect it to a neutral third-party site, like Google)
  3. try to monetize that traffic anyway — redirect it to some scam site, porn site, malware site or any other resource that knows how to take advantage of low quality traffic.

<warning:unfounded speculation>

But what if the spammers also run another campaign that targets the traffic that doesn’t fit their pharma campaign? They can simply redirect the traffic to landing pages of the second campaign. But such traffic will not be targeted. People searched for different things. So maybe it is worth it to “re-target” the traffic and redirect the searchers to a Google result page for keywords relevant to that second campaign and that contains links to their doorways.

Here’s the scenario:
People search for something on Google and click on some result. For some reason Google reloads the page and shows them completely different results for a different query. Some searchers will definitely leave (don’t worry, this was unwanted traffic anyway) but some may become interested in what Google offers them and click on results (after all, spammers usually promote something that people need, and if it comes from Google it looks more legit). So, instead of either lost or untargeted traffic, they get targeted traffic of people who willingly clicked on search results. All they need to do is make sure their doorways dominate for relevant search queries (shouldn’t be hard since the TDS provides the search query itself and there is no need to rank for short generic queries).

</warning:unfounded speculation>

OK, enough speculation. That particular campaign was not using the second level Google optimization. It simply dumped unneeded traffic back to Google. When opening the same doorways from different country IPs, the TDS redirected me to a random “Canadian Pharmacy” site from its pool of about a dozen sites.

Anyway, the point of this post is that, despite Matt Cutts’ recent announcement of rolling out the second ranking update for “very spammy queries”, I still see that 50% or more of top search results for pharma keywords point to doorways on hacked sites.
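For anyone logging redirect chains while investigating doorways, the three outcomes discussed above can be told apart mechanically. The following is an added example, not code from the original post: it classifies a recorded chain as dumped back to the same search, re-targeted to a different search, or sent to an external landing page. The host names, parameter values and function names are constructed placeholders, and the TDS check is only a heuristic based on the `in.cgi?...&from=` URLs quoted above.

```python
from urllib.parse import urlsplit, parse_qs

SEARCH_HOSTS = {"www.google.com", "google.com"}  # assumption: only Google is checked

def search_query(url):
    """Return the normalized q= term if url is a Google results page, else None."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS or parts.path != "/search":
        return None
    q = parse_qs(parts.query).get("q", [""])[0]
    return " ".join(q.lower().split())

def looks_like_tds(url):
    """Heuristic taken from the TDS URLs quoted in the post: in.cgi with from=."""
    parts = urlsplit(url)
    return parts.path.endswith("/in.cgi") and "from" in parse_qs(parts.query)

def classify_chain(referrer, hops):
    """referrer: results page the click came from; hops: URLs visited, in order."""
    if not hops:
        raise ValueError("empty redirect chain")
    original, final = search_query(referrer), search_query(hops[-1])
    if final is None:
        outcome = "external_landing"        # traffic the TDS kept
    elif final == original:
        outcome = "dumped_back_to_search"   # the loop described in the post
    else:
        outcome = "retargeted_search"       # the speculative second-level scheme
    return {"outcome": outcome,
            "tds_hops": sum(looks_like_tds(h) for h in hops[:-1]),
            "original_query": original, "final_query": final}

# Constructed sample chains (hosts and parameter values are placeholders).
REFERRER = "https://www.google.com/search?q=prednisolone+without+prescription"
DOORWAY = "http://hacked-site.example/doorway-page"
TDS = "http://tds.example/sutra/in.cgi?5&from=0123abcd"
CHAINS = {
    "loop": [DOORWAY, TDS, TDS + "&seoref=xyz", REFERRER],
    "retarget": [DOORWAY, TDS, "https://www.google.com/search?q=prednisolone+australia"],
    "landing": [DOORWAY, TDS, "http://pharmacy.example/"],
}

if __name__ == "__main__":
    for name, hops in CHAINS.items():
        print(name, classify_chain(REFERRER, hops))
```
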

And as long as “very spammy queries” return “very spammy results”, there will be incentive for black hat SEOs to hack sites and create doorways there.
