Reporting Suspicious Styles

Back in 2008, the very first task that I created Unmask Parasites for was scanning web pages for hidden links.

I read an article about thousands of WordPress blogs being stuffed with dozens of invisible spammy links. I had a self-hosted WordPress blog too, and that article made me wonder whether there was some easy way to figure out if my blog was hacked, something less laborious than manually examining the HTML code link by link. So I decided to create a tool that would show all domains that my web pages linked to, highlighting those that had “invisible” styles. This approach has proved to be very efficient in identifying black hat SEO hacks. In most cases, a glance is enough to spot such problems.

It works well even when the tool doesn’t highlight links as “hidden” (either because the “hiding rule” was not detected or because it scanned the “cloaked” page created specifically for search engines). You can still see the links that clearly don’t belong to your site, which tells you that something’s wrong.

However, looking for suspicious links is not a bulletproof method for detecting spam injection issues. For example, in yesterday’s post on the Sucuri blog, I wrote about fake WordPress plugins that used to inject spammy links and JavaScript code into web pages. However, at the moment, they inject some hidden spammy auto-generated text that doesn’t have any links.

[Image: spammy block]

You can use this Google query to reveal affected sites: [cigarettes AND (“3200 unhealthy” OR “3300 hazardous”)]

I don’t know why they do it, but webmasters should definitely be warned about such injections because it’s a sign of a problem that should be fixed as soon as possible. This is actually more serious than just a factor that can potentially affect a site’s search ranking. Those fake plugins fetch the spammy content from remote servers and inject it into blog pages on the fly. This means that hackers can change it at any time, and at that same moment the new spammy block will be injected into all compromised sites. Or it can be a malicious block, which makes things more serious as it will affect all visitors to those sites too.

Unfortunately, such injections were not reported by Unmask Parasites since there were no links in the spammy block. After thinking about the problem, I decided that Unmask Parasites should also report pure HTML tricks such as that clip:rect style trick that hackers use to hide their injections.

So, starting this week, you may see the “Suspicious Styles” section in Unmask Parasites reports.

[Image: suspicious style]

In this section, you will see excerpts of the style definitions that Unmask Parasites considers suspicious. If you see it in your site reports, then you should check the HTML code of your pages and figure out whether that style is a normal part of your pages or whether it was added there to hide something illicit.
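One way to implement this kind of check, as an added example (it is not Unmask Parasites' own code): it flags inline clip:rect styles that clip an element down to nothing and reports the text hidden inside, whether or not that text contains links. The function names, the 2px and 40-character thresholds, and the sample markup are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# Heuristics assumed for this example; they are not Unmask Parasites' actual rules.
CLIP_RECT = re.compile(r"clip\s*:\s*rect\(([^)]*)\)", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags that never get an end tag

def clip_hides(css, max_px=2):
    """True if clip:rect(top, right, bottom, left) leaves a box of at most max_px."""
    m = CLIP_RECT.search(css)
    nums = [float(n) for n in re.findall(r"-?\d+(?:\.\d+)?", m.group(1))] if m else []
    return len(nums) == 4 and (nums[1] - nums[3] <= max_px or nums[2] - nums[0] <= max_px)

class HiddenBlockScanner(HTMLParser):
    """Collects the text and link count inside elements hidden by an inline style."""
    def __init__(self):
        super().__init__()
        self.findings, self.depth, self.cur = [], 0, None

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        if self.cur is not None:  # already inside a hidden element
            self.cur["links"] += tag == "a"
            self.depth += tag not in VOID
        elif tag not in VOID and clip_hides(style):
            self.cur = {"style": style[:80], "text": "", "links": int(tag == "a")}
            self.depth = 1

    def handle_endtag(self, tag):
        if self.cur is not None and tag not in VOID:
            self.depth -= 1
            if self.depth == 0:  # hidden element closed: record it
                self.findings.append(self.cur)
                self.cur = None

    def handle_data(self, data):
        if self.cur is not None:  # append, collapsing whitespace
            self.cur["text"] = " ".join((self.cur["text"] + " " + data).split())

def scan(html, min_chars=40):
    """Hidden blocks holding at least min_chars of text, whether or not they link out."""
    parser = HiddenBlockScanner()
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if len(f["text"]) >= min_chars]

# Constructed sample: a legitimate clipped "skip" link, then a clipped link-free text block.
SAMPLE = ('<a style="position:absolute;clip:rect(1px,1px,1px,1px)" href="#c">Skip to content</a>'
          '<div style="position:absolute;clip:rect(1px 1px 1px 1px)">constructed filler '
          'text standing in for auto-generated spam<br>with no links</div>')
```

On the sample, `scan(SAMPLE)` returns only the `div`: the short skip link uses the same clip:rect style, a common accessibility technique, and is filtered out by the text-length threshold rather than by the style itself.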

Note, if you can’t find such code in your web pages, it doesn’t mean it is not there. The code injection can be conditional, and server files may fetch it from a remote location (as in this case with fake WordPress plugins), or it can be encrypted. Just remember that Unmask Parasites works in real time (some results may be cached for up to an hour) and if it reports something, then you can be sure it was on a web page at the moment of scanning.

To Unmask Parasites users

If you like Unmask Parasites and want to help improve it, you can inform me about interesting tricks that hackers use to hide injected content, or send me examples of infected web pages where Unmask Parasites doesn’t report any problems.

