Hiding Links Behind Punctuation Marks

In black hat SEO schemes, some links don’t have to have descriptive anchor keywords. For example, if their only purpose is help search engine crawlers discover newly created doorways. But even in such cases, the links should be hidden from webmasters of the hacked sites where they are placed on.

Recently, our malware analyst 12 notified the labs about an increased number of cases of database spam infections where (mostly) pharma links were injected inside the legit blog posts. What’s interesting about those infections is how hackers make the links invisible. In this case, they didn’t add any invisible blocks, didn’t add any additional text at all. They just made links out of some parts of existing blog content. Of course they realized that underlines and changing mouse would reveal that some words unexpectedly became clickable. To minimize the exposure, hackers 1). used the text-decoration:none style to get rid of underlines, 2). used the text parts with smallest footprints – periods at the end of sentences.

... some legitimate text<a style="text-decoration:none" href="/index.php?w=coversyl-online-bestellen-legal">.</a>

Such links are virtually invisible to human visitors and at the same time when search engines crawl the compromised sites, they discover links to spammy doorways (e.g http://infectedwebsite .com/index.php?w=coversyl-online-bestellen-legal in this particular case).

This trick is smart but it may only fool people who rely on visual web page inspection only. To security scanners like SiteCheck or Unmask Parasites such period-links are as visible as any other types of links so the infection gets easily detected.