“Play One” Hidden Style Obfuscation

For many years, spam injections placed inside legitimate pages remain one of the prevalent types of black hat SEO hacks that we clean. Hackers constantly invent new tricks to make spam blocks invisible to human visitors while indexable by search engines.

The simplest trick is to put spam content inside a <div> with the display:none style. This is quite straightforward and easy to detect. A more complex evolution of the same idea is making the <div> invisible at pageload time using a JavaScript code like this:

document.getElementById(‘spam-div-id’),style.display = ‘none’;

It’s still easy to see which <div> is being hidden by the above code. So the next step in the obfuscation was a dynamic generation of the spam div ids inside the code. We described this approach in the “Double Hidden Style” labs note a couple of years ago. Hackers used random “numeric” div ids and mathematical expressions to generate the ids in the code:

<div id="232">...spammy content here...</div>
<script>document.getElementById(116*2).style.display='none';</script>

The code still looks suspicious as it’s clear that it makes something invisible. So hackers improved the obfuscation – in addition to a more complex mathematical expression, now instead of the suspicious “display” and “none” you can only see benign “play” and “one”.

<script>(function(g,h,i,f){i.getElementById(f).style['dis'+g]='n'+h;})('play','one',document,214*102+105);</script>

The script remains short but it’s not that easy to tell what it does when you first see it. However, when you look at it more thoroughly, you can notice that it does exactly the same thing – hides an HTML element with a “numeric” id:

document.getElementById(214*102+105).style[‘display’]=’none’;

This is just one line of the spam-hiding code evolution. There are many other approaches that hackers use to hide spam injections from human visitors and make them look legitimate for search engines. We are here to help you detect them and remove malware from your sites.