Chinese Doorway Spam

Labs Note

We are seeing an increasing number of hacked sites with Chinese doorways promoting various kinds of fake merchandise (from Louis Vuitton handbags to NFL jerseys and Canada Goose jackets).

These doorways target both Western and Chinese web searches. Here’s how they make sure the doorway correctly preserves Chinese search queries (converting them from UTF-8 to gb2312) when processing the Google search referrer string:

if (empty($_SERVER['HTTP_REFERER'])) {
    $HTTP_Referer = "n";
} else {
    $temp = urldecode($_SERVER['HTTP_REFERER']);
    if (strpos($_SERVER['HTTP_REFERER'], 'ie=utf-8') !== false) {
        $temp = mb_convert_encoding($temp, 'gb2312', 'utf-8'); // utf-8 -> gb2312
    }
    $HTTP_Referer = strtolower($temp);
}

Since Google uses “ie=utf-8” by default for most languages, queries that use non-ASCII characters other than Simplified Chinese will be garbled. Apparently, the attackers are only interested in English and Chinese queries.
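A triage heuristic for the pattern shown above, written as an added example (it is not part of the original note and not taken from any scanner): it flags PHP source that both reads HTTP_REFERER and converts UTF-8 to gb2312 with mb_convert_encoding. The function name find_referer_gb2312 and the two benign samples are constructed for illustration; the doorway sample is the snippet from this note.

```python
import re

# Reads of the Referer header, in either quote style.
REFERER_RE = re.compile(r"""\$_SERVER\s*\[\s*['"]HTTP_REFERER['"]\s*\]""", re.I)
# mb_convert_encoding(<value>, '<to>', '<from>'): capture both encodings.
CONVERT_RE = re.compile(
    r"""mb_convert_encoding\s*\(\s*[^,]+,\s*['"]([\w-]+)['"]\s*,\s*['"]([\w-]+)['"]""",
    re.I,
)

def find_referer_gb2312(php_source):
    """Return line numbers of UTF-8 -> gb2312 conversions in a file that
    also reads HTTP_REFERER. An empty list means no match."""
    if not REFERER_RE.search(php_source):
        return []
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = CONVERT_RE.search(line)
        if m and m.group(1).lower() == "gb2312" and m.group(2).lower() in ("utf-8", "utf8"):
            hits.append(lineno)
    return hits

# Snippet from this note, wrapped in a PHP open tag.
DOORWAY_SAMPLE = r"""<?php
if (empty($_SERVER['HTTP_REFERER'])) {
    $HTTP_Referer = "n";
} else {
    $temp = urldecode($_SERVER['HTTP_REFERER']);
    if (strpos($_SERVER['HTTP_REFERER'], 'ie=utf-8') !== false) {
        $temp = mb_convert_encoding($temp, 'gb2312', 'utf-8'); //utf-8->gb2312
    }
    $HTTP_Referer = strtolower($temp);
}
"""
# Constructed benign samples: each has only one half of the pattern.
BENIGN_LOGGER = r"""<?php
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
error_log('referer=' . $ref);
"""
BENIGN_EXPORT = r"""<?php
$csv = mb_convert_encoding($csv, 'gb2312', 'utf-8');
"""

if __name__ == "__main__":
    for name in ("DOORWAY_SAMPLE", "BENIGN_LOGGER", "BENIGN_EXPORT"):
        print(name, find_referer_gb2312(globals()[name]))
```

A hit is a lead for manual review, not a verdict: legitimate Chinese-language sites may perform the same conversion, and a call whose first argument contains a comma will not match.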
