Many black hat SEO campaigns use cloaking on hacked sites. Malicious scripts only inject spammy content when search engine crawlers request web pages on compromised sites. This time we came across an unusual cloaking condition.
We’ve been watching one spam campaign that uses php functions with names like __e_accelerate or __e_accelerate_engine for quite a long time. It normally used this cloaking condition:
if ((substr(trim($_SERVER['REMOTE_ADDR']),0,6)=='74.125') || preg_match("/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i", $_SERVER['HTTP_USER_AGENT'])) {...The spam is being injected only if web pages are requested from Google’s IPs (Google has an IP range that begins with ‘74.125’) or if the request’s User-Agent header belongs to crawlers of the most popular search engines: Google, Bing, Yahoo, Ask, etc. This condition is more or less typical to cloaking conditions used by the majority of other black hat SEO campaigns.
To our surprise, recently we found a variation of that e_accelerate malware that had the following cloaking condition:
if (!preg_match("/(ahrefs|majestic|baidu)/i", $_SERVER['HTTP_USER_AGENT'])) {...So now this malware injects spam to requests from both search crawlers and humans. They only hide their spam from Ahrefs.com, Majestic (ex MajesticSEO) and Baidu. The exclusion rules look unusual, don’t they?
Let’s try to figure out what’s going on. When checking the injected spammy text, I can see that it has scripts that make the text invisible in browsers that execute JavaScript (i.e. all modern browsers) so it’s safe to “show” it human visitors.
To understand why they hide their spam from Ahrefs, Majestic and Baidu, we should know what these sites do.
Baidu is the #1 Chinese search engine. By hiding spammy links from Baidu, they prevent them from ranking well in China. So they are simply are not interested in Chinese traffic.
Ahrefs and Majestic are SEO tools that allow to view backlink profiles for any domain. They have their own crawlers, and the volumes of pages indexed by these tools are not much smaller than Google’s index. This means that if we check information for domains used in spammy links, we can easily find hacked sites that link back to them. So the goal of hiding spammy links from Ahrefs and Majestic is preventing easy discovery of the sites hacked by this campaign.
By the way, they currently promote these sites:
- buycialistadalafil[.]org
- buycheapsildenafils[.]com
- writemypaper-online[.]us
- buy-essayforcheap[.]xyz
… and despite of the spammers’ efforts, Majestic has backlink profiles for some of them 😉
This malware can be usually found in WordPress index.php or in Joomla! includes/defines.php files. If you need a professional help with cleanup, you can request it here
Denis Sinegubko
Antony Garand
Luke Leal
Yuliyan Tsvetkov
Krasimir Konov
John Castro