Posted on March 7th, 2016
Well we weren’t hacked directly, it was “indirectly”. If you own or manage websites, this could happen to you so listen up…
Let me tell you, out of my entire life online (and offline).. I’ve seen and done it all. I’ve designed over 200 websites, I’ve tirelessly studied search engines/robots, I’ve seen some outrageous hacks and have pulled off quite a few myself. But this is FASCINATING…
How is the internet search giant Google allowing themselves to be exploited like this? They are supposed to have the brightest engineers in the world on board.
We can be in control of over 50 .com’s at any given time that obtain a ton of traffic. Millions and millions of visitors/hits every month across multiple websites. Obviously, anyone would love to steal our traffic and send it to their own website, right? #duh
So these hackers that are out of Poland, and maybe some other countries by now, are hacking the Google search engine results. YES, Google’s search results.. the internet’s GIANT search engine. You’re like WTF, right? So let me explain further…
Let’s say you have a huge brand name for a product called “My Product Trumps All”. Naturally when a web user goes to Google and completes a search query for “My Product Trumps All”, the #1 result should be your website (unless you and your webmaster are clueless).
So now, the #1 search result at Google (which is a link to your website), when clicked on, links to a bunch of spammy pornographic content on some OTHER website.
Let me tell you that if you’re doing thousands (or millions) of dollars in business and you’ve realized this has happened, you’re bound to lose control of yourself. Your first thought is going to be… “WOW WTF! My customers are searching for my brand name at Google and the resulting link is taking them to a porno website!” Even more dangerous is if you aren’t constantly keeping an eye out for these things, weeks or months could go by and you wouldn’t even realize this has happened! Imagine how costly that would be to your business…
No, this is not happening at BING and other search engines. Now let’s get a bit more technical as to the how’s and why’s…
These hackers (if you will) went ahead and hacked the shit out of this weak Joomla website in Iceland. The site was about some tours you can sign up for in Iceland. Anyways, hackers tend to target/hack these Joomla platform websites because they’re weak and exploitable. They’re shitty un-secure web content management systems (like WordPress). I’ve designed over 200 websites and I’d NEVER use a Joomla platform, I’d opt for WordPress I suppose.
So now these hackers have control over this lady’s website in Iceland, and she is completely CLUELESS. I called and emailed her to advise her that her website was hacked. She’s like, “OH OK, COOL”, and did nothing…
Now these hackers scraped content from 2 of our websites (stole the text, photos, videos, etc) and put all of our content on the lady’s website that was compromised. Once that was done, they exploited Google’s search engine robot (aka the “googlebot”) into thinking that the hacked website was the real genuine brand site. As a result of this, Google had de-indexed our home/index page and replaced it with the compromised site’s page. Subsequently when you click on the google search result, the page would link to some pornographic content. It is always a sub-domain of the hacked website. This way the site’s owner doesn’t even know their website has been hacked as everything looks normal on the “front end”. They’re dumping all this spammy content in sub-directories off the root. These hackers were getting money per click via some spammy pornographic affiliate program LOL (I’m glad I can laugh about all of this).
Also you should know- when you looked at a “cached” version of the google search result, it did indeed show our correct authentic webpage. In all of our cases, the website that was hacked was always running on a Joomla platform. Furthermore if you did a google query for the hacked domain, Google would even recognize this site as malicious and advise “this site may be hacked”. Yet they’re still allowing the results to display for other search terms.
Here are the steps we took to correct this:
1. We notified the hacked website’s owner via telephone and email that their website has been compromised. We sent some examples proving such (screen shots, google search query results, etc).
2. We then determined who is hosting the hacked website and advised their “abuse” department that the site has been compromised. The host should normally shut the site down and take it offline until it gets its issues resolved. We also sent some examples proving such (screen shots, google search query results, etc).
3. Now, in between <head> and </head> of the document, we added a base href tag or a canonical tag to the index page (1 tag or the other – this may or may not help). This tells browsers (and crawlers) to resolve any relative links against your own domain. For example:
<base href="http://www.YourDomain.com/" />
OR a canonical tag
<link rel="canonical" href="http://www.YourDomain.com/" />
4. We then determined the IP of the hacked website via ping, tracert, etc. in Command Prompt. Then we went into the .htaccess file and blocked the IP/domain. For example:
————————
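RewriteEngine on
# Options +FollowSymlinks
# Refuse any request whose referer is the hacked domain
RewriteCond %{HTTP_REFERER} TheHackedDomain\.com [NC]
RewriteRule .* - [F]
# and then: deny the hacked site's IP (replace 0.0.0.0 with the domain's IP).
# With Allow,Deny the Deny line is evaluated last, so it is not overridden.
Order Allow,Deny
Allow from all
Deny from 0.0.0.0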
————————
5. We then reported the compromised site to the google web spam department via their contact form here.
6. Now, we confirmed that the compromised domain was indeed linking to us via google webmaster tools by downloading the latest links. We then went ahead and submitted a disavow file via google webmaster tools to disavow this link at the domain level.
7. We now went back to google webmaster tools and did a “fetch and render” of the home/index page. Once this was completed, we submitted the page to the index. This should force the googlebot to return to our website and get a fresh snapshot of the page.
8. Lastly we tweeted and emailed everyone at google we could to beg for assistance. This included the head of the web spam team, the CEO and a few others.
9. We are now noticing that all of these hacked websites are on Joomla platforms. We’ve gone ahead and notified Joomla’s abuse department with details and a link to this thread.
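The domain-level disavow from step 6, as an added example that is not part of the original post: it reads a list of linking URLs and writes `domain:` entries for every link that sits on the hacked domain or any of its sub-domains. The one-URL-per-line input layout and the function names are assumptions; TheHackedDomain.com is the post's own placeholder and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: linking URLs, one per line (assumed export layout).
SAMPLE_LINKS = """\
http://shop.thehackeddomain.com/my-product-trumps-all/
http://THEHACKEDDOMAIN.com/tours/index.php
http://news.example.org/review-of-my-product
http://nothehackeddomain.com/page
not a url
"""

def host_of(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def under_domain(host, domain):
    """True if host is the domain itself or any sub-domain of it."""
    domain = domain.lower()
    # The leading dot stops look-alike names such as nothehackeddomain.com.
    return host == domain or host.endswith("." + domain)

def build_disavow(links_text, compromised_domains):
    """Return (disavow_file_text, matched_urls) for the compromised domains."""
    matched, hit_domains = [], set()
    for line in links_text.splitlines():
        host = host_of(line)
        if host is None:
            continue  # blank or malformed line in the export
        for dom in compromised_domains:
            if under_domain(host, dom):
                matched.append(line.strip())
                hit_domains.add(dom.lower())
                break
    # Disavow file format: '#' comment lines and one 'domain:' entry per domain.
    lines = ["# Compromised sites hosting scraped copies of our pages"]
    lines += ["domain:" + d for d in sorted(hit_domains)]
    return "\n".join(lines) + "\n", matched

if __name__ == "__main__":
    text, urls = build_disavow(SAMPLE_LINKS, ["TheHackedDomain.com"])
    print(text, end="")
    print(len(urls), "linking URLs covered")
```

The matched URLs are returned alongside the file text so they can be attached as evidence to the abuse and web spam reports from steps 2 and 5.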
As we were thoroughly researching this, we’ve learned that this has been going on for years (off and on). It seems to mostly be referred to as “proxy hijacking” and has been primarily happening overseas (non-usa). I don’t believe this has happened much for the USA search results, until now. I guess it has finally arrived.
Hopefully Google can plug this hole soon (ONCE AND FOR ALL), as this is disastrous. They’ve obviously been a complete failure at combating this issue as it is STILL HAPPENING. If this information only helps one of you, then good! It was all worth the effort putting this together for you…
Here are some other informative threads we’ve come across while researching all of this. Barry Schwartz is writing all about this here:
His original article dated 02/08/16: here.
His second follow-up article dated 03/01/16: here.
Webmaster World Thread: here.
If you have any help, additional feedback, or simply would like to contribute to this topic- please comment, share, send us a message, etc.. We will append to this post accordingly…
Regards,
Exe Productions
this should be useful for future reference, thank you!
This is happening to us right now! Thank you for the help..
-Mogul Media
Not only Joomla websites are hacked by this method. Compromised are also pages on WordPress with TinyMCE plugin.
Super informative writing; keep it up.
Hi
unreal this is happening to us right now =( thx for the info!