A week after the hijacked search results

About a week ago I wrote a story on how some search results over at Google were really off and actually featuring links to sites that exists only to steal your information and scam you in every other way possible. The story got quite a bit of attention from well known people in the search industry and rightly so. This is a follow up to that story, and a bit of analysis on the effects and what we think is going on.

A recap of what happened

Starting December 1st, we noticed that some of our high volume and high ranking keywords were suddenly significantly down. Some of them were even pushed down to 2nd page, which is basically the place where you put stuff that you want never to be found. So naturally we were curious on what was happening and noticed new sites on the first page. If you want to read all this in more detail, head over to the part one of this story.

The websites on the first page for these specific keywords (free games download etc.) are well known, and there have not been much of changes over a long period of time, excluding the normal movement that always happens. What we found was a bunch of sites that appear normal, but have actually been hacked by someone or a group of people. If you clicked on the link on Google, you were taken to some shady looking site via a couple of redirects. But at the same time if you just copy-pasted the link into your browser, the site appeared normal. This was a clear indicator that something shady was going on.

Obviously we reported the sites to Google webspam team and flagged the ads on the landing page. You might think “Okay, mission accomplished” but nothing could be further from the truth. We noticed that the hackers were after other sites and keywords as well, for example HBO, Nick.com and numerous others were targeted. Below is a short clip on how they used a totally unrelated site to show content from HBO.com.

HBO, Nick, Gametop and others targeted

Nobody is expecting Google to be perfect, but their system is scary good at delivering relevant and high quality results for your queries, most of the time. When it comes to online businesses, a good share of traffic can be attributed to the good old Google search traffic. Of course in the short term you can drive traffic via all kinds of channels, but regular organic search traffic is almost always higher quality, cheaper and converting better. The problem is that it takes time and effort to get your site ranking, let alone on the first page.

Gametop.com has been around for more than a decade, doing the right thing, following the guidelines and in turn has been rewarded with good organic rankings over the years. For sites with high volume, this is really worrying trend, if the search results can be manipulated seemingly so easily. When we started digging around, we saw that HBO.com and Nick.com were targeted as well. And of course, most of our competitors in the casual gaming niche were getting their share as well of the attack.

Here’s a screenshot from Searchmetrics on how Nick.com Ninja Turtles games page got hit hard.

Taken down, one after another

As you might imagine, we have been keeping an eye on this like hawks the past week. We noticed that one by one Google flagged these scraping sites as “hacked” and the last one taken down on the 8th Dec 2015 was www.jamesault.com. We have also observed that once a site gets “taken down” or removed from a particular set of search results by Google, the hackers have managed to raise another site just to replace it.

Some people have suggested that hacked sites are your competition as well, and you should just stop whining if you can’t outrank such sites. But at the same time you can look at the matter from a regular user point of view. If I would be searching for “free downloadable games”, I’m not expecting to be taken to a site that is trying to get my contact details, credit card information, and be covered with ads. That is a poor user experience and a dangerous one at that.

Below is a screen capture from one of the sites the user was taken to after searching for free games. It looks pretty convincing even if you don’t know how to read Russian, but of course their goal is to trick you to click on that green button and send them all your details in the hopes of getting a green card for US.

So far within a week we have seen five domains come and go (flagged as hacked).

  1. Phenixa.com
  2. Rowingbike.com
  3. Teamtalkmedia.com
  4. Ad-tech.co.nz
  5. Jamesault.com

Being flagged as hacked does not remove the site from the Internet or from Google. The site might not be ranking for specific keywords anymore, but the pages are still there. Most likely the site owner has no clue on what’s happening.

Does this look hacked to you?

In my personal opinion, a tiny text “This site may be hacked” below a gigantic page title is not doing much. How about making the “hacked” text big, bold, red and blinking to get the users attention?

For the redirect sites, it seems that the hackers targeted smaller sites that are probably not actively monitoring their traffic nor the sources. If you were to check your web analytics at least once a week, this kind of spike should raise some concerns.

How is this even possible?

With Google having the brightest engineering minds on the planet and a search algorithm that is supposedly capable of self-learning (RankBrain) already, one might ask how this is possible?

Apparently there is a flaw in the system which is being exploited by some hackers. It is common knowledge that the search algorithm consists of hundreds of factors that determine the position or “ranking” of a particular page for different keywords. It is equally well known fact that sites and pages on top positions have a high number of backlinks pointing towards them. According to Searchmetrics, the correlation between high position and number & quality of backlinks is slowly decreasing, but it still remains a hugely important (if not the most) aspect with organic search ranking.

So, how a hacker might get some random page ranking for a competitive term with a site that is totally unrelated to the query? We suspect this is something similar to what we saw a few years back when Google allegedly penalized the SAPE link network. Here is what we think is happening:

  1. Hacker finds a site with some outdated system (server, CMS, plugin, etc.) that gives a backdoor for the intrusion.
  2. Set up the system in such a way that the site keeps serving pages normally, unless the users comes via a particular search query from a search engine
  3. Use something to fool the search engine spider when they come to index the page contents
  4. Create a series of redirects to take the user to a specific landing page (covered in ads or phishing for user information)
  5. Build (buy) a massive amount of links to point towards the hacked domain to increase their authority temporarily.
  6. Wait for Google to pick up the backlink signals and have the page outranking others on the search results.

Obviously we can’t be 100% sure on what’s going on, but this is our current understanding of the situation. Gametop has attracted a good number of backlinks over the years because of the nature of the website. The games are completely free and full versions, so naturally a lot of people might be talking about them on their blogs, on Youtube and so on. To counter the quality and quantity (over 51k from 1.1k domains) of mentions and backlinks, one would require a massive push to get past us, unless there is something else which we don’t know about.

The impact on pages and categories

Typically we would not be sharing exact numbers, but I think in this case, these screenshots from our web analytics are required to highlight the severity of the case.

Our most popular page on the site is http://www.gametop.com/category/downloadable.html which lists every single game on Gametop. This graph shows a fairly steady traffic the week before December and the sudden drop starting Dec 1st. What you see is about 80% drop in sessions.

Another popular page is http://www.gametop.com/category/racing.html which has all the car games listed. This page had about 77% drop in traffic. We suspect this page (or the search results and keywords it is ranking for) was hit already a day or two before December based on the graph.

For a website that partners with Google (Gametop has only ads only from AdSense) this is obviously very stressful. Luckily the site has a lot of ranking pages, and we get traffic from other sources as well. For now, this is not catastrophic, but highlights the fact that this is a deliberate attack on only the high volume pages. In total this results in the loss of about 30–35% of revenue when compared to a period before the attack.

However, other categories such as hidden object games http://www.gametop.com/category/hidden-objects.html were not affected at all.

Results after hacked sites removed

A competitor who has been under a similar attack since mid October reported that their traffic did not come back to “normal”, despite the hacked sites got removed from the Google index and their site appearing on the first page again. For Gametop this is too early to tell yet, but you can be sure we are keeping an eye on the traffic.

Needless to say, this story is still very much evolving and I have a bad feeling there will be a part three coming up in the near future. Until then, I would love to hear your thoughts on this.

edited: Part 3 is already up

Click on the recommend button and share on Twitter if you feel this was valuable information. Add me on Twitter too: @juhakuvaa