First of 2 parts
MANILA, Philippines – What if someone asks you to pay them $36 (P2,058)* to remove unwanted backlinks from their website to yours that you didn’t ask for in the first place?
For the average Internet user, the idea of charging for the removal of bad backlinks may seem absurd. In the evil world of black hat search engine optimization (SEO) operators, however, it makes perfect sense because there is a market out there that can be exploited. Moreover, it is a potentially lucrative business.
At the end of July 2022, we discovered that Rappler, ABS-CBN, Philstar, among others, were heavily spammed by thousands of dubious websites that an SEO monitoring tool described as “potential link networks”. This made stories from these sites less visible in search results.
While being linked to generally beneficial websites, having many backlinks from toxic and spammy sites is a whole different story. Search engine giant Google, which uses backlinks as one of many signals to determine the relevance and importance of specific online content, has struggled with manipulative link building schemes for years.
Very recently, a Google search expert has already confirmed that in cases where there is a clear pattern of spammy and manipulative links by the site, their search algorithm may decide to just distrust the entire site.
If left unchecked, these spammy backlinks could reduce traffic to affected sites, something news websites that rely on traffic from search results can’t afford to ignore. Rappler discovered the problem after seeing a sharp drop in traffic from search results in July.
A Negative SEO Extortion System
To combat spam attacks, we partnered with Swedish digital forensics group, Qurium Media, who we had previously worked with when Rappler and other Filipino newsgroups faced an increase in denial of service attacks. distributed (DDoS) before the May 2022 elections. (Qurium’s survey can be found here)
We analyzed data on backlinks to Rappler and other news sites, collected more information, and identified patterns that could lead us to potential culprits. Our in-depth analysis drew our attention to a Swedish SEO operator’s online extortion scheme.
The black hat operator charges $3 (P171.55) per month or $36 (P2,058) per year for each link a user adds to their site. Dear, right? But not as expensive if you compare it to the price of removing unwanted backlinks: a whopping $36.
If you factor in these prizes and the number of backlinks targeting the three Filipino news websites, the potential windfall could range from hundreds of thousands of dollars to over a million dollars.
This assumes that the victimized news websites here could afford this hefty price tag.
The monitoring tool flagged tens of thousands of websites linking to Rappler and other news sites with markers indicating that they are part of “potential link networks:” These have either the same IP address, same URL path, page titles, root subdomains, Google Analytics and/or Adsense IDs. Thousands have also been flagged as mirror pages, meaning the websites are imitators of others within the network.
Identification of spammers
The tool did not give us specific credentials. Thus, we collected additional data to see if there are indeed links between the websites. This included historical domain registration information, IP addresses, as well as identifiers such as Adsense and Analytics IDs.
An IP address stands for “internet protocol address,” a series of numbers that identifies any device, such as hardware that holds a website, on a network. Human users now typically use domains or URLs (such as www.rappler.com) to access websites because it’s easier for us to remember strings of text than a series of numbers. But IP addresses are still used for computer-to-computer communications on the Internet as well as other networks.
Although this is not always the case, websites that have the same IP address could potentially be managed or belong to the same group.
The other data points we collected are tracers that can be found on the code of websites. For example, the Google Adsense tracking code can be found on sites that use Google’s web monetization service to enable display advertising. On the other hand, the Google Analytics code allows website administrators and owners to track website traffic.
Finding similar tracking codes in a group of websites usually indicates that they have the same website administrators or owners. To get the tracking codes, we had to extract them from the code of the websites flagged by the SEO monitoring tool.
Combined, the above information could help identify groups of sites that may have the same owners or administrators. The network graph below visualizes these clusters. (Due to the amount of rendered data, loading the full visualization may take a minute or two.)
Some of the big clusters in the network map are sites and apps created through services like Blogspot, Firebase, Netlify, Typepad, Weebly, Appspot, Booklikes. These sites are hosted on the same service, which means they have the same IP address.
Because they are free services or have free tiers, these services are often exploited by black hats in link building schemes.
However, being hosted on these sites does not necessarily make the sites suspicious. What’s other indicators: many of these are direct links or directly embed images or assets from news websites, abusive behavior. Many also use content that is either copied from other sites or clearly created using automated content generation tools.
Unfortunately, like Facebook and other social media accounts, it is very difficult to trace the real owner of these sites. It should be noted, however, that the websites of these large clusters are linked to other clusters with trackable identifiers.
Stalking a black hat
The next group that stood out was a group of sites that shared the same title: “The Globe – The World’s Most Visited Web Pages”. The cluster was particularly interesting because, of the websites flagged, the tool categorized these sites as either highly toxic or likely part of link-building programs.
The search monitoring tool revealed hundreds of similarly laid out websites with the same browser title. These websites not only targeted Rappler, but also ABS-CBN News and Philstar websites.
Random checks of websites in this group showed that the sites were almost uniform in terms of appearance and content – consisting of a logo with the image of the globe and an invitation to visitors to add their web pages and products to the Globe website. Other than that, websites usually have a long list of links to various websites.
Further checks showed that most of these sites linked or redirected to the website http://theglobe(dot)se
Working with Qurium Media, Rappler found that this group of sites didn’t just share the same titles or look and feel. More than a hundred sites with these characteristics, which were linked to Rappler, shared the same IP address (188.8.131.52), which means that they were hosted on the same device.
How does a network of websites with very little informational value to end users and no visible advertising profit from repeated links to other websites?
This is where the backlinking extortion scheme comes in. If you go to http://theglobe(dot)se/, you will find a hyperlink with this text: “lagg till lankar” (in Swedish to “add links”). Clicking on this link takes you to a web page that charges $3 per month or $36 per year for each link added to the site.
In total, more than 500 websites, including hundreds of sites that spammed Rappler, ABS-CBN and Philstar, are hosted on this IP address.
Some of the domains for these sites were privately registered, which means that the person or entity that registered the domain has been removed from the records.
However, at least one site had a publicly visible holder as of December 2021: an individual named Richard Genmar whose listed address is in Stockholm, Sweden. The domain is the-search-engine(dot)net, a website that targeted both Rappler and Philstar.
In April 2022, the registration of the holder of this website was deleted from the domain registration records. But it is highly likely that the owner and nature of the website has not changed, as a snapshot we found of the site on the Wayback Machine showed that the appearance of the website in December 2021 was the same as it is today. today.
We researched other general information about Richard Genmar online. His name, Jan Richard Genmar, also appears as the owner of “The Globe” trademark, the logo featured on websites hosted at IP address: 184.108.40.206.
In a government list of companies operating in the UK, Genmar’s name also appears as a director of The Globe, Int. LTD. The UK government’s file indicates that he is Swedish, but this could not be independently verified. The website itself has a disclaimer that says, “Companies House does not verify the accuracy of any information filed.”
We dug deeper into the IP address 220.127.116.11 and discovered that this device is on the server infrastructure of Telia Company AB, a Swedish multinational telecommunications company and mobile network operator with operations in Sweden, Finland, Norway, Denmark, Lithuania, Latvia and Estonia.
This specific IP address had previously been flagged for abuse in connection with web spam. – with Bingbong Recto and Ogoy San Juan/Rappler.com
(To be concluded. Part 2 discusses the business side of a negative SEO operation and how it works. It also explores options for affected site owners.)
*Conversion rate: $1 = P57.18