Investigating the negative SEO threat

2 years ago
Eric Vanderburg

I was talking to Mark Schaefer and he said that SEO content today is about insight rather than quality.  This reminded me of a case I worked on. As many of you know, one of the many hats I wear is that of a cybersecurity private investigator. A client called me to report that his website was no longer showing up in Google search results. The cause became apparent shortly after I started investigating. Someone had built hundreds of websites that listed their key search terms frequently. Not only did these sites rank higher than my client’s site, but they also warned users that my client’s site was allegedly defrauding its customers. We were dealing with a negative SEO threat.

The world of Search Engine Optimization (SEO) is one where the rules are constantly changing. The big search providers change their criteria for ranking sites and then individuals who understand SEO, modify web pages and processes for promoting their sites, so these sites can appear in more search results and gain more business. Overall, the process is a positive one, resulting in better search results and more refined websites. However, some SEO tactics are not so benign.

For example, search engines used to rank sites based on how many times their site was linked to by other sites. In response to this, some companies created many bogus sites with links back to their site to influence their search rank. Much of the blog spam that contains embedded links utilizes this SEO tactic and the end result was an SEO bubble of sorts where some site ranks were greatly inflated. Search users had to wade through too much garbage to find real content so the search providers changed their strategy to assign a quality ranking to inbound links. Sites were penalized if much low quality links referenced their site in an effort to discourage their use but this also less idealistic individuals the tools to attack others using by performing actions that penalize competitors or other targets.

Negative SEO techniques are being used on targets such as competitors or those with opposing viewpoints to lower their search rankings and diminish their web presence. In my client’s case, the pages the sites mentioned his brand, also mentioned other company brands in other areas on their sites, implying a negative SEO service for hire. Research on the sites themselves was inconclusive as the sites were hosted at various locations around the world with fake contact information.

The first step in combatting negative SEO attacks using inbound links is the disavow tool. However, these sites did not link back to the official company site so a different tactic was required. The sites that listed the client also listed other companies, so I researched them to try to find a common thread. Unfortunately, no common element was found which led further credibility to the theory that this was done through a service. I contacted some of the companies and asked whether they conducted an investigation and whether they would be willing to share information but found that an investigation was not performed or they were not willing to share information.

Our next course of action was to perform more active probes. I set up accounts at various service broker sites, which I like to call “micro-outsourcing” sites, such as Fiverr, Gigbucks, Tenbux, and others. I then searched for SEO related services and purchased services where the description implied that black hat techniques might be used. I created several test sites and monitored search results for the sites to see where the traffic was coming from.

I eventually saw activity from a few of the sites that were initially used on our client so I traced the key term back to the transaction and worked with the micro-outsourcing vendor to identify the user and IP addresses used to log on. I then coordinated with local law enforcement in that country to prosecute the individual and also to obtain information on the entity that contracted the work against our client.

In the end, the lesson learned was that companies need to pay attention to their SEO, but also to potential negative SEO campaigns and know the tools and companies to work with if they are targeted for such an attack.

Information in this blog post was intentionally vague and some facts were changed to protect the identity of those involved.