Hiding in the Shadows of Penguin
Let me start out this post by saying that I am about to describe what I believe to be a case study in negative SEO. However I don’t have the “proof in the pudding,” “the smoking gun.” In other words I can’t tie the activity I’m about to describe to a perp (crime show talk for a “perpetrator”). This is precisely the world Google ushered in with Penguin and its penchant not merely for neutralizing link spam, but actively penalizing it. It’s a world made possible by Google’s black box decision-making process, the clever villainy of technically savvy and mercilessly opportunistic scumbags, and the apathy of people who create safe havens for them to operate (Google appears to be one of those as well).
Nevertheless, read the post and see if my conclusions are reasonable. If they aren’t, tell me why not. On the other hand, if you agree with me, agree to rant and rail against Google’s wrongheaded practice of penalizing bad links with no effort to determine the reasons they were created.
A word of caution is in order. This article is intended for SEO professionals at the intermediate to advanced level of their profession, and therefore I don’t take time to explain a lot of the basics. However if you are interested in studying a very interesting case, regardless of your experience with SEO, it might be worth reading it just to get a feel for the topic.
The Unlucky Target
The website that is being targeted belongs to one of my clients and offers workplace training in person or online. For the online training they are, in essence, an affiliate marketer, although they don’t fit the classic affiliate marketer profile. In the first place, they are bona fide experts in the field where they are offering training. They don’t seek opportunities to market just anything, but focus on training they know about and provide in person. The competition in their space is fierce. And a lot of it is spammy, even in this post-Panda, post-Penguin, post-Pirate, post-Payday-loans, post-Pigeon age (Hummigbird doesn’t really evoke a Penalty, so I guess that’s why the name of that update doesn’t start with a P – yet I digress).
This client has been hit several times by Penguin updates. They really did have a spammy back link profile, dating back years and built by a previous owner of the company. As their SEO consultants, hired after the fact, we’ve invested countless hours identifying spammy links, requesting removals, and updating their disavows. At first it was working. At least until October 17th 2014 and the release of Penguin 3.0. Here’s what happened then:
Seeing this site get slammed in October of 2014 was particularly heartbreaking since the client had invested tens of thousands of dollars in trying to comply with Google’s new age of reason. We determined that there must still be a problem in the backlink profile of the site and began taking yet another look at the site.
The Evidence Was Planted With Care, But it Was a Frame Job
If you run a cursory check on Majestic.com for domains linking to this site, you’ll see a lot of suspicious stuff like this:
Notice the referring domains indicated above in the green outline. When we first investigated these domains last year we found that they all had a common trait: they had been virtually abandoned by their owners, and they had been hacked. They also had a common manner of linking to my client’s website, which I describe below when I talk about the “Last Man Standing.”
Of the 5 top offenders shown in the screen shot, as of this writing 4 are effectively off line, taken down by their site owners, but the all time top offender, coopercomputers.com, is still up and running. Let’s take a look at how this game is played.
Last Man Standing
The last online site showing tens of thousands of backlinks to my client’s website is coopercomputers.com. If you go to the site, it looks like your typical abandoned website: broken images, text bragging about having a fax line…this is old stuff. They even offer to create presentations by “VCR Tape.” Exciting back then, now not so much.
Digging Beneath the Surface: Source Code to the Rescue
So I examine the home page for a link to my client’s site, but nothing comes up. Nothing shows in the source code either. But obviously Majestic is picking up on tens of thousands of links, so I do a site: search using Google to see other pages Google might have crawled, and here is what I get:
There’s something here that obviously doesn’t match the profile of a small time computer guy’s website. Let’s pick one of these pages and see what we get. And here’s the top of the page. Oh yeah, this is classy stuff alright:
Again, you won’t find a link to any websites obviously present on this page. For that you’ll have to look at the source code of the page. So do a quick Ctrl+U (on a PC) and we’ll say a dense mass of hidden text, with link after spammy link embedded in it. Note the highlighted portion. Except for obscuring my client’s identity for obvious reasons, you’ll see that I finally have located their link.
This exact method is used to embed links on thousands and thousands of pages residing in their slimy glory on the CooperComputers.com website.
Commercial Link Text That’s Almost Comical
My client has never sold anything that could be monetized by “legoland logo florida,” but doesn’t it sound nicely like commercial anchor text. These links were never created by the owner of the website they are pointed at, nor by any SEO consultant they have ever hired. Additionally, note the href attribute in the html. It points to a page that has never existing and which never would because it’s in the /wp-admin/ folder of the site. This folder is never used for public web pages, and in fact by default it is excluded from the Google index in WordPress installations with a disallow statement in the robots.txt. This would be crazy behavior if it was a legitimate link spammer (did I just combine “legitimate” with “link spammer”? Yikes!)
Here’s a list of the commercial-sounding anchor text this domain has used to point thousands of links to non-existent pages on my client’s site:
- Amber Rose and Kanye West kissing
- Benelli Nova shotguns for sale
- Moshi monsters Katsuma purple
- Countdown girl Rachel Riley
- Flamenco origins
- God of war 3 ps2 download
- Simple basketball court layout
- And more
It’s time to start speculating about why these links exist on ComputerComputers.com by the tens of thousands.
Can it be that the site owner created them on their own? Well, if they did, what would be the motive? None of these links generate revenue. In the case of links pointed at my client’s domain, they point to a non-existent page in a directory that’s not even crawled.
Can it be that my client had a former SEO firm that created these links? If so, what would be the motive of that firm? (Let me add an additional detail: thousands of new links at this domain are being discovered every month by Majestic, so this is not something that only happened in the past, it’s ongoing, and my client doesn’t have any other SEO consultants working for them.)
Can it be a random programming act? Anyone who’s done programming will tell you that this is unreasonable.
What are we left with? Well, notice how the links bear a resemblance to a link spam network. Here are the characteristics:
- Commercial sounding anchor text (as seen from the examples above)
- Extensive repetition of anchor text thousands of times
- Link velocity (rate at which links are created) artificially high and disproportionate to site activity
- Hidden text
- Blocks of links, as if the site were selling links to any and all bidders
So this bears a resemblance to link spam, but at the same time by targeting non-existent pages in the wp-admin directory, perhaps an effort to disguise the links (although I’m a bit fuzzy on how this would disguise the links from site webmasters – and if you have any ideas on this last peace of the puzzle, please tell me in the comments below).
Could it be that someone hacked into a seemingly abandoned site in order to create the appearance of link spam targeted at sites such as my clients? And paid for by their competitors to damage them in search? Does this type of thing really happen? If you want to see a hard example of a company offering to create just such links to destroy company’s, reference this recent blog post on the SEW blog by Marcela de Vivo with a screen capture of just such a solicitation.
Checking for Signs of Malicious Hackers
So let’s look for the smoking gun. I often will run a page through sitecheck.sucuri.net if I suspect that a site has been cracked, and so I ran the home page of CooperComputers.com through Sucuri Guess what! It came back clean (see below).
The thing is, these villains don’t really want to have their work discovered. They know that most people will just check the home page of a site and if it’s clean, they will decide the whole site is clean. Having discovered this, often hackers will leave the home page alone and go for the interior pages. Therefore I decided to run some interior pages of CooperComputers.com through Sucuri. Hot dog, but we have an immediate winner.
The first interior page I ran through Sucuri came back with exactly what I was looking for: signs of a hacker. Sucuri was even good enough to identify it as “SEO Spam.”
Is this harming my clients in search? I think there’s a strong possibility it is. Naturally we have disavowed the whole coopercomputers.com domain, however might it be that Google doesn’t care? Also might it be that Google, in seeing that links are still being created by the hundreds, is willing to disregard the disavow because it seems to be ongoing link spam activity? We might never know the answer because Google keeps its link spam logic in a tightly guarded black box (don’t get me going on the insanity of this).
Apathy Becomes the Main Obstacle to a Clean Up
I have contacted the owner of the website that has been hacked, who seems to be an older gentleman who is convinced that all of my crazy talk of negative SEO (even though I’ve described it like he was 5 years old) is designed to con him out of his last dollar.
The site is hosted by Network Solutions and I’ve reported this whole issue to their abuse@ email as hacked, but good old Network Solutions support, always eager for one less thing to do, ran a Sucuri check on the home page (as I also did, you’ll recall), and told me the site is clean. A clear reply with links and screen captures proving that this is not the case has so far been completely ignored.
If I don’t go completely crazy with this, I will modify this post with updates about our efforts to clean up this site. Let me know in the comments if you’ve seen similar activity and agree with my conclusions. If you disagree with my conclusions, feel free to tell me that as well, although please, keep things civil, shall we?
In the meantime, my client has lost half their business and fallen into red ink. They might have to close their doors as result of this, so take this lesson very, very seriously (Hey, Googlers, is anyone listening??).
I hope by the time you read this we’ve convinced the owner of the site to take it down or clean it up, however even if they do I’ll leave this post in place in case it’s helpful to someone else encountering the same shadowy pattern.