
We Got Hacked, Here's What We Found - kurtvarner
http://thenextweb.com/insider/2012/04/05/we-got-hacked-for-seo-as-did-other-major-technology-sites/
======
DanielBMarkham
Wow. SEO hacking. Very scary stuff, and if he hadn't been greedy, sounds like
he would have gotten away with it.

SEO continues to both amaze and frustrate me. The more money that gets traded
hands based on search, the more brutal and intricate the cheaters are going to
become. A lot of the black hat stuff we see now is heavy-handed bullshit, but
something like this, if done very carefully, would both be extremely difficult
to detect and very lucrative. The canonical thing is smart as hell. You could
make that change and, unless site owners specifically went looking for it,
nobody would ever see. I could imagine hackers breaking into dozens or
hundreds of domains and then auctioning off a very small number of SEO links.
This would provide the maximum value for the minimal footprint on the site.
Heck, take it up another notch and rent out the space.
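The canonical-tag trick described above is easy to audit for if you go looking. What follows is an added example, not code from the article or from any commenter: it pulls every `<link rel="canonical">` out of a page and flags any whose host is not the page's own host (or a subdomain of it). The two HTML snippets are constructed, and the hosts `example.com` and `spammer.example` are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _CanonicalCollector(HTMLParser):
    """Collect href values of every <link rel="canonical"> in a document."""

    def __init__(self):
        super().__init__()
        self.canonicals = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)  # attribute values may be None for bare attributes
        rel = (a.get("rel") or "").lower().split()
        if "canonical" in rel and a.get("href"):
            self.canonicals.append(a["href"])


def canonical_targets(page_url, html):
    """Return the absolute canonical URLs declared in the page (relative hrefs resolved)."""
    parser = _CanonicalCollector()
    parser.feed(html)
    return [urljoin(page_url, href) for href in parser.canonicals]


def foreign_canonicals(page_url, html):
    """Return canonical URLs that hand the page's ranking to a different host.

    A canonical on the same host or one of its subdomains is normal; anything
    else is the signature of the hijack discussed in the thread.
    """
    own_host = (urlsplit(page_url).hostname or "").lower()
    flagged = []
    for target in canonical_targets(page_url, html):
        host = (urlsplit(target).hostname or "").lower()
        if host != own_host and not host.endswith("." + own_host):
            flagged.append(target)
    return flagged


# Constructed sample pages: one clean, one with an injected off-site canonical.
PAGE_URL = "http://example.com/2012/04/some-article/"
SAMPLE_CLEAN = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="/2012/04/some-article/">
</head><body><p>article</p></body></html>"""
SAMPLE_HIJACKED = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://spammer.example/landing/">
</head><body><p>article</p></body></html>"""

if __name__ == "__main__":
    print("clean:", foreign_canonicals(PAGE_URL, SAMPLE_CLEAN))
    print("hijacked:", foreign_canonicals(PAGE_URL, SAMPLE_HIJACKED))
```

Run it over a crawl of your own pages rather than a single fetch: a site-wide check catches a canonical injected into a theme header, which would otherwise only be visible in page source.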

~~~
rwmj
It's very common and very old. Someone did this to a site I ran back in 2005.
He made the mistake of creating a new account using his gmail address and his
gmail password.

I logged back into his gmail account using this information [this was before
the time that Google started to flag logins from unusual IP addresses] and
found out that he was doing this as contract work for several legitimate
companies.

There in the email were messages back and forth between himself and various
marketing managers at those companies about sites he'd attacked and placed
spam links in.

~~~
golden_apples
Have to ask what software you were using, that it was so easy to get his
password from out of his login account. This must have been in the days before
passwords were hashed or something?

~~~
rwmj
Passwords were not hashed in the database, because it made no sense for me (as
the site administrator) to do that. As the site admin it's entirely beneficial
for me (not for you) to see your password.

Of course if you're the sort of _user_ who uses the same password on every
site, then it benefits you a little bit if the site hashes the password. The
site admin or an attacker can still easily steal your password when you log
in, so the benefit is small. But by doing this you're trusting every site,
which is stupid.

Users should use a completely different, randomly generated password for every
site, then whether or not the site hashes the password doesn't matter.
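The exchange above turns on whether a site keeps the password itself in its database or only a hash of it. As an added example (not code from the thread or from any commenter's site), here is what a salted, iterated password record looks like and how a login is verified against it; the record stored in the database contains the salt, the iteration count and the derived key, but not the password. Parameters such as the iteration count are illustrative choices.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None, iterations=200_000):
    """Return a storable record: algorithm$iterations$salt_hex$derived_key_hex.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless against the dump.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the derived key from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed demo: what the administrator sees in the users table.
    stored = hash_password("hunter2")
    print("stored record:", stored)
    print("login with right password:", verify_password("hunter2", stored))
    print("login with wrong password:", verify_password("hunter3", stored))
```

Note what this does and does not cover: the record protects the password at rest, which is exactly the case in the story (someone reading the database). It does nothing for a password sent over an unencrypted connection, which is the separate point raised about open Wi-Fi later in the thread.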

------
InfinityX0
If anyone is interested in the other places their links were placed, you can
see SEOMoz's backlink data -
<http://www.opensiteexplorer.org/links?site=seonix.org>.

~~~
danso
I would've liked to see an exact explanation of how the editor's account was
compromised, because it's important to know whether or not thenextweb and
other sites were compromised through a default-account-setting or because all
of these sites happened to have an account with the same vulnerable password.
Or did the hacker just attempt a brute attack against a huge swath of sites,
and thenextweb and others were just a few that fell to it?

~~~
bradmccarty
His password was simple enough to be brute-forced.

~~~
thenextcorner
or he might have been writing an article in a Starbucks working on an open
wifi. Anybody who has Wireshark installed can go fish for passwords and other
log in credentials in your local Starbucks!

When will people learn that an open Wifi is not secure!

(not claiming this is what actually happened here!)

------
droithomme
Am I right in observing that this would be felony hacking in the US, the sort
of thing that brings prison time? And he did it with links to his own site, so
it's clear his identity as well. That doesn't seem too bright.

~~~
soult
If you follow the trail he left, you will notice that the spammer is from
Eastern Europe. Good luck getting him extradited.

~~~
darklajid
Disclaimer: I consider this act a crime and think the responsible person
should be punished.

That said: Can we please stop this idea of dragging people into other
countries (I guess there's one particularly eager doing so)? As long as we're
not all on the same page about laws around the globe and while we still don't
know what 'hosted in the US' means for a business, for example, I'd rather
prefer sticking to local laws. These apply without a discussion. Laws of
another country by default don't and I'd have a hard time understanding why
this should change (a global nation with one book of law would change my mind
here).

~~~
gwright
This is exactly the problem that is solved by an extradition treaty.

More often than not the alleged crime is a crime in _both_ countries and so
extradition is a reasonable approach to the problem.

I do agree that the Internet has created jurisdiction issues and criminal
issues that aren't well covered by existing law/treaties.

I don't think the local/international dichotomy you describe is as clear cut
as you are asserting. Whenever you have international commerce you are going
to have all sorts of activities that raise criminal or civil issues that can
only be adjudicated via bi-lateral treaties. These issues exist whether the
commerce is conducted in-person, by phone, by fax, by email, via HTTP, etc.

I think a 'global nation with one book of laws' would create way more
problems than it would solve and in any case isn't going to happen anytime
soon.

~~~
DanBC
> _I do agree that the Internet has created jurisdiction issues and criminal
> issues that aren't well covered by existing law/treaties._

A big problem is that the US only needs "reasonable suspicion" when asking to
extradite someone from England. But the UK needs "probable cause" when asking
to extradite someone from the US. That means that in the UK the evidence is
not tested before a Judge agrees to extradition, yet a US Judge tests the
evidence before agreeing the extradition.

Babar Ahmed: (<http://www.bbc.co.uk/news/uk-17606337>)

Babar Ahmed, held for 7 years in a UK prison without a trial, has asked to be
tried in the UK. He ran a website that was (supposedly) pro-terrorist. The
site was hosted in the US. The US wants to extradite him and try him in
America.

This case is interesting because he's not a sympathetic character, yet he
claims all he wants is a trial (in a UK court) and a sentence. And also
because he's not free, he's been in prison for 7 years already, so it's not as
if the UK is an easy option for him.

------
elliottcarlson
And yet a site like this (the site that traffic was being directed to) has
adsense on it without any issues.

~~~
GoodIntentions
I wonder if he'd still have adsense if someone "gifted" him 10k hits from an
adult network + some run of site adult themed links?

Guessing it wouldn't take long, algorithms being what they are.

~~~
dchuk
so your solution is to waste a bunch of legitimate ad spend from a legitimate
advertiser by sending illegitimate traffic and clicks to a hacker's site? What
if the person dropping those links in those hacked sites wasn't actually the
owner of the target site and he did that so someone like you would screw over
all of the innocent parties who happen to be involved?

This is a problem Google needs to fix, hackers aren't going anywhere and god
knows teaching them a "lesson" isn't really a good solution most of the time,
black hat morals being what they are.

~~~
GoodIntentions
My tongue-in-cheek idea was to buy him the traffic, not steal it from a legit
campaign - Once G thinks you're a porn destination, I doubt very much you will
index.

You're right, tho no serious solution there. It's more of a poke at a broken
system that automatically ban-hammers good guys with the bad based on signals
that totally miss bad actors like this guy.

Clearly the 'hacker' here has invested enough time to understand the system
better than legitimate sites that have "wasted" their time trying to generate
value for their users.

------
mikepmalai
Based on the "Don't Be Evil: How Google Screwed a Startup" thread, the simple
fix is to just start clicking on all his ads until Google bans his account
lol. No need to extradite anyone.

~~~
Teapot
Do it using TorBrowser. That really angers big G.

------
davedd
We are seeing many of those attacks (via brute force) on WP-based sites:

[http://blog.sucuri.net/2012/03/brute-force-attacks-against-w...](http://blog.sucuri.net/2012/03/brute-force-attacks-against-wordpress-sites.html)

So not a vulnerability in WordPress, just bad password usage...

~~~
Getahobby
Wpscan is an incredibly easy tool to use for both good and bad. It makes it
very easy to brute force logins.
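Brute-force logins against WordPress, as the two comments above describe, leave an obvious trace in the web server's access log: a burst of `POST /wp-login.php` requests from one address. The following is an added example, not code from the thread or from Sucuri or WPScan: it parses Apache combined-format lines and flags any client that posts to `wp-login.php` more than a threshold number of times within a sliding window. The log lines are constructed, the addresses are documentation ranges, and the threshold and window are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def wp_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Map ip -> peak number of wp-login.php POSTs seen within any window_seconds span.

    Only addresses reaching `threshold` are returned. Failed WordPress logins
    answer with a 200 (the form again); a success is a 302 to wp-admin, so the
    status is kept in the record for anyone who wants to split the two.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # advance the window start until it is within window_seconds of t
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one address hammering the login form, one normal login.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2941 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2012:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Apr/2012:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2012:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2012:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2012:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2012:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Apr/2012:10:00:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(wp_login_bruteforce(SAMPLE_LOG))
```

Feed it `tail -f`-style in a cron job or wire the same logic into fail2ban-style blocking; on a site where logins only come from a handful of staff, a window of a few attempts per minute is already loud enough to act on.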

------
comex
This website overloads the left and right keys to move between articles, never
mind that if the page is wider than the browser window you might want to
scroll with the keyboard. Ew.

------
xSwag
Hmm, however unlikely, it seems that the hacker is aware of a 0-day in
wordpress. Almost all of the websites compromised were using WordPress. Weird.

------
eneveu
Is there some way of reporting the spammer to get his website de-indexed from
Google?

------
mikerice
were they hacked or was a user account just compromised?

~~~
johncoltrane
They were hacked because the "hacker" managed to modify the content of the web
site, using a compromised account to get into the machine.

