60% of .edu websites are hacked by Turkish "hackers"
70 points by zeynalov on Nov 26, 2011
I started to look for backlinks of some Turkish websites, and discovered that most pirate Turkish movie websites have backlinks from .edu and .gov websites from the US. After looking at those links, I saw that the websites are somehow hacked and the links are hidden with the CSS display:none command. Then I started to look at the source code of .edu websites and saw that 50-60% of them have hidden backlinks to several websites from Turkey, India etc. For example, just look at the end of the source code of http://www.webb-institute.edu and then look at the backlinks of, for example, www.bolumizleyin.com. I wrote to the website owners and Google, but got no response. Please, Matt Cutts, if you read this, do something about those hacklinks.

Blackhat spammers will do almost anything to earn money, including illegal stuff like hacking tons of websites. Google is able to detect and disregard the vast majority of hacked links; you're looking at raw links but you don't see which of those links we trust and how much weight we give them.

We try to go a little further and warn many websites that they've been hacked, but there's definitely a lot of unpatched web servers out there, as you could guess from http://news.ycombinator.com/item?id=3277514 a few hours ago.

Matt, I searched and found out that people already reported this type of spam in 2010. They gave lists of them, but most of them are not even penalized.

(topics are in Turkish)

1. here - bit.ly/obNDQ9
2. here - bit.ly/sO3ZZP
3. here - http://bit.ly/tNCAff

In the 3rd topic, a hacker, Clair De Lune from Turkey, says that he has the list of passwords of .edu websites, and he mentions that it's not illegal because the links are hidden, and website owners believe him.

Over a 2-3 year period I have observed (by dint of having a frequently outranked legitimate site) probably in excess of a hundred websites run by counterfeiters (of brand name products) reach top positions for a small set of related and highly competitive terms only using overt blackhat techniques like blog comment spam, injection of links into compromised joomla, wordpress, & image hosting scripts, negative margins on divs and marquees - even white text on white backgrounds (like it was 1997).

The sites are removed when either law enforcement agencies or the rights owner take action (for example, page 1 of the results for one term is, right now, showing 12 DMCA complaint notices, and there have been a couple of fairly large scale operations by UK police to get domains taken down when there is proof of criminal activity).

If it were a handful or even a score, then I'd believe that "Google is able to detect and disregard the vast majority of hacked links". However, my personal experience suggests that whatever is left after this "vast majority" still constitutes an awful lot of links.

Of course, I am not arguing that Google is not able to detect a meaningful percentage of hacked links, and indeed I have direct experience of this.

My own site was compromised a few years back, i.e. hacked to serve a bunch of links to the usual suspects - porn, drugs and Australian footwear (using a particularly nasty script that inserted the links only when the visitor was Googlebot otherwise it just returned an empty div - 100% my fault for being tardy in my patching schedule as it was using a widely available cms script) and this led to my site (as the 'victim' site) dropping dramatically in rank, only to recover once I had cleaned up the mess, patched the exploit and completed a re-inclusion request.

However, that so many sites using basic link spam approaches were able to rank so highly for such a sustained period suggests that the current capabilities are far from perfect - right now I can see a site in position 2 that only uses blog spam, is fairly new and is selling illegal counterfeit products. It simply should not be there (outranking the brand website), nor should the other 5 similar sites also on page 1.

Anyway, I obviously appreciate that Google faces an insanely difficult task in dealing with web spam, and the situation I refer to above is (despite the current spate) a lot better than it was 2 years ago, when it was crazily out of hand. Nevertheless, tens if not hundreds of millions of pounds have been lost by consumers to these sites in the same period (most of whom have such a high level of trust in Google as a brand that they rightly believe that anything showing up on page 1 is likely to be legit).
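A defender's check for the two injection styles described in this thread, links hidden with inline CSS and links served only to Googlebot, as an added example that is not part of any comment here. The host names, sample pages and function names are constructed, and the two responses are assumed to have been fetched already, one with a browser and one with a crawler User-Agent.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style hiding named in the thread: display:none and large negative margins.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|margin[-\w]*\s*:\s*-\d{3,}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class LinkAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []  # (tag, hidden_by_inline_style) for each open element
        self.external, self.hidden = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDING.search(attrs.get("style") or ""))
        if tag == "a":
            try:
                host = (urlparse(attrs.get("href") or "").hostname or "").lower()
            except ValueError:  # malformed href, e.g. a broken IPv6 literal
                host = ""
            if host and host != self.site_host and not host.endswith("." + self.site_host):
                self.external.add(host)
                if hides or any(h for _, h in self.stack):
                    self.hidden.add(host)
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):  # ignore stray end tags
            while self.stack.pop()[0] != tag:  # also closes unclosed children
                pass

def audit(html, site_host):
    parser = LinkAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser  # .external = all off-site hosts, .hidden = those inside hidden markup

def crawler_only_hosts(html_browser, html_crawler, site_host):
    # Off-site hosts linked only in the copy served to a crawler user agent.
    return sorted(audit(html_crawler, site_host).external - audit(html_browser, site_host).external)

# Constructed sample responses for one URL (not real sites).
BROWSER_PAGE = '<body><p><a href="/about">About</a> <a href="https://partner.example/">P</a></p><div></div></body>'
CRAWLER_PAGE = BROWSER_PAGE.replace("<div></div>", '<div style="display: none"><span>'
    '<a href="http://movies.example/">izle</a></span><br><a href="http://pills.example/x">x</a></div>')
```

Only inline `style` attributes are inspected; links hidden through a stylesheet class or script need a rendered-DOM check, and a non-empty `crawler_only_hosts` result is a reason to inspect the server-side code that varies its output by User-Agent.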

Here's the problem... Turkey has a lot of underutilized developer talent. There's tremendous potential there, but most of it ends up in Germany or France. It also ends up in underhanded schemes.

For those that stay, the IT culture seems rather conservative and moving jobs is culturally difficult. The talent is there (like it is in Russia) but they are a long way off from being an innovation capital.

What challenges are in their way for making good products within their own market? What challenges exist to work as outsourced development teams? After reading this I would think twice about hiring someone from Turkey.

First and foremost, I should say I'm partnered to a Turk and have spent a few months there; I am not a specialist. While there, I did talk to a few people about the IT climate. So take what I say with a grain of salt.

First and foremost, Turkey is a country of 80 million people. There is a significant amount of variety from person to person, but the tax codes and business rules are not IT friendly relative to other businesses. There is still a non-trivial tariff on computers and electronics, making supplies more expensive than in other countries. From what I vaguely understand it is easier for other companies to evade taxes than IT services, all of which increases the cost of business and makes outsourcing less economical compared to other Eastern European nations. (AKP, the ruling party, is thought of as business-friendly, but I haven't seen any work to really tackle their tax issues.)

Second, Turkey's government is censorship-happy. Nothing like Hacker News or Reddit would work there, much less something like Yelp. (Every comment would have to be read, lest someone gets tried for "insulting Turkishness.")

Finally, they don't have a great way for capitalization of projects. Also, the people with money seem risk-averse to new ideas.

Turks themselves are very entrepreneurial, and the few of them that I've known who were developers are generally rather sharp. I wouldn't try to outsource there, however, at this point in time. (Unless I end up there for a few years with a bit of cash and can poke at loopholes. Then, watch out for my new product! :)

Your observations are pretty accurate.

I'd like to add that something similar to Urban Dictionary has existed for a very long time now (10+ years): eksizosluk.com. They had their fair share of trouble with litigation but mostly managed to protect free speech. In fact it is so successful that it spawned many clones, which themselves became very popular websites.

Content is the main bottleneck. Something like UD exists because it generates its own content, whereas HN or Reddit clones don't exist because there isn't enough Turkish material on the web. A good part of the population doesn't understand English, and the ones who do choose to assimilate in the more interesting English space (ahem).

What does that have to do with OP? Every country has its own script kiddies.

Nigeria (which I didn't mention), Turkey and Russia have a disproportionate number.

That's wild. I guess since it's not exactly malicious hacking, the site owners never realize it. I know plenty of .edu websites that are terribly coded in terms of security. It's good that you reported it. Hopefully Matt sees this.

Interesting find! About Google, I'm pretty sure they have methods to detect hidden content that simply exists as SEO spam.

ROFL. They're not quite there unfortunately. Try a google query like:

site:mit.edu viagra

And get surprised at how the MIT is selling viagra :p

Actually that is something different and a little more evil: they hacked the MIT page to check (server side) if the referer is a Google search results page for the word "viagra"; if it is, then it goes to the viagra page; if it is not, it goes to the real MIT website.

I also thought about this, but those sites with hacklinks have first places on Google SERPs.

I have a site using modx.com's latest version that is continually hit with these "display:none" links. I've changed all passwords about a dozen times with no luck. Anyone have any thoughts on how to prevent this hack from continually happening?

50-60%? really?

I randomly selected .edu websites from all over the web, including edu.az, edu.com.tr etc. 62 of 100 had those hacklinks.

In that case, the headline and summary are very misleading. The summary says "edu, .gov, websites from US" but you say the sampling includes Turkish/Azerbaijani academic websites. I don't think I'm the only person who would read ".edu" and assume that it _unambiguously_ means US academic sites. If you can provide a full list of your sample, that would be useful to put some detail into this statistic.

Most of them are American educational websites, but there are also some from Portugal, Turkey, Azerbaijan, China etc. which are very authoritative high PR websites. I'm going to write a blog post with a full list of websites.

Interesting. It'd be great if you could write this up as a blog post, explaining your motivation and methodology while giving examples of what's happening.

Good find.

If you want to expand the search, NCES might be a good way to collect additional sites to try: http://nces.ed.gov/collegenavigator/

Do you have any hypotheses about a common vector for the hack? In addition to run-of-the-mill vectors, there's also the possibility that educational middleware (online class management a la Sungard, Blackboard, PeopleSoft) is vulnerable -- this is pure speculation, of course, but as someone who worked with dozens of those portals it piques my curiosity.

I couldn't figure it out yet. I'm chatting with one of those hackers right now by email. He says he can sell me the whole list of passwords of .gov and .edu websites from whichever country I want, and he can teach me how to hack the rest of them. Mind-blowing.

How did you locate this hacker?

I just contacted him through the Contact page of his website. He replied. I am not sure if he's a real hacker but he's the owner of bolumizleyin.com which has plenty of backlinks from several .edu websites.

@diamondhead It seems I can't reply to messages past a certain depth so I'll respond to your latest comment in the previous one. I am from Germany. I wrote you on twitter.

zeynalov, please report him to a police department or a related department in Turkey. If you don't know how to do it, I can help you with this as a Turkish citizen.

Probably by looking at the whois of the domains being linked to?

Just by contacting them directly from their website.

It would be fascinating to see results from a selection of big well known universities in US, EU, etc.

Let's share those URLs you're talking about.

Just checked and the university I work for has a few spam links.

I figure the hundreds of independently maintained public facing servers make universities particularly vulnerable.

About 18 months ago you used to see a lot of Craigslist ads for access to edu sites..

18 months later, no ads whatsoever.. so it must have all been outsourced to places like Turkey etc..

Turkey shows its aggressive nature in every way..

I heard chicken is dangerous too.

