UPDATE 4.7.08: Looks like ZDnet was hacked as well (although they’ve since cleaned up)

So in some innocent conversation earlier today with Allen Stern, he noticed that Tailrank was getting hammered with spam, via Tailrank’s River — something Duncan Riley also noticed. To be honest, I’ve noticed it as well, noting snarkily that perhaps it wasn’t so much that Tailrank was getting hammered, as much as Tailrank’s algorithm was getting fooled, as it looks to grab content by skimming the content of feeds. That is, perhaps Tailrank was grabbing rotten spammy content.

Or … was it?

I had a closer look at many of the blogs concerned that had spammy content — pages promoting credit cards, pharmaceuticals and the like, and I realized that if you go to the root domain they are all legitimate blogs. Not scraper blogs that were being auto-generated with adsense / affiliate links, which was extremely curious, and actually reminiscient of something that hit home a few months ago.

A few months ago, this blog got hacked — but in a sneaky way. Not only did the hackers insert “invisible” code into my template, so that I was getting listed in Google for all manner of sneaky (and NSFW terms), so that people could click on those links with the hacker getting the affiliate cash — but *actually*, said hackers also inserted fake tempates into my wordpress theme.

I didn’t notice, because Dreamhost automatically installed a ton of themes, and so they were buried in there, but I only noticed when I started looking at my analytics and really odd pages started getting hits. Randomly.

I never got around to blogging about it before because it was all too strange, but with Tailrank, its clear that I’m not the only one that was buggered — its happening to a TON of blogs, and people don’t even know about it.

There seems to be two kinds of hackery going on, just like I’ve described:

1. Inserting “invisible” HTML full of links (for NSFW sites) into your WP template that isn’t obvious when you go to your blog, but is VERY obvious when you look at the source code (and start seeing that you’re getting traffic for some “peculiar” terms).

2. Inserting whole new source code / new sneaky themes that copy other blogs / content *exactly*, which is full of spammy content and affiliate links.

Why are there two? Why would you have any pages with nothing obvious to the reader?

Read on, because this is where it gets really nefarious.

First here are some examples.

• http://www.helmethairblog.com: Blogs about motorbikes. Has a ton of invisible code inserted into the WP theme right in his header. Check out the source code or try this file (I saved it): helmethairblog-source Note how all of the adsense if for *credit cards* (and not on motorbicycles)
  
• http://www.andysummers.com: A professional site for a guitarist named Andy Summers. Inside the press directory you can find at least six directories that contain pages for pharmacy, credit cards, and loans. Here is one of those pages.
• http://blog.jimnovo.com: the marketing and productivity blog for Jim Novo, who has a book called Drilling Down. This is probably one of the sneakiest (yet to be verified personally from Mr. Novo however) — the blog is running on WordPress, however, it looks like someone has sneaked in some extra php code, under a separate file called news.php. Given a particular value for the variable “blog”, it serves up different pages. For example, serving up “credit”, serves up this page which is ranking very well for Mr. Novo (accidentally of course).

The devious thing? The entire site is ripped off from CreditHit.com, and its a little unclear if this is therefore something perpetrated *by* CreditHit (because links are tracked and go back to them), or an affiliate *of* CreditHit (which would be strange, as the site is an affiliate portal for credit cards).

At any rate, if the number of blogs on TailRank are any judge (through the Tailrank River –> tailrank.com/river), there are a HUGE number of blogs / sites that are hacked and don’t even know it.

http://www.internmentcamp.com –> silent HTML spam
http://www.vinokeeno.com/ –> silent HTML spam
http://www.alexharford.com/ –> silent HTML spam
http://www.gossiportruth.com –> silent HTML spam
http://amandabanana.net/ –> silent HTML spam
http://license2code.com–> silent HTML spam
http://selfportraitchallenge.net/–> silent HTML spam
http://www.firstcrackpodcast.com/–> silent HTML spam

So, let’s get back to the two kinds of spam. Why is there all of this content that is “invisible” (and even selected out to be invisible by some CSS?)

The *REAL* Devious thing, and the heart of the matter, is that the pages full of *silent* spam are tracking back to a few particular sites, such as the jimnovo.com site and the andysummers site. The reason why? One need only look at the TailRank.com/River site to know why, as Jimnovo.com’s blog is headlining almost every node.

The other blog that many of those blogs link to is Interaccess.org, which is a site for a not-for-profit organization that focuses on art and technology. Its blog is here, called Axon, Interaccess.org/blog. But of course, the money is in the pages that have been sneaked in, like this one: http://interaccess.org/blog/?drug=4/pill-377-tramadol.html

What does this really all mean?

It means that these silent pages are a blackhat SEO tactic to *promote* a few select blogs / sites that have been hacked with prominent affiliate / spam links and spam content, thereby bumping up their relative standing on Google.

That’s right.

Some enterprising hackers have put together a scheme whereby they hack a number of blogs, so that they can create their own network pages and links back to a few select blogs, to pages that are not easily visible. It takes advantage of the organic and real page rank of all of the sites in question, and probably makes some bucks for the hacker involved.

Why is this bad for *you*?

Other than the knowledge that someone is profiting off of your back, what can happen is that if you’re running Adsense, Google might notice all the hidden text and penalize you and pull you right out of the Index.

De-indexed. It happened to me, and the above, in retrospect, is the very reason for it.

So, at this moment you might be wondering — what can I do to protect myself? How can *you* tell if your blog has been hacked?

Here are three ways (pray it doesn’t get to the three).

1. You start getting traffic from google for terms you never write about (say, credit cards)

2. If you use Adsense, you start seeing ads on your blog for stuff that in no way matches your content (credit cards for example)

3. If you get banned from Adsense for promoting content in a sneaky way.

My suggestion is that if you find yourself in this position, comb through your templates carefully to find the hidden HTML and delete it.

THEN, go through your blog / site directory with FTP, turn ON the “look for hidden things” and start hunting for any potential directories that look suspicious — i.e. you didn’t put them there.

Bottom Line: This all happened to DJI a few months ago, both as a “host” site for the affiliate / spam content (I’ve since deleted the fake WP theme) and a site that hosted silent / invisible links, but I didn’t have the wherewithal to figure it out.

I’m not a security expert, so I can’t tell you if the security breach is through WordPress (perhaps an older version) or higher up — on a wholescale level through hosting providers.

But irrespective of where the leak is, I think this should be a bit of a wake up call to everyone. Look real carefully to see if your blog has been compromised — because you in fact, may be the stooge for someone else’s nefariously devious Blackhat tactics.

ADDENDUM: oh … and Tailrank should also get its act together and realize what kind of content they’re promoting. They exposed this large scale hackery, but did so unintentionally. :P

Update: Looks like JimNovo.com *was* hacked … he removed the offending piece of code, and so you won’t be able to see the changes. Interaccess.org was also fixed as well.