To Catch a Spammer: Uncovering Negative SEO
The author's views are entirely their own (excluding the unlikely event of hypnosis) and may not always reflect the views of Moz.
Google recently updated its claims regarding the ability of other webmasters to affect your rankings via negative SEO. While questions about the efficacy of negative SEO continue to exist, it does not seem to be slowing down the growth of what is arguably the most contemptible part of the search industry.
On July 9th, a good friend of mine reached out to me with a problem. As a very risk-averse webmaster, he constantly plunges into the numbers, especially anchor text diversity, in order to make sure his site is as penalty-proof as possible. The latest updated data in SEOmoz's MozScape revealed a massive shift towards anchor text over optimization for several primary terms. It took only a few minutes to identify the culprit.
Diagnosing the Damage
The first step was to dig down into all the link data to identify just how deep the damage was. We downloaded all the links available on SEOmoz, MajesticSEO and AHrefs to make sure that we had every possible outlet covered. It didn't look good. On a primary keyword, the number of unique linking domains with exact anchor text went up 20x in a matter of two days. Below is an example of one of the spam posts.
Now the leg work began of identifying as many negative links as possible. But this is when it got interesting. We were able to quickly identify that there were several sites involved in the attack.
Wait, what? Did you just read what I read? Distilled, the venerable white-hat SEO company was being attacked along side several bingo sites and an insurance liability website. This was too interesting to give up. At that point, I knew my day was shot.
Footprints, Footprints, Footprints
Let me go ahead and get this out - if you are thinking about doing negative SEO and are not a regular practitioner of black hat SEO, you are going to get caught. Sorry, but you just haven't thought it through enough to cover your tracks. What follows is a perfect example of that.
After digging through several of the XRumer spammed backlinks, most hitting up old .cgi guestbooks and bulletin boards, I noticed a handful of sitewide links coming from poor quality blogs. My first instinct was that these were from hacked sites.
But something was different about these. Normally hackers hide their links in the posts with display:none tags so that the webmasters never actually see the bad links. It is a very effective strategy, but in this case they were fully exposed. So I checked another site that seemed to follow the same pattern.
In this example, the links were included in a post. It is very strange for a "hack" to follow such different patterns, sometimes dropping links sitewide and other times just in posts. So, it was time to investigate these anomalies. Off to one of my favorite sites, DomainTools.
For some reason, people still think that private registration is enough to cover all your tracks. Sure, it helps if you register a new domain and establish private registration at the point of acquiring the domain, but if at any point in your history you had accurate domain registration data, we can get to it. Anyone can. Using the DomainTools Registration History, we were able to track down the original registrant email address to [email protected]
A Quick Note on Outing
As you have no doubt noticed so far in this post, I am not going to out the perps. We know the motive, and we know the likely perpetrator, but I can't prove that the parent company knew of the actions, nor even that the SEOs responsible for their accounts were aware of the actions taken on their behalf. I will not allow myself to be responsible for the downfall of a company that may have merely been ignorant rather than malicious, and I certainly won't open myself up to false flag attacks. That being said, the likely culprits are members of this community, and I believe they have much to lose if they continue in their ways. I can't prevent you all from connecting the dots, but I won't paint the picture myself.
So, back to the Investigation.
Now that we had a domain, we had a strong position from which to catapult our investigation. We quickly turned the domain into a twitter account, a twitter account into a link building company out of India. Aside from Distilled, a seemingly random business liability website was lumped into the attack. We were able to determine that the likely culprit owned a site which competes directly with this business liability insurance site. But we were stuck, until my good friend came through and did a quick analysis of the perpetrator's follow list on Twitter.
After a cursory look, he was able to identify a stinging indictment. Of the 41 individuals the likely culprit was following on Twitter, two worked for a direct competitor of the targeted bingo sites, one of which was the CEO of the company and the other the head of Web Marketing. He also followed Distilled, perhaps waiting to see how they responded when the attack was revealed.
This isn't quite the smoking gun yet, though, because the connection is not reciprocal. It is a strong indication, but not a nail in the coffin so to speak. But, alas, twitter is only one social media site. After digging deeper and deeper, we were able to find direct conversations of a personal, non-business, nature between the head of Web Marketing for the competitor sites and the likely culprit on Google+.
Of course, this still only shows a link. But, as if the icing on the cake couldn't get any thicker, here is a nice comment the Director of Web Marketing left on a post about negative SEO just a few weeks ago. As you notice, he is contemplating Google's updated statement that negative SEO is possible. Seriously, could you make this any easier?
So, what exactly does the evidence tell us...
- A negative SEO attack was launched between May 20th and May 22nd of 2012 against several bingo sites, Distilled, and a business liability insurance site.
- The attack was likely created by an individual from India who owns a link building company.
- We know that who ever performed the attack had direct access to websites owned by the individual from India.
- That individual has direct connections with the CEO and Director of Web Marketing for a bingo website company.
- The Director of Web Marketing has reciprocated communication on social media sites with the individual likely responsible for the attack.
- The Director of Web Marketing responded with curiosity to Google's updated notation on negative SEO.
What do we not know?
- We don't know, for certain, that either the CEO or Director of Web Marketing requested these actions be taken.
- We don't know, for certain, that the individual who owns the link building company was directly responsible.
- Why did they target Distilled in the campaign? Did they assume Distilled was an SEO of record for one of their competitors?
The Aftermath
If you are a victim of negative SEO, there are a handful of steps you simply have to tag to prevent potential damage to your site.
- Download a complete list of links pointing to your site from Open Site Explorer.
- Mark any links in this list that came from the negative SEO attack.
- Submit these as a preemptive reconsideration request or via the feedback channel in Google Webmaster Tools.
- Use the Bing Webmaster Tools Disavow Tool immediately.
- Finally, if necessary, begin removing the bad links wherever possible. There are several tools to help out with this, including Virante's Remove 'Em, rMoov, or Richard Baxter's Excel Tool.
The Good News
At least at the moment, it appears that the negative SEO attack has been as effective as their ability to cover it up. For the time being, none of the sites appear to have been dramatically impacted by the campaign. However, with looming updates to Penguin, there is no telling. The best bet for any SEO is to stay on top of their backlinks, watching closely to make sure nothing nefarious makes its way into your profile.
Editor's Note
After the author wrote this post, Google announced a way to download your most recent links in Google Webmaster Tools that could prove very useful in this situation.
Comments
Please keep your comments TAGFEE by following the community etiquette
Comments are closed. Got a burning question? Head to our Q&A section to start a new conversation.