Last Updated: 24th July, 2022
What Is Korean SEO Spam?
Korean SEO Spam: Spam is a blanket term used for unsolicited emails, adverts, etc., which have no relevance to the end user. Spam is used for a wide variety of internet crimes. Sometimes, it is deployed by hackers to trick innocent users into buying fake products or to click farming. Sometimes, spam is used to pollute the search results of competing sites. Spam usually targets users via lucrative offers like pyramid schemes, multi level marketing, cheap pharma products, etc.
Recently, a large scale Korean SEO spam was revealed. The alarming thing about this spam campaign was the tricks it was using to pollute the search results of legitimate websites. Spammers are getting smarter every day.
Commenting on this, Finn Brunton, the author of the book “Spam: A Shadow History of the Internet” has written that, “The gradual predominance of the algorithm in the project of spamming appears in the filters and the spam created in response to them, in search engines and their manipulators, and, as will be shown, in the grand global project of the botnets.”
Table Of Contents
Revealing The Layers Of Korean SEO Spam
This Korean SEO spam typically targets common CMS files like index.php, functions.php, etc. Inside any of these files, the code can be found hidden in the base64 format. Once decoded, from the base64 format, the spam would again contain another layer of obfuscation as shown in the image.
As seen in the image, the hackers used the “Signature For Report” comment to misdirect anyone trying to analyze the code. However, upon further decoding, this code reveals the modus operandi of the entire Korean SEO Spam campaign. Which includes:
- Fetching Korean spam keywords.
- Caching them.
- Cloaking to serve different content to different visitors.
Components Of Korean SEO Spam:
Fetching The Contents Of Spam
In order to fetch the contents of this Korean keyword hack the following link was used: hxxp://god.sm79[.]xyz/api.php?g=gitt. Upon visiting this link, it serves some base 64 encoded content as shown in the image below.
When decoded it looks something like this. This contains a long list of Korean Keywords and injection types.
Configuration Arrays Of Korean SEO Spam Content
The content fetched from hxxp://god.sm79[.]xyz/api.php?g=gitt contains a large number of arrays. These assist the spammers in creating and spreading a large variety of spam. Some important arrays fetched from the link are:
1. A configuration array for spam rules so that you never run out of spam. It contains around 199 spam rules!
2. A configuration array of domains used to redirect users.
3. An array of around 900+ keywords(309 in one array and 608 in other) to be targeted. Some prominent keywords include “call girls for travelers”, “online gambling”, “off-white merchandise” etc.
Target Localization
This Korean SEO spam campaign targets only the traffic generated from Korea. This can be further explained from the code snippet of the spam given below:
if(strpos(strtolower(@$_SERVER['HTTP_REFERER']), ".kr")
!== false || strpos(strtolower(@$_SERVER['HTTP_ACCEPT_LANGUAGE']),
"ko") !== false){
…
die('<!DOCTYPE html><html><body><script>document.location=
("'[email protected]($sc_arr[0]).'");
</script></body></html>');
}
The first line of code checks if the request has originated from a Korean version of search engine i.e. “.kr“. Moreover, the third line of code check if the user has Korean as the default browser language i.e. “ko“. Once, these parameters are satisfied, these requests are then redirected. Also, the spam contents fetch earlier contain an array of Korean cities to customize the spam content for each one of them.
Array for targeting each city
Old Habits Die Hard
Korean SEO spam bears multiple similarities to the Japanese SEO spam. For instance, Korean SEO spam also creates spammy doorways on many sites around the world. Another similarity is trying to sell cheap pharma products. Just like Japanese SEO spam, this too tries to claim the ownership of compromised sites.
Although the spam campaign is similar to Japanese SEO hack, the Korean SEO spam campaign features a new and alarming method of polluting the search results of legitimate and uncompromised websites. One of the configuration array with the contents fetched from “hxxp://god.sm79[.]xyz/api.php?g=gitt” includes a list if around 500 random sites. The URLs of these sites are stored in the following format: http://example.com/?s=[something].
Towards the finish of every URL, the WordPress site requests that a specific query be searched which is “/? s=search-string” query. What the attackers did was to link the random sites to these Korean spam keywords.
As mentioned before, the sites were uncompromised and therefore they did not return any results for these Korean keywords. However, the not found page did contain the keyword which led to Googlebot ranking the sites for these keywords.
To get a better picture, take a look at the example given below.
A “NOT FOUND” page containing the spam search query.
This page return, simply states that the search query was not found. However, this also contains the complete search term with the spam keyword. The page also contains the name of site gmvcs [.] com, which is being promoted during this spam campaign.
A simple Google search of this site can, therefore, reveal millions of indexed pages. Whereas in reality, none of them contains this term. So, this basically pollutes the SERPs of legitimate sites with multiple spam keywords and promoted sites, leading to a negative SEO and a nightmare for their webmasters!
Mitigation
NoIndex
In order to avoid the search result, pollution of your website, insert the following tag to your search result page:
<meta name=”robots” content=”noindex”>
Another alternative is to disallow indexing using the robots.txt file. Simply create a robots.txt file in the root folder and add the following code:
User-agent: *
Noindex: /
This can be done from other WordPress Plugins as well.
Web Application Firewall (WAF) For Protection
A good Web Application Firewall (WAF), can detect the loopholes in your site, especially the noindex part in the case of Korean SEO spam. Also, having a complete security solution such as Sucuri can protect your website from such future spams.
