Korean SEO Spam What Is Korean SEO Spam And How Can You Remove IT

Korean SEO Spam: What Is Korean SEO Spam And How Can You Remove It

Last Updated: 24th July, 2022

What Is Korean SEO Spam?

Korean SEO Spam: Spam is a blanket term used for unsolicited emails, adverts, etc., which have no relevance to the end user. Spam is used for a wide variety of internet crimes. Sometimes, it is deployed by hackers to trick innocent users into buying fake products or to click farming. Sometimes, spam is used to pollute the search results of competing sites. Spam usually targets users via lucrative offers like pyramid schemes, multi level marketing, cheap pharma products, etc.

Recently, a large scale Korean SEO spam was revealed. The alarming thing about this spam campaign was the tricks it was using to pollute the search results of legitimate websites. Spammers are getting smarter every day.

Commenting on this, Finn Brunton, the author of the book “Spam: A Shadow History of the Internet” has written that, “The gradual predominance of the algorithm in the project of spamming appears in the filters and the spam created in response to them, in search engines and their manipulators, and, as will be shown, in the grand global project of the botnets.


Kerala Police Recruits Humanoid Robot As Sub-Inspector On Front Desk Management

Table Of Contents


Enable Single Sign-On (SSO): Software As A Service (SaaS) Pricing Weakens Client Security

Revealing The Layers Of Korean SEO Spam

This Korean SEO spam typically targets common CMS files like index.php, functions.php, etc. Inside any of these files, the code can be found hidden in the base64 format. Once decoded, from the base64 format, the spam would again contain another layer of obfuscation as shown in the image.

Revealing The Layers Of Korean SEO Spam


How Secure Are Smart Cities In Real, While Balancing Privacy With Innovation?

As seen in the image, the hackers used the “Signature For Report” comment to misdirect anyone trying to analyze the code. However, upon further decoding, this code reveals the modus operandi of the entire Korean SEO Spam campaign. Which includes:

  1. Fetching Korean spam keywords.
  2. Caching them.
  3. Cloaking to serve different content to different visitors.

Components Of Korean SEO Spam:

Fetching The Contents Of Spam

In order to fetch the contents of this Korean keyword hack the following link was used: hxxp://god.sm79[.]xyz/api.php?g=gitt. Upon visiting this link, it serves some base 64 encoded content as shown in the image below.


Quantum For Critical Infrastructure: Facts And Truths

Fetching The Contents Of Spam

When decoded it looks something like this. This contains a long list of Korean Keywords and injection types.

Configuration Arrays Of Korean SEO Spam Content

The content fetched from hxxp://god.sm79[.]xyz/api.php?g=gitt contains a large number of arrays. These assist the spammers in creating and spreading a large variety of spam. Some important arrays fetched from the link are:

1. A configuration array for spam rules so that you never run out of spam. It contains around 199 spam rules!

Configuration Arrays Of Korean SEO Spam Content


Internet of Things (IoT): Everything You Need To Know About IoT

2. A configuration array of domains used to redirect users.

A configuration array of domains used to redirect users.

3. An array of around 900+ keywords(309 in one array and 608 in other) to be targeted. Some prominent keywords include “call girls for travelers”, “online gambling”, “off-white merchandise” etc.


What Is Sircam Virus And How Its Legacy Began?

An array of around 900+ keywords(309 in one array and 608 in other) to be targeted.

Target Localization

This Korean SEO spam campaign targets only the traffic generated from Korea. This can be further explained from the code snippet of the spam given below:

if(strpos(strtolower(@$_SERVER['HTTP_REFERER']), ".kr")
!== false || strpos(strtolower(@$_SERVER['HTTP_ACCEPT_LANGUAGE']),
"ko") !== false){
die('<!DOCTYPE html><html><body><script>document.location=
("'[email protected]($sc_arr[0]).'");


Revamping Your Security Information And Event Management (SIEM)

The first line of code checks if the request has originated from a Korean version of search engine i.e. “.kr“. Moreover, the third line of code check if the user has Korean as the default browser language i.e. “ko“. Once, these parameters are satisfied, these requests are then redirected. Also, the spam contents fetch earlier contain an array of Korean cities to customize the spam content for each one of them.

Array for targeting each city

Array for targeting each city.

Old Habits Die Hard

Korean SEO spam bears multiple similarities to the Japanese SEO spam. For instance, Korean SEO spam also creates spammy doorways on many sites around the world. Another similarity is trying to sell cheap pharma products. Just like Japanese SEO spam, this too tries to claim the ownership of compromised sites.


Advanced Contact Form 7 DB WordPress Plugin Vulnerable To SQLi Injection Detected

Although the spam campaign is similar to Japanese SEO hack, the Korean SEO spam campaign features a new and alarming method of polluting the search results of legitimate and uncompromised websites. One of the configuration array with the contents fetched from “hxxp://god.sm79[.]xyz/api.php?g=gitt” includes a list if around 500 random sites. The URLs of these sites are stored in the following format: http://example.com/?s=[something].

Towards the finish of every URL, the WordPress site requests that a specific query be searched which is “/? s=search-string” query. What the attackers did was to link the random sites to these Korean spam keywords.


Zelle Banking App: New Door Opens, So As Cyber Crime Walks In

As mentioned before, the sites were uncompromised and therefore they did not return any results for these Korean keywords. However, the not found page did contain the keyword which led to Googlebot ranking the sites for these keywords.

To get a better picture, take a look at the example given below.

A “NOT FOUND” page containing the spam search query.

A NOT FOUND page containing the spam search query


HP And ExpressVPN Partnership To Engineer Better Online Security

This page return, simply states that the search query was not found. However, this also contains the complete search term with the spam keyword. The page also contains the name of site gmvcs [.] com, which is being promoted during this spam campaign.

A simple Google search of this site can, therefore, reveal millions of indexed pages. Whereas in reality, none of them contains this term. So, this basically pollutes the SERPs of legitimate sites with multiple spam keywords and promoted sites, leading to a negative SEO and a nightmare for their webmasters!



In order to avoid the search result, pollution of your website, insert the following tag to your search result page:

<meta name=”robots” content=”noindex”>


Security Assessments: Importance Of Choosing The Right Cloud Service Providers

Another alternative is to disallow indexing using the robots.txt file. Simply create a robots.txt file in the root folder and add the following code:

User-agent: *

Noindex: /

This can be done from other WordPress Plugins as well.


CCI Inquiry Accused That Google Misemployed Android To Block Its Rivals

Web Application Firewall (WAF) For Protection

A good Web Application Firewall (WAF), can detect the loopholes in your site, especially the noindex part in the case of Korean SEO spam. Also, having a complete security solution such as Sucuri can protect your website from such future spams.

, , , , , , , , , , , , ,
Previous Post
What Is Search Engine Blacklist By Google, Bing, Yandex, McAfee, Norton
Next Post
Project Soli, Remastered: How Radar-Detected Gestures Might Differ Pixel 4

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed