Korean SEO Spam: What Is Korean SEO Spam And How Can You Remove It

Last Updated: 24th July, 2022

What Is Korean SEO Spam?

Spam is a blanket term for unsolicited emails, adverts, etc., that have no relevance to the end user. It is used for a wide variety of internet crimes. Sometimes hackers deploy it to trick innocent users into buying fake products or for click farming. Sometimes spam is used to pollute the search results of competing sites. Spam usually lures users with lucrative-looking offers such as pyramid schemes, multi-level marketing, cheap pharma products, etc.

Recently, a large-scale Korean SEO spam campaign was revealed. The alarming thing about this campaign was the tricks it used to pollute the search results of legitimate websites. Spammers are getting smarter every day.

Commenting on this, Finn Brunton, the author of the book “Spam: A Shadow History of the Internet”, has written that, “The gradual predominance of the algorithm in the project of spamming appears in the filters and the spam created in response to them, in search engines and their manipulators, and, as will be shown, in the grand global project of the botnets.”


Revealing The Layers Of Korean SEO Spam

This Korean SEO spam typically targets common CMS files like index.php, functions.php, etc. Inside any of these files, the injected code is hidden in base64 format. Once decoded from base64, the spam code reveals another layer of obfuscation, as shown in the image.

As seen in the image, the hackers used the “Signature For Report” comment to misdirect anyone trying to analyze the code. However, upon further decoding, this code reveals the modus operandi of the entire Korean SEO spam campaign, which includes:

  1. Fetching Korean spam keywords.
  2. Caching them.
  3. Cloaking to serve different content to different visitors.
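A defender-side way to look for this layering, added here as an example (it is not code from the original article or from the campaign): the scanner peels nested base64 literals out of PHP files and flags any layer that contains the decoy comment or the fetch host named in this article. It assumes the inner layers are base64 as well; the SUSPICIOUS list and the sample input are constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Quoted string literals that look like base64 (40+ characters).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
# Indicators from the article: the fetch host (re-fanged) and the decoy comment.
INDICATORS = ("god.sm79.xyz", "Signature For Report")
# Assumption: generic PHP calls that often wrap a further obfuscation layer.
SUSPICIOUS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")

def peel(text, max_depth=5):
    """Yield (depth, decoded) for each base64 literal, following nested layers."""
    if max_depth == 0:
        return
    for match in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
        decoded = raw.decode("utf-8", errors="replace")
        yield 1, decoded
        for depth, inner in peel(decoded, max_depth - 1):
            yield depth + 1, inner

def scan_php(source):
    """Return [(layer_depth, matched_markers)] for one PHP file's contents."""
    findings = []
    for depth, decoded in peel(source):
        hits = sorted(m for m in INDICATORS + SUSPICIOUS if m in decoded)
        if hits:
            findings.append((depth, hits))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {path: findings} for flagged files."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report

# Constructed two-layer sample (harmless strings, not the real payload).
_enc = lambda s: base64.b64encode(s.encode()).decode()
_INNER = '/* Signature For Report */ $src = "god.sm79.xyz/api.php?g=gitt";'
SAMPLE_PHP = '<?php eval(base64_decode("%s")); ?>' % _enc('eval(base64_decode("%s"));' % _enc(_INNER))
```

Run `scan_tree()` against a copy of the web root; a hit at depth 2 or deeper in index.php or functions.php is worth manual review.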

Components Of Korean SEO Spam:

Fetching The Contents Of Spam

To fetch the contents of this Korean keyword hack, the following link was used: hxxp://god.sm79[.]xyz/api.php?g=gitt. Upon visiting this link, it serves some base64-encoded content, as shown in the image below.


When decoded, it looks something like this. It contains a long list of Korean keywords and injection types.

Configuration Arrays Of Korean SEO Spam Content

The content fetched from hxxp://god.sm79[.]xyz/api.php?g=gitt contains a large number of arrays. These assist the spammers in creating and spreading a large variety of spam. Some important arrays fetched from the link are:

1. A configuration array for spam rules so that you never run out of spam. It contains around 199 spam rules!

2. A configuration array of domains used to redirect users.

3. An array of around 900+ keywords (309 in one array and 608 in the other) to be targeted. Some prominent keywords include “call girls for travelers”, “online gambling”, “off-white merchandise”, etc.


Target Localization

This Korean SEO spam campaign targets only traffic coming from Korea. This can be seen in the code snippet from the spam given below:

if(strpos(strtolower(@$_SERVER['HTTP_REFERER']), ".kr")
!== false || strpos(strtolower(@$_SERVER['HTTP_ACCEPT_LANGUAGE']),
"ko") !== false){
die('<!DOCTYPE html><html><body><script>document.location=
("'[email protected]($sc_arr[0]).'");


The first line of code checks whether the request's Referer header contains “.kr”, i.e. whether the visitor arrived from a Korean version of a search engine. The third line checks whether the Accept-Language header contains “ko”, i.e. whether the user has Korean as the default browser language. The two checks are joined with ||, so a request that satisfies either one is redirected. Also, the spam contents fetched earlier contain an array of Korean cities to customize the spam content for each one of them.
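To check your own site for this kind of cloaking, request the same page with and without the two header values the snippet tests and compare the responses. The probe below is an added example, not code from the original article; the header profiles, the marker list, the `.example` hostnames and the `simulated_site` stand-in are assumptions constructed for illustration.

```python
import urllib.request

# Header profiles: a neutral visitor plus the two conditions the injected PHP tests.
PROFILES = {
    "baseline": {"Accept-Language": "en-US"},
    "kr_referer": {"Accept-Language": "en-US", "Referer": "https://search.kr.example/"},
    "ko_language": {"Accept-Language": "ko-KR,ko;q=0.9"},
}
# Client-side redirect markers; "document.location" is what the snippet emits.
REDIRECT_MARKERS = ("document.location", "window.location", 'http-equiv="refresh"')


def http_fetch(url, headers):
    """Fetch url with the given request headers and return the body as text."""
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8", errors="replace")


def markers_in(body):
    """Return the set of redirect markers present in a response body."""
    return {m for m in REDIRECT_MARKERS if m in body.lower()}


def probe_cloaking(url, fetch=http_fetch):
    """Return {profile: markers} for profiles served a redirect the baseline is not."""
    baseline = markers_in(fetch(url, PROFILES["baseline"]))
    flagged = {}
    for name, headers in PROFILES.items():
        if name == "baseline":
            continue
        extra = markers_in(fetch(url, headers)) - baseline
        if extra:
            flagged[name] = sorted(extra)
    return flagged


def simulated_site(infected):
    """Constructed stand-in for a site, so the probe can be exercised offline."""
    def fetch(url, headers):
        referer = headers.get("Referer", "").lower()
        language = headers.get("Accept-Language", "").lower()
        if infected and (".kr" in referer or "ko" in language):
            return '<script>document.location=("https://spam.example/");</script>'
        return "<html><body><h1>Welcome</h1></body></html>"
    return fetch
```

Against a live site, call `probe_cloaking(url)` with the default fetcher; any non-empty result means visitors matching the Korean profile are served different content than everyone else.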

Old Habits Die Hard

Korean SEO spam bears multiple similarities to Japanese SEO spam. For instance, Korean SEO spam also creates spammy doorways on many sites around the world. Another similarity is that it tries to sell cheap pharma products. Just like Japanese SEO spam, it also tries to claim ownership of compromised sites.


Although the spam campaign is similar to the Japanese SEO hack, the Korean SEO spam campaign features a new and alarming method of polluting the search results of legitimate and uncompromised websites. One of the configuration arrays in the contents fetched from “hxxp://god.sm79[.]xyz/api.php?g=gitt” includes a list of around 500 random sites. The URLs of these sites are stored in the following format: http://example.com/?s=[something].

The “/?s=search-string” query at the end of every URL asks the WordPress site to search for a specific string. What the attackers did was link the random sites to these Korean spam keywords.


As mentioned before, the sites were uncompromised, and therefore they did not return any results for these Korean keywords. However, the “not found” page did contain the keyword, which led Googlebot to rank the sites for these keywords.

To get a better picture, take a look at the example given below.

A “NOT FOUND” page containing the spam search query.

The returned page simply states that the search query was not found. However, it also contains the complete search term with the spam keyword. The page also contains the name of the site gmvcs [.] com, which is being promoted during this spam campaign.

A simple Google search for this site can therefore reveal millions of indexed pages, whereas in reality none of them contains this term. So this basically pollutes the SERPs of legitimate sites with multiple spam keywords and promoted sites, leading to negative SEO and a nightmare for their webmasters!



To avoid search result pollution of your website, insert the following tag into your search result page:

<meta name="robots" content="noindex">


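Another alternative is to keep crawlers away from the search result URLs using the robots.txt file. Google has not honored a Noindex directive in robots.txt since September 2019, and a rule for / would cover the entire site rather than only the search pages, so use a Disallow rule scoped to the search URLs. Simply create a robots.txt file in the root folder and add the following code:

User-agent: *
Disallow: /?s=

A page blocked this way is never crawled, so the crawler will not see a noindex meta tag on it; pick one of the two approaches for the search pages.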

This can also be done with WordPress plugins.
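To confirm the fix took effect, fetch one of your own search result pages and check that it is marked noindex while it still echoes the query. The checker below is an added example, not code from the original article; it also accepts the `X-Robots-Tag` response header and the `googlebot` meta name, and the sample page and search term are constructed.

```python
from html.parser import HTMLParser


def split_directives(value):
    """Split a robots directive list such as 'noindex, nofollow' into a set."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots"> and <meta name="googlebot"> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "meta" and attr.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= split_directives(attr.get("content", ""))


def audit_search_page(html, headers, term):
    """Report whether a search result page reflects `term` while staying indexable."""
    parser = RobotsMeta()
    parser.feed(html)
    header_value = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag", "")
    directives = parser.directives | split_directives(header_value)
    noindex = bool(directives & {"noindex", "none"})  # "none" implies noindex
    reflected = term.lower() in html.lower()
    return {"noindex": noindex, "term_reflected": reflected,
            "exposed": reflected and not noindex}


# Constructed sample: a "not found" search page that echoes the query string.
TERM = "constructed-spam-keyword promoted-site.example"
NOT_FOUND = ("<html><head><title>Search</title></head><body>"
             "<p>Nothing found for %s</p></body></html>" % TERM)
FIXED = NOT_FOUND.replace("<head>", '<head><meta name="robots" content="noindex">')
```

A result with `exposed` set to True means the page can still be indexed together with the echoed keyword.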


Web Application Firewall (WAF) For Protection

A good Web Application Firewall (WAF) can detect the loopholes in your site, especially the noindex part in the case of Korean SEO spam. Also, having a complete security solution such as Sucuri can protect your website from such spam in the future.
