Korean SEO Spam What Is Korean SEO Spam And How Can You Remove IT

Korean SEO Spam: What Is Korean SEO Spam And How Can You Remove It

Updated On:

What Is Korean SEO Spam?

Korean SEO Spam: Spam is a blanket term used for unsolicited emails, adverts, etc., which have no relevance to the end user. Spam is used for a wide variety of internet crimes. Sometimes, it is deployed by hackers to trick innocent users into buying fake products or to click farming. Sometimes, spam is used to pollute the search results of competing sites. Spam usually targets users via lucrative offers like pyramid schemes, multi level marketing, cheap pharma products, etc.

Recently, a large scale Korean SEO spam was revealed. The alarming thing about this spam campaign was the tricks it was using to pollute the search results of legitimate websites. Spammers are getting smarter every day.

Commenting on this, Finn Brunton, the author of the book “Spam: A Shadow History of the Internet” has written that, “The gradual predominance of the algorithm in the project of spamming appears in the filters and the spam created in response to them, in search engines and their manipulators, and, as will be shown, in the grand global project of the botnets.

new_releases

Mitigate Security Risk: Technical Controls To Tranquilize Cyber Threats

Table Of Contents

new_releases

What Is MITRE ATT&CK? Why Should You Pay Attention For Cybersecurity

Revealing The Layers Of Korean SEO Spam

This Korean SEO spam typically targets common CMS files like index.php, functions.php, etc. Inside any of these files, the code can be found hidden in the base64 format. Once decoded, from the base64 format, the spam would again contain another layer of obfuscation as shown in the image.

Revealing The Layers Of Korean SEO Spam

new_releases

Artificial Intelligence (AI) And Machine Learning (ML): Where Are Humans?

As seen in the image, the hackers used the “Signature For Report” comment to misdirect anyone trying to analyze the code. However, upon further decoding, this code reveals the modus operandi of the entire Korean SEO Spam campaign. Which includes:

  1. Fetching Korean spam keywords.
  2. Caching them.
  3. Cloaking to serve different content to different visitors.

Components Of Korean SEO Spam:

Fetching The Contents Of Spam

In order to fetch the contents of this Korean keyword hack the following link was used: hxxp://god.sm79[.]xyz/api.php?g=gitt. Upon visiting this link, it serves some base 64 encoded content as shown in the image below.

new_releases

Project Soli, Remastered: How Radar-Detected Gestures Might Differ Pixel 4

Fetching The Contents Of Spam

When decoded it looks something like this. This contains a long list of Korean Keywords and injection types.

Configuration Arrays Of Korean SEO Spam Content

The content fetched from hxxp://god.sm79[.]xyz/api.php?g=gitt contains a large number of arrays. These assist the spammers in creating and spreading a large variety of spam. Some important arrays fetched from the link are:

1. A configuration array for spam rules so that you never run out of spam. It contains around 199 spam rules!

Configuration Arrays Of Korean SEO Spam Content

new_releases

#HowTo Avoid Vulnerability Management Common Mistakes And Reduce Business Risk

2. A configuration array of domains used to redirect users.

A configuration array of domains used to redirect users.

3. An array of around 900+ keywords(309 in one array and 608 in other) to be targeted. Some prominent keywords include “call girls for travelers”, “online gambling”, “off-white merchandise” etc.

new_releases

Approach And Address Fraud: String It All Together With Data

An array of around 900+ keywords(309 in one array and 608 in other) to be targeted.

Target Localization

This Korean SEO spam campaign targets only the traffic generated from Korea. This can be further explained from the code snippet of the spam given below:


if(strpos(strtolower(@$_SERVER['HTTP_REFERER']), ".kr")
!== false || strpos(strtolower(@$_SERVER['HTTP_ACCEPT_LANGUAGE']),
"ko") !== false){
…
die('<!DOCTYPE html><html><body><script>document.location=
("'[email protected]($sc_arr[0]).'");
</script></body></html>');
}

new_releases

Zero Trust: Five Misconception Debunked About Zero Trust’s Dependability

The first line of code checks if the request has originated from a Korean version of search engine i.e. “.kr“. Moreover, the third line of code check if the user has Korean as the default browser language i.e. “ko“. Once, these parameters are satisfied, these requests are then redirected. Also, the spam contents fetch earlier contain an array of Korean cities to customize the spam content for each one of them.

Array for targeting each city

Array for targeting each city.

Old Habits Die Hard

Korean SEO spam bears multiple similarities to the Japanese SEO spam. For instance, Korean SEO spam also creates spammy doorways on many sites around the world. Another similarity is trying to sell cheap pharma products. Just like Japanese SEO spam, this too tries to claim the ownership of compromised sites.

new_releases

Project Soli, Remastered: How Radar-Detected Gestures Might Differ Pixel 4

Although the spam campaign is similar to Japanese SEO hack, the Korean SEO spam campaign features a new and alarming method of polluting the search results of legitimate and uncompromised websites. One of the configuration array with the contents fetched from “hxxp://god.sm79[.]xyz/api.php?g=gitt” includes a list if around 500 random sites. The URLs of these sites are stored in the following format: http://example.com/?s=[something].

Towards the finish of every URL, the WordPress site requests that a specific query be searched which is “/? s=search-string” query. What the attackers did was to link the random sites to these Korean spam keywords.

new_releases

#HowTo Avoid Vulnerability Management Common Mistakes And Reduce Business Risk

As mentioned before, the sites were uncompromised and therefore they did not return any results for these Korean keywords. However, the not found page did contain the keyword which led to Googlebot ranking the sites for these keywords.

To get a better picture, take a look at the example given below.

A “NOT FOUND” page containing the spam search query.

A NOT FOUND page containing the spam search query

new_releases

API Security: 7 Common Delusions About APIs And API Security

This page return, simply states that the search query was not found. However, this also contains the complete search term with the spam keyword. The page also contains the name of site gmvcs [.] com, which is being promoted during this spam campaign.

A simple Google search of this site can, therefore, reveal millions of indexed pages. Whereas in reality, none of them contains this term. So, this basically pollutes the SERPs of legitimate sites with multiple spam keywords and promoted sites, leading to a negative SEO and a nightmare for their webmasters!

Mitigation

NoIndex

In order to avoid the search result, pollution of your website, insert the following tag to your search result page:

<meta name=”robots” content=”noindex”>

new_releases

Advanced Contact Form 7 DB WordPress Plugin Vulnerable To SQLi Injection Detected

Another alternative is to disallow indexing using the robots.txt file. Simply create a robots.txt file in the root folder and add the following code:

User-agent: *

Noindex: /

This can be done from other WordPress Plugins as well.

new_releases

User Experience (UX): Why Proficiency In Usability Is Imperative For Better Security

Web Application Firewall (WAF) For Protection

A good Web Application Firewall (WAF), can detect the loopholes in your site, especially the noindex part in the case of Korean SEO spam. Also, having a complete security solution such as Sucuri can protect your website from such future spams.

, , , , , , , , , , , , ,
Previous Post
What Is Search Engine Blacklist By Google, Bing, Yandex, McAfee, Norton
Next Post
Project Soli, Remastered: How Radar-Detected Gestures Might Differ Pixel 4

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu

Pin It on Pinterest