Cybeattacks:Black hat SEO operators sabotage PH news sites with toxic backlinks

0
593

Aug 8, 2022, PHT, Gemma B. Mendoza

EXCLUSIVE: Spammy domains have been attacking news websites with toxic backlinks since late 2021. A possible motive: to get these sites downranked in search results.

MANILA, Philippines – Ahead of the May 2022 elections, Rappler and a number of other Philippine news websites found themselves at the receiving end of heightened distributed denial of service (DDoS) attacks.

A number of newsrooms, including ABS-CBN news, GMA News, Rappler, Philstar, Vera Files, Altermidya, Bulatlat, CNN Philippines, were affected by the attacks. At their peak, newsrooms struggled to keep their websites up while readers trying to access the sites affected were being served 403 or 404 error messages.

This was not the first time media organizations in the Philippines were targeted. Prior to the DDoS attacks, newsrooms and journalists were subjected to vilification campaigns on social media by pro-Duterte administration social media influencers and social media propaganda channels.

To unmask the attackers, we worked with Sweden-based digital forensics nonprofit Qurium Media to investigate data from the floods to Rappler, ABS-CBN, and Vera Files. Qurium found that one of the methods used by the botnet – the network of devices used to launch the cyberattacks – included tapping several thousands of domains classified as “referrer spam.”

Referrer spam is a black hat digital marketing technique that involves flooding a website with fake visits coming from fake referrer URLs so they would appear in the traffic logs of the target site.

CYBERATTACK. This was the error message that users of Rappler and other news websites were seeing while the sites were under heavy attack.

The goal of spammers, according to industry insiders, is to get the attention of webmasters and prod them to click on the URLs in their analytics dashboard.

This is abusive behavior as it slows down the target site and takes up resources without really resulting in pageviews. On a massive scale, and depending on how robust the hosting system of the target site is, this could cause websites to go down. This happened in the case of the newsrooms affected by the DDoS attacks.

More importantly, this further deprives the public of verified and valuable information, which is already being buried by memes and fake news. One of the incidents of these cyberattacks was staged while media groups were busy covering the impact of Typhoon Odette in the Visayas. Another attack was launched in the middle of a presidential debate.

New attacks

The DDoS attacks on Rappler and most of the news sites have since died down. Our tech team managed to implement a host of mitigating measures to stop the botnets from crippling us. We also published stories exposing potential actors behind the attacks. 

But it’s wishful thinking to believe they have stopped planning for the next round of attacks.

In late July, while investigating a sudden drop in traffic coming from search results, Rappler uncovered thousands of backlinks from what was flagged by a search monitoring tool as “toxic domains.” These are websites built through automated link-building schemes, often of poor quality and with very little content.

The tool found over 1,300 of these referring domains, which have very high toxicity scores, to have been barraging the site with a “suspicious number of backlinks.”

WARNING SIGNS. Alert notices on the dashboard of a search monitoring tool, informing news site webmasters of new toxic domains and domains sending in suspicious numbers of backlinks.
Impact of negative SEO

Getting linked to is desired by website owners. In fact, news websites – because they usually regularly produce updated unique, credible, and informative content – rank well in search results because they naturally get a lot of backlinks.

But numerous links coming from toxic, spammy sites is a different story. Left unchecked, this could bring down traffic to those targeted or affected sites.

This is double-whammy for news websites already struggling from loss of traffic from Facebook, which has steadily deprioritized news pages on its news feed over the past years.

News websites affected

The bulk of the backlinks to the news websites examined were from low-authority sites. This is not necessarily bad as some newly-created sites might only be starting to gain authority and quality backlinks.

What is alarming are indicators that a substantial number of backlinks are from potential spam sites.

An initial scan of backlinks to other Philippine news websites revealed that Rappler is not the only one being targeted by link spammers. Signs of potential spam attacks were found with respect to linkbacks to the websites of ABS-CBN News, Philstar, and Vera Files.

In the case of Rappler, the tool further uncovered 64,295 domains which could be potentially linked to one another through the same IP addresses, same Google Analytics IDs, same Adsense IDs, same url paths, same page title domains, multiple same root subdomains, or mirror pages. Backlinks with these markers, according to the tool, can signal link networks. It further said this could also be a sign of a spam attack.

In all, these potential spammy domains have created 400,351 backlinks that targeted Rappler.

POTENTIAL SPAM ATTACK. Screenshots from the dashboard of a search optimization audit tool alerts of potential link networks with backlinks to news websites. The tool says this could be a sign of a spam attack.

Of these domains, 50,452, accounting for a total of 221,067 backlinks to Rappler, have very low authority scores. A further 2,170 domains of these domains, accounting for a total of 10,676 backlinks, have very high toxicity scores.

In the case of Philstar, 52,558 domains accounting for a total of 357,889 backlinks bear the markers of potential link networks. Of these, 38,593 domains accounting for a total of 177,697 backlinks have very low authority scores, while 1,196 domains accounting for 5,772 backlinks have very high toxicity scores.

In the case of Vera Files, the other Filipino 3rd party fact check partner of Facebook, 17,753 backlinks were found, of which a total of 10,065 were from 2,179 potential spam domains. Of these linkbacks, 3,743 came from 1,373 domains which have very low authority domains. A total of 102 of these linkbacks are from 29 toxic domains.

Poor quality to no content

Backlink data for Rappler, ABS-CBN News, and Philstar show that a number of the top referring domains, meaning websites from which the most number of backlinks originated, have over 500 backlinks to these news sites.

A quick review of the “toxic” websites showed that many of the URLs linking back from these domains have either no content or very little content. In cases where the pages did have content, the content was either unintelligible or clearly produced through automated content spinning techniques. This means they are not real articles or real content at all.

Most of the pages found to be linking back to Rappler and Philstar were not even visibly linking. Instead, they were abusing website resources by “hotlinking,” or by directly rendering images from these websites on their webpages. Below are examples of these sites. 

LINK ABUSE. These are examples of dubious apps hotlinking to photos on Rappler and Philstar. Apps developed through Web services that simplify web app development, like Netlify and Firebase, have been used to launch the spam link attacks.

Hotlinking is also considered abusive and akin to stealing because it does not only use a target website’s assets, it also uses up that website’s bandwidth. In short, the target website owner bears the server costs without necessarily benefiting in terms of monetizable pageviews. It also potentially infringes on copyrighted material.

One of the keywords toxic backlinks have been targeting on the Rappler site is the keyword “crowdfunding.” What is significant here is that instead of linking to Rappler’s crowdfunding page, the spammy pages have been linking to non-existent subdomains on Rappler.

SABOTAGE. Automated link building schemes attempt to divert searches for “crowdfunding” to pages that do not exist on Rappler.

Similar abusive spammy links have been targeting odd keywords on the websites of ABS-CBN News, Philstar, and Vera Files.

The links below targeted the keywords “6841 philstar.com” on the Philippine Star website. A quick search on Google shows that Philippine Star does not seem to have this content.


RANDOM KEYWORDS. Example of random keywords being used to spam the website of Philstar.com

This type of spam attack was also observed on the website of ABS-CBN News using keyword “5651. Abs-cbnnews.com.”

MORE SPAM. Like Philstar and Rappler, the website of ABS-CBN News was also a target of spammy backlinks targeting random keywords.

Some of the spammy websites were flagged by Google Chrome as potentially dangerous. Below is a screenshot of one of the websites spamming the website of Vera Files, one of the two Filipino 3rd party fact check partners of Facebook.  

DECEPTIVE SITES WARNING. Chrome displays this notice when a user attempts to access one of the websites which has been spamming the website of Vera Files.
Election ramp up?

It is difficult to detect when exactly the spam operations began. Quick checks using the SEO audit tool showed that a number of these toxic backlinks were “recent.”

One indicator is the growth in the ratio of referring domains to backlinks, which went through the roof from November 2021 to June 2022 in the case of both Vera Files and Rappler.

Prior to this, the number of backlinks had been growing at a fairly similar pace as the growth in the number of referring domains – an indicator of healthy and organic link generation pattern naturally derived from quality and credible content. 

PRE-ELECTION BUILD-UP. The number of domains found by the tool to have a ‘suspicious number of backlinks’ increased exponentially ahead of the 2022 elections.

The fact that traffic to news websites tends to grow as election coverage heats up could partly explain this. But a closer examination of the top referring domains, which included the toxic sites identified, showed this does not fully explain this level of link buildup nearing elections. It is possible that this was the period when there was a buildup of websites which the tool described as having a “suspicious number of backlinks.”

This period is also right about the time when Philippine newsrooms were being subjected to numerous intense DDoS attacks. 

A website would normally not have that many backlinks to another website unless they are partners or are collaborating with each other. Examples of these were backlinks to Vera Files from Tsek.PH, an election-related collaborative fact-checking effort. Rappler also heavily linked to the websites of newsrooms it collaborated with under the #FactsFirstPH initiative. An indicator that would show this is related content, which would explain the cross-referencing, as in the cases mentioned.

Rappler found that some low quality domains to Vera Files had targeted the website of the fact check group with between 100 to over 300 backlinks. What is significant is that the content of these domains were not even related to the typical content on Vera Files.

A number of toxic domains barraged the websites ABS-CBN News, Philstar, and Rappler with as many as over 500 backlinks each.

Shifting attack tactics?

At the time we investigated these cyberattacks, Tord Lundström, technical director at Qurium Media, noted that the use of referral spam for DDoS was “a very specific signature” not often seen in typical denial of service attacks. “You need many IP addresses and many URLs to create this type of traffic.”

He concluded that the ones behind the attack probably hired one of the existing blackhat SEO operations that has access to this other type of business.

Spammy link referrals are discouraged by Google. It is not in the interest of the news websites concerned to engage in this practice both because of the impact on server resources and the resulting penalties that could be imposed on them if they are found to be engaging in manipulative link-building schemes.

The question is what do these attackers get from doing this?

Sabotage

Many of these potential spammy sites were produced using free services like Netlify, Firebase, and Blogspot. But this does not mean that the whole spam operation was not without costs.

For one thing, tools need to be bought. The software for building backlinks that Rappler found costs around P5,500. A tool that allows breaking through captcha mechanisms meant to prevent automated mechanisms for account creation costs around 7,700.  Another tool for automatically generating content costs another P7,400.

But even if the tools are already available, building these websites and backlinks – at the scale it was done here – still requires tremendous time and effort.

Considering potential penalties for unethical link-building schemes, using these techniques clearly does no good for the news websites concerned.

Since many of these do not even have content or have poor content, it is doubtful that the builders of the websites are able to monetize them through advertising as typically done before. Some of the pages that we found did not even have advertising. Below is an example.

Since there is very little other value the spammers themselves could derive from the websites we discovered, the only apparent purpose of the spam backlinks is sabotage.

Unfortunately, unless search giants recognize this as a threat to the information ecosystem, the only way to fend off these spam attacks is constant monitoring – something many newsrooms in the country do not have the resources for. – Rappler.com