Dubious sites spamming PH news groups traced to Swedish black hat SEO operator

Gemma B. Mendoza
(1st UPDATE) Our dive into backlink data from toxic sites targeting Philippine news groups uncovers a Swedish black hat SEO operator’s online extortion scheme

First of 2 parts
READ: Part 2 | Spamming for ransom: The dubious business of black hat SEO marketing

MANILA, Philippines – What if somebody asks you to pay him US$36 (P2,058)* to remove undesirable backlinks from his website to yours that you did not ask for to begin with?

To the ordinary internet user, the idea of charging to get bad backlinks removed may seem preposterous. In the perverse world of black hat search engine optimization (SEO) operators, however, it makes perfect sense because there is a market that can be exploited. Moreover, it is a potentially lucrative business.   

In late July 2022, we discovered that Rappler, ABS-CBN, Philstar, among others, were being heavily spammed by thousands of dubious websites that an SEO monitoring tool described as “potential link networks.” This caused stories from these sites to be less visible in search results.

While being linked to generally benefits a website, having numerous backlinks coming from toxic, spammy sites is a different story altogether. Search engine giant Google, which uses backlinks as one of numerous signals for determining the relevance and importance of specific online content, has been battling manipulative link building schemes for years.

Very recently, a search expert from Google confirmed that in cases where there is a clear pattern of spammy and manipulative links by a site, the search algorithm may decide to simply distrust the whole site.

Left unchecked, these spammy backlinks could bring down traffic to affected sites – something that news websites relying on traffic from search results cannot afford to ignore. Rappler discovered the problem after observing a sharp drop in traffic from search results in July.

A negative SEO extortion scheme

To address the spam attacks, we teamed up with the Swedish digital forensic group Qurium Media, with whom we had previously worked when Rappler and other Philippine news groups faced heightened distributed denial of service (DDoS) attacks ahead of the May 2022 elections. (Qurium’s investigation can be found here.)

We analyzed data on backlinks to Rappler and other news sites, collected more information, and identified patterns that could lead us to potential culprits. Our deep dive brought to our attention a Swedish black hat SEO operator’s online extortion scheme. 

The black hat operator charges $3 (P171.55) per month or $36 (P2,058) per year for each link a user adds to their site. Expensive, right? But not as expensive if you compare it with the price of deleting unwanted backlinks: a whopping $36. 

If you take those prices into consideration and take note of the number of backlinks targeting the three Philippine news websites, the potential windfall could run from the hundreds of thousands of dollars to over a million dollars. 

That is assuming that the news websites victimized here could afford that hefty price tag. 

The monitoring tool flagged tens of thousands of websites backlinking to Rappler and other news sites with markers indicating that they are parts of “potential link networks”: they share the same IP address, URL path, page titles, root subdomains, or Google Analytics and/or Adsense IDs. Thousands were also flagged as mirror pages, meaning the websites are copycats of others within the network.

Identifying the spammers

The tool did not give us specific identifying information. Thus, we gathered additional data to see if there are indeed links among the websites. This included historical domain registration information, IP addresses, as well as identifiers like Adsense and Analytics IDs. 

An IP address stands for “Internet Protocol address,” a series of numbers that identifies any device, such as the hardware where a website is located, on a network. Human users now typically use domains or URLs (such as www.rappler.com) to access websites because it is easier for us to remember strings of text than a series of numbers. But IP addresses are still used for computer-to-computer communications over the internet as well as on other networks. 

While it is not always the case, websites that have the same IP address could potentially be managed or owned by the same group.

The other data points we gathered are trackers that can be found on the code of websites. For instance, the Google Adsense tracking code can be found on sites that use Google’s web monetization service to enable display advertising. On the other hand, the Google Analytics code allows website administrators and owners to track website traffic.

Finding similar tracking codes in a cluster of websites usually indicates that they have the same website administrators or owners. To obtain the tracking codes, we had to scrape them from the code of the websites that the SEO monitoring tool flagged. 

Combined, the above information could help identify clusters of sites that could potentially have the same owners or administrators. The network graph below visualized these clusters.
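The clustering step described above can be sketched in a few lines. This is an added example, not code from Rappler or Qurium: the site records are constructed, and `SHARED_HOST_IPS` is a hypothetical list of platform-wide addresses that are ignored as evidence, since sites on a free hosting service share an IP without sharing an owner.

```python
import re
from collections import defaultdict

UA_RE = re.compile(r"\bUA-(\d{4,10})-\d+\b")   # capture the account part, drop the property suffix
ADS_RE = re.compile(r"\bca-pub-\d{16}\b")      # AdSense publisher ID

# Constructed sample records (domain, resolved IP, page HTML); not data from the investigation.
SAMPLE_SITES = [
    ("links-a.example", "192.0.2.10", "<script>ga('create','UA-1234567-1')</script>"),
    ("links-b.example", "192.0.2.10", "<title>Directory</title>"),
    ("blog-c.example", "198.51.100.50",
     "<script>ga('create','UA-1234567-2')</script><ins data-ad-client='ca-pub-1111222233334444'>"),
    ("shop-d.example", "203.0.113.5", "<ins data-ad-client='ca-pub-1111222233334444'></ins>"),
    ("free-e.example", "198.51.100.50", "<title>My blog</title>"),
    ("news-f.example", "203.0.113.9", "<script>ga('create','UA-7654321-1')</script>"),
]
SHARED_HOST_IPS = {"198.51.100.50"}  # assumed: IP of a free blogging platform

def extract_ids(ip, html, shared_ips):
    """Return the identifiers that count as evidence of common administration."""
    ids = {"ga:UA-" + acct for acct in UA_RE.findall(html)}
    ids |= {"ads:" + pub for pub in ADS_RE.findall(html)}
    if ip not in shared_ips:          # a platform-wide IP says nothing about ownership
        ids.add("ip:" + ip)
    return ids

def cluster_sites(sites, shared_ips=frozenset()):
    """Union-find over sites and identifiers; sites sharing any identifier end up together."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node

    for domain, ip, html in sites:
        site = "site:" + domain
        find(site)
        for ident in extract_ids(ip, html, shared_ips):
            parent[find(site)] = find(ident)
    groups = defaultdict(list)
    for domain, _, _ in sites:
        groups[find("site:" + domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for cluster in cluster_sites(SAMPLE_SITES, SHARED_HOST_IPS):
        print(len(cluster), cluster)
```

Calling `cluster_sites(SAMPLE_SITES)` without the shared-host list pulls `free-e.example` into the large cluster purely because of its hosting platform, which is the false link the article cautions about.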

Some of the big clusters in the network map are sites and apps created through services like Blogspot, Firebase, Netlify, Typepad, Weebly, Appspot, Booklikes. These sites are hosted on the same service which means they have the same IP address.  

Because they are either free services or have free tiers, these services are often exploited by black hats in link-building schemes.

Being hosted on these sites alone does not necessarily make the sites suspicious, however. What does are other indicators: many of them are hotlinking or directly embedding images or assets from the news websites, an abusive behavior. Many also use content that is either copied from other sites or clearly spun using automated content generating tools.     

Unfortunately, like Facebook and other social media accounts, it is very difficult to trace the real ownership of these sites. What is worth noting though are websites within these big clusters that are linked to other clusters with traceable identifiers.

Tracking down a black hat

The next cluster that stood out was a group of sites that shared this same title: “The Globe – The world’s most visited web pages.” The cluster was of particular interest because, among the websites flagged, the tool rated these sites as highly toxic, or likely part of link-building schemes. 

The search monitoring tool revealed hundreds of similarly laid out websites with the same browser title. These websites targeted not just Rappler, but also the websites of ABS-CBN News and Philstar. 

UNDESIRABLE BACKLINKS. Websites linked to The Globe have been heavily backlinking to Philippine news websites ABS-CBN News, Philstar, and Rappler.

Random checks of websites in this cluster showed that the sites were almost uniform in look and content – consisting of a logo with the image of the globe and a callout to visitors to add their web pages and products on The Globe’s website. Apart from this, the websites typically feature a long bare list of links to various websites. 

Further checks showed that most of these sites were either linking or redirecting to the website http://theglobe(dot)se.

MIRROR SITES. Screenshots of some of The Globe websites hosted on IP address (78.69.18.135).

Working with Qurium Media, Rappler found that this cluster of sites did not just share the same titles or look and feel. Over a hundred of the sites with these traits, which backlinked to Rappler, shared the same IP address (78.69.18.135), meaning they were hosted on the same device.

How does a network of websites with very little informational value to end users and no visible advertising benefit from repeatedly linking back to other websites? 

This is where the backlinking extortion scheme comes into play. If you go to the site http://theglobe(dot)se/, you will find a hyperlink with this text: “lagg till lankar” (Swedish for “add links”). Clicking on this link takes you to a web page that charges $3 per month or $36 per year for each link added to the site. 

PAY PER BACKLINK SERVICE. The Globe charges client websites US$3 per backlink from their site.

In all, over 500 websites, including hundreds of sites which were spamming Rappler, ABS-CBN, and Philstar are hosted on this IP address. 

Some of the domains of these sites were privately registered, meaning, the person or entity that registered the domain was redacted from records. 

However, at least one site had a publicly visible registrant as of December 2021: an individual named Richard Genmar whose listed address is in Stockholm City, Sweden. The domain is the-search-engine(dot)net, a website that targeted both Rappler and Philstar. 

By April 2022, the registrant record for this website had been redacted from domain registration records. But it is highly likely that the owner and nature of the website have not changed, because a snapshot we found of the site on Wayback Machine showed that the look of the website as of December 2021 is the same as it is now.

We searched for other background information on Richard Genmar online. His name, Jan Richard Genmar, also comes up as the owner of the trademark, “The Globe,” the logo featured in websites hosted on the IP address: 78.69.18.135. 

In a government listing for companies operating in the UK, Genmar’s name also comes up as the director for The Globe, Int. LTD. The UK government record indicates that he is Swedish but this could not be independently verified. The website itself has a disclaimer that says: “Companies House does not verify the accuracy of the information filed.”

We dug further into IP address 78.69.18.135 and found that this device is within the server infrastructure of Telia Company AB, a Swedish multinational telecommunications company and mobile network operator present in Sweden, Finland, Norway, Denmark, Lithuania, Latvia, and Estonia. 

This specific IP address had previously been reported for abuse in relation to web spam. – with Bingbong Recto and Ogoy San Juan/Rappler.com

(Part 2 tackles the business side of a negative SEO operation and how it works. It also explores options for owners of affected sites.) 

*Conversion rate: $1 = P57.18

Gemma B. Mendoza

Gemma Mendoza leads Rappler’s multi-pronged efforts to address disinformation in digital media, harnessing big data research, fact-checking, and community workshops. As one of Rappler's pioneers who launched its Facebook page Move.PH in 2011, Gemma initiated strategic projects that connect journalism and data with citizen action, particularly in relation to elections, disasters, and other social concerns.