How I Uncovered Criminal Activity During an SEO Audit

by Alan Bleiweiss January 25th, 2011 

forensic-seo-investigation

I love my work.  It's fascinating for me to be able to find ways to help clients improve their visibility, leads and sales conversions through my audit work.  From time to time, it gets really interesting when I discover gray hat or black hat activity the clients current or former in-house, or outsourced SEO provider had been conducting or had implemented without the site owners knowledge.

Its even more rewarding however, on those rare occasions when I get to come across what turns out to be criminal activity.  That stuff is like being handed a basket full of kittens and puppies, along with a unicorn and a rainbow!

A brief background

Everyone in our industry brings their own unique combination of experience, skills, knowledge and talent.  How we approach the work we do is shaped by that background.

For me, not long after high school, I joined the Army.  I was naive and malleable, so when a friend asked me to go with him to the recruiter because he was joining up, I ended up getting pitched.  And when I saw a video (VHS was brand new back then – the decks were the size of a big suitcase) showing Military Police – with badges and guns, I was hooked.  And in my time in the Army, I learned some advanced investigative techniques I use today in my audit work.

A combination of shiny-object-syndrome and a fascination with patterns has taught me to look beyond the obvious.

Fast forward to February 2010

I was hired by an agency to perform an audit on a major online retail site.  It happens to be in the top five in it's market online.  The site had been running for a number of years and had extensive previous optimization.  My job then, was to find ways to take everything to the next level.

In that process, I spent probably a couple dozen hours reviewing and documenting the standard stuff – topical focus, content organization, overall site architecture, on-page factors, and all the usual suspects.

Combined with several subsequent section level tactical audits and action plans, I'm proud of the fact that year over year, 2010 saw a 45% increase in organic visits, and 37% increase in organic generated sales.

But it was my review of the inbound link profile that revealed what turned out to be the criminal activity.

Looking For Patterns

Rather than examining every aspect of optimization on dozens or hundreds of pages, I look for patterns.  For example, if I find that three, five or eight pages all have fuzzy topical focus, I know that's an item that needs addressing.

If I see that content isn't grouped intuitively for users in one or more of the top sections of a site, I know that's a hindrance to search engines as well.

I use the same method when reviewing inbound links.  Not a link building specialist I don't spend hours on the inbound links but, when appropriate to the audit's goals, look for patterns within those inbound links.

I find Open Site Explorer to be invaluable for this work. I can run a report, export it to Excel, sort, filter and regroup inbound links to my hearts content.

What I Look For Within Inbound Links

When I'm examining inbound links, I look at several things – is there a good mix of keyword specific anchor text compared to brand anchors? Are those balanced with a decent number of "random" anchors?  What's the ratio of inbound links to root domains?  There needs to be a balance in order to avoid the appearance of having an unnatural inbound link profile so those are important factors.

I also examine the type of sites links come from, because to look natural, that profile needs to also include links from a variety of sites.  Not just based on authority weight, but the type of sites as well.  For example, if it's a retail site, I like to see links come from blogs, news sites, business sites, and review sites among others.

How I Hit The Jackpot – The Soft Eyes Approach

digital-forensics

As I examined this particular sites profile, I used a review technique taught to me many years ago called "The soft eyes approach".  Sounds hokey, I know, but you'd be amazed at how effective it is.

Say for example, you're staring at a forest – thousands upon thousands of trees stretching as far as the eye can see to your left and to your right.  If you try and see every single tree, or figure out the species of each, you'll go batty.  If you try to see what's odd in the forest, you'll rapidly become queasy.

And your head may just explode.  So I recommend not doing that.  It's dangerous. To your brain-matter.

Instead, defocus – let your vision go just a little fuzzy.  If you do that, and hold that as you slowly scan the tree-line, what you'll begin to notice are things that don't seem to belong.  Maybe it's a deer, or the trunk of a still upright dead tree, or a tree that has long since fallen over.

Whatever it is, your brain will trigger on it because it's not like everything else around it.

It's that process in this particular audit which led to me to something that didn't seem to fit. A web site that kept popping into my "odd – what's that doing there" awareness.  The name of the web site  sounded like it was another online retail site in the same exact niche.

I looked at the inbound links coming from that site. They weren't pointed at the home page, or a category page, or even a product page — they were pointed at an internal shopping process page.  A page no inbound link should ever justifiably point to.

So I went to the site, to see what was up…  And OMG…

The entire site was a complete scrape of the site I was auditing. Every single page, every single navigation link, every single product.  Everything was exactly the same, except the domain name.  Even the logo was the same.

We're not just talking about a scraped HTML site.  We're talking about everything. Including the member sign-up and sign-in forms, the member profile forms… They'd essentially stolen the entire legitimate site's identity and functionality!

Stop, Go Back, Start Again

Back in the day, when I carried a badge, and a gun, I was trained in the art of searching suspects.  We were taught that when searching someone, if you come across a weapon, you stop and start your search over.

gun

It's what I was taught.  It's what I did the time I had to confront someone who had been flashing a pistol at a beer festival when I was stationed in Germany.

There I was, on the sidewalk; suspect face down on the ground, my knee pushed into his lower back, my .45 pointed at his head.  Adrenaline pumping through me faster than fuel passes through a jet engine, as one hand did the searching.

And after finding the pistol he'd buried in his pocket, on that second pass, I found a knife I'd missed the first time.*

The point of starting over?  Simple.  As much as you think you found everything the first time, the moment you hit the jackpot, if you stop and start over, you're more likely to be even more vigilant.  More on the alert.

For this situation, the audit,  it paid off too when, during my second soft-eyes go-round, I found ANOTHER site with too coincidental a domain name.  And THAT site's inbound links ALSO pointed to internal process pages. And when I went to THAT site, I saw ANOTHER COMPLETE DUPLICATE of the entire site.

The Bigger Problem Uncovered

Scraper sites are a bane, a thorn, and a headache all rolled into one big ugly ball.  Sure, they can result in extra inbound links.  And most of the time, those are harmless.

But in this situation?  It was the worst of the worst. Not just a duplicate content issue.

Whoever pulled this one off, didn't just scrape – they spoofed.  Aanyone going to one of those sites would click on any link they wanted anywhere in the navigation or inside the content, and they'd go to another page on that spoofed site.  Except for those links that, for some reason, had been overlooked (buried deep within the site themselves) – the ones that alerted me to this problem.

Where this gets nasty is in the fact that we're talking about eCommerce. Credit card information.  Mailing address information. User login and Password; a lot of people use the same on every other site they visit.  And that, my friends, is a big problem. Epic.

Lawyers and corporate executives were brought into the case, as was the registrar and the domain host.  In short order, both sites were taken down.  Beyond that I can't discuss the case. (don't you just hate when that happens?) Besides, that would require a book.

Forensic SEO Matters

forensic-casebook

By taking the soft-eyes approach when your eyes gloss over as a result of trying to see every tree in the forest, you're more likely to see patterns and shiny objects that stick out. It helps you be more efficient,  saving you from spending too much time reviewing any individual aspect on your checklist.

You may not ever stumble on something truly criminal.  Heck – I've only come across a total of three situations that qualified as criminal activities in the entire ten years I've been doing SEO. But you will start to spot more common "that's odd…" things to investigate.  Like how some SEO "professionals" bury links inside the code, pointing to their own sites, or to their client's sites.  Links that might not pop out at you because the visible text in the browser doesn't reveal them. People leaching off of unsuspecting site owners, for gray hat or black hat reasons.  Or malicious reasons – like the times I've found malicious code deep within what would initially appear to be endless boring JavaScript.

And who knows – you might uncover a crime syndicate that gets you on the cover of Master Detective!  :-)

________________

*In case you're wondering, that event actually occurred during my last year in-country while I had been on duty as an M.P. and it's stayed with me as vivid as if it were last night, even though the year was 1982.

Alan Bleiweiss

I am a Forensic SEO Consultant with more than ten years in search marketing, and sixteen overall Internet marketing management. I'm also a columnist at Search Engine Journal and the founding author at Search Marketing Wisdom.

You May Also Like

13 Responses to “How I Uncovered Criminal Activity During an SEO Audit”

  1. Dan Cristo says:

    Hey Alan,
    Great post. It reminded me of my work at a previous company, also an ecommerce site, where I ran across the exact same thing. Someone was spoofing the site, and collecting private information.

    I wish I had the intuition at the time to make a great post out of the situation, but that's ok. Even if I had written an article about it, it wouldn't have nearly been as entertaining. lol. Loved the tie in with the knife search story.

    Great job with the article, my friend.
    Dan Cristo
    .-= Dan Cristo recently posted: What is one SEO theory that you would love to see tested =-.

    • Thanks Dan

      I'm glad you mention your similar experience. It's important for people to know this stuff goes on out there. And did you notice – that event took place a year ago – I'm just now writing the article. This type of issue is timeless in many ways.

  2. Don Rhoades says:

    Thanks for sharing Alan! Great insight for us all.

    "If you got soft eyes, you can see the whole thing. If you got hard eyes – you staring at the same tree missing the forest". Detective Bunk Moreland ~ The Wire
    .-= Don Rhoades recently posted: 5 Tips for Quitting Smoking =-.

    • LOL – I have never actually watched the Wire – maybe I should go check out some reruns!

      Interestingly enough, the technique was one I picked up at a meditation retreat.

  3. Jeff Quipp says:

    Great post Alan! I was hooked from the beginning. Absolutely love how you tie it all in with what you learned in the military! Thank you!
    .-= Jeff Quipp recently posted: How I Uncovered Criminal Activity During an SEO Audit =-.

  4. Great article! What ended up happening with the scraped sites? Was the client able to take action?
    .-= Dana DiTomaso recently posted: I’m having a sale =-.

  5. Awesome post. Saw the post on Twitter and the title just got me. The rest of the post – equally as enthralling. I can't imagine having found that out, but kudos for handling it well! I haven't thought about looking thoroughly at the legitimacy of a site like that. Good advice and great experience. Thanks for sharing.

    Leslie

  6. Wow. Great post Alan. It's always interesting to travel down those rabbit holes and finding unexpected things like this when conducting an audit. I've never encountered anything as insidious as this but I have found some astounding issues when conducing site audits/
    .-= Mark Pilatowski recently posted: Google Trends Manipulation- A Lesson for Old Media =-.

  7. Hey Alan, thanks for your post. I have always been interested in computer forensics. It's good to know that somebody is looking out for others that pay no interest whatsoever to those kind of situation. Some people have no feelings for others when it comes to take something out of you and then they take advantage. The one thing I feared is those people that change your affiliate codes to theirs and take your commissions.