Revenge of the Black Hat: Bait and Switchers Return

An old monster everyone thought was long destroyed is rearing its ugly head once again, exacting vengeance on organically ranking sites all over the Internet. Bait and switch hacking is a dark technique from the age of black hat SEO that diverts potential views from legitimate sites to ones owned or created by the hackers. There are various reasons hackers do what they do. Some of them just want to steal traffic from other sites without putting in the work. More sinister minds, however, use such tactics to steal user information, such as credit card numbers and addresses, that can be used for scams and other similar activities. Google upgraded its crawlers to combat such techniques, and site owners took measures to protect themselves from bait and switch attacks on their end as well. The combined efforts of the search engine and early SEO companies resulted in a resounding victory that confined bait and switch hackers to the smallest parts of the internet. The last mention of bait and switch hacking before this latest spate of attacks (yes, these are attacks) was back in 2007, when some up-and-coming SEO companies tried to game the system with redirects. Needless to say, such attempts were quickly found out and put down before they did anything of substance. But what is a bait and switch hack, and why are they back?

The Black Technique

Performing a bait and switch is simple in theory, but requires a clear understanding of how Googlebot crawlers work and “see”. A hacker first gains access to a site with good organic rankings, which they can do through phishing, psychological subversion, pretexting, and other similar techniques. Once they have access, the hackers begin publishing pages on topics that the site does not originally cover, effectively leveraging the credibility of the hacked site to gain top positions on the SERPs. Users who click on such links are redirected to the site owned by the hacker, which gains traffic by using someone else’s name.

Dark Google Masters

The hackers that conduct these attacks aren’t novices in the SEO game; it’s clear that they understand the difference between how users and Googlebots see a page. We highlighted that very same difference in a past blog regarding the search severity column on the Google Search Console. You can see the example John Mueller used to demonstrate that distinction here. Hackers use this knowledge to flood sites with links that only Googlebots can see, somehow tricking the algorithm the same way they did in years past, while keeping users in the dark. In many cases, the owners of the hacked site wouldn’t even be aware that foreign pages exist until they begin seeing their once healthy rankings take massive dips for what they think is no reason at all. It’s still unclear how these hackers are able to get around Google’s algorithms as they are now, which is a bit of a concern. Through the years, Google has made hundreds of updates to its algorithms, and that’s made them extremely good at determining what’s worth putting on the SERPs and at elevating the user experience. The proof is in the pudding, as there isn’t a single search engine that even comes close to Google’s authority. These hacks may be possible today because of a simple oversight in the updates, or because of a greater breakdown in the system. Google representatives have yet to say anything official on this front, however, and SEO companies are left to speculate as to what they can do to better protect their sites from attacks.
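A site owner can check for the crawler-only links described above by capturing the same URL twice, once as a normal browser and once with a Googlebot User-Agent, and comparing the two. The following is an added example, not code from the original post; the function names, the example.com and example.net hosts, and the HTML captures are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collects absolute href targets from <a> tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(urljoin(self.base_url, href))


def extract_links(html, base_url):
    parser = LinkCollector(base_url)
    parser.feed(html)
    return parser.links


def crawler_only_links(page_url, html_as_browser, html_as_crawler):
    """Return links present only in the crawler view, split by on-site/off-site."""
    site = urlparse(page_url).hostname
    hidden = extract_links(html_as_crawler, page_url) - extract_links(html_as_browser, page_url)
    report = {"internal": [], "external": []}
    for link in sorted(hidden):
        key = "internal" if urlparse(link).hostname == site else "external"
        report[key].append(link)
    return report


# Constructed sample captures of one URL (hosts are placeholders, not real victims).
PAGE_URL = "https://www.example.com/games/"
AS_BROWSER = '<html><body><a href="/games/puzzle">Puzzle</a><a href="/about">About</a></body></html>'
AS_CRAWLER = (
    '<html><body><a href="/games/puzzle">Puzzle</a><a href="/about">About</a>'
    '<a href="/free-iphone-apps.html">free iphone apps</a>'
    '<a href="https://unrelated.example.net/landing">download games</a></body></html>'
)

if __name__ == "__main__":
    for kind, links in crawler_only_links(PAGE_URL, AS_BROWSER, AS_CRAWLER).items():
        print(kind, links)
```

Any non-empty result deserves a look: internal entries point to pages the owner may never have published, external ones to where the borrowed ranking is being sent. Cloaking that keys on the crawler's IP address rather than its User-Agent will not show up in captures you fetch yourself.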

Bait and Switchers Infiltrating the First Page

A Search Engine Land report by Danny Sullivan posted a couple of alarming examples of bait and switch hacking in action. The searches were done for downloadable games and free iPhone apps, but included some odd guests on the SERPs.

[Image: Google Download Games]
Image Source: https://searchengineland.com/figz/wp-content/seloads/2015/12/download_games_-_Google_Search.png

[Image: Google Free Phone Apps]
Image Source: https://searchengineland.com/figz/wp-content/seloads/2015/12/free_iphone_apps_-_Google_Search.png

The presence of bitcoins and Polish banks in both these SERP examples is a great cause for concern, in part because of how blatantly they operate. The targets are high-profile with considerable official markets, and the hackers are making them rank for terms that have nothing to do with their business.

Plunging Sites into Darkness

The targets of these fresh bait and switch attempts seem to be mostly downloadable game sites, as well as a smattering of other sites that range from financial institutions to entertainment websites. Juha Sompinmaeki of gametop.com was one of the first to notice and record the effect of these hacks on his site on the first day of December. At the time of this writing, the most notable victims have included bitcoinspot.nl, hbo.com, nick.com, bsndm.pl, and dickssportinggoods.com. Fortunately, Sompinmaeki shared a couple of screenshots of their data to help highlight the negative effects of such tactics on the victim sites. This is a screenshot of a search done on teamtalkmedia.com, a digital media business, back in November last year.

[Image: Google SERP TeamTalkMedia]
Image Source: https://searchengineland.com/figz/wp-content/seloads/2015/12/site_teamtalkmedia_com_nick_-_Google_Search.png

The presence of two domains on one page is an immediate red flag, but the true effect of this page’s existence can only be seen after the nick.com page goes through a thorough analysis.

[Image: SearchMetrics Keyword Position History]
Image Source: https://cdn-images-1.medium.com/max/800/1*67gJ4VHJxaXlr_x63chr-g.png

If we take note of the dates, the massive dive takes place just a few days after the initial detection of the injected information from Nick.com. This isn’t to say that the teamtalkmedia.com example was the sole cause of that drop, as there may be other sites that are using Nick.com’s leverage to gain ranking position. But such examples highlight the effect such tactics have on the organic traffic of victim sites.

A SERP Stalemate

Google hasn’t been sitting idly by as these hacks occur, though; the pages that we use as examples here are no longer on the Google index, but that doesn’t completely erase the threat. The list of pages and sites that Google is taking down because of bait and switch tactics is growing. But the hackers are creating new sites that do the same thing as soon as Google takes them down. The search engine is in a virtual deadlock with these hackers, which is a situation that should not have begun in the first place. This story is still evolving even as of this writing; everyone will have to sit tight and see what unfolds in the coming weeks, and whether Google representatives will have anything to say about the situation. This is obviously a serious concern for many SEO companies, and we’re doing everything possible to anticipate and protect all of our partners from becoming victims of such attacks. Contact us today if you want to share more information regarding this situation, and we can work together to restore balance to the SERPs.