Bait & Switch Hacking Is Gaining Top Rankings In Google

Hackers are injecting content into websites to get Google visitors, then redirecting them elsewhere.


What do a site on Bitcoin and a Polish bank have in common? Both are ranking well in Google for searches about downloading games, something neither offers. The reason? Both may be victims of a new hacking onslaught revolving around gaining top listings on Google and redirecting visitors to other sites.

How Bait & Switch Hacking Works

With bait-and-switch hacking, someone gains access to a site and begins publishing pages on topics that the site itself doesn’t normally cover. The site might not even be aware that the pages exist.

The hackers are hoping to leverage the authority of the sites they hack. The idea is that publishing such content on an existing site might do better than trying to publish it on a new site.

Here’s an example of this in action. For a search on “download games,” a page from a site called Bitcoinspot is ranking in the top results on Google:

[Screenshot: Google search results for “download games”]

The site itself isn’t about games. It’s about Bitcoin. But hackers have gained access to inject over 300 pages relating to gaming downloads:

[Screenshot: Google search results for “site:bitcoinspot.nl games”]

They’ve also injected links that only Google sees, not humans, into the home page of the site:

[Screenshot: the site’s home page]

Flooding the site with these pages worked. The hackers obtained a top ranking as shown earlier. To add insult to injury, the pages they injected into the site appear to have been taken from other sites.

Only Google sees that actual content. Human visitors, when they click, get redirected via JavaScript from the hacked site to another site. The hackers may earn money off affiliate fees for the click. Alternatively, they might gain from ads on the pages they redirect to.

Those ads, by the way, for at least one of the redirected pages I examined, were powered by Google’s own AdSense:

[Screenshot: “free games download” page reached through the redirect]

Here’s one more example, showing how a similar thing is happening to a Polish bank:

[Screenshot: Google search results for “free iphone apps”]
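A site owner can check for both symptoms described above (links served only to the crawler, and a JavaScript redirect served to human visitors) by comparing two copies of the same page. The sketch below is an added example, not code from the article or from any affected site; it assumes the page has already been fetched once with a crawler User-Agent and once with a browser User-Agent, and the host names and HTML are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Links(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.add(href)

def links(html):
    parser = _Links()
    parser.feed(html)
    return parser.hrefs

# Matches literal-string redirects only; obfuscated script needs a
# headless browser to resolve and will not be caught here.
_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""")

def js_redirect_targets(html):
    return [a or b for a, b in _REDIRECT.findall(html)]

def audit(crawler_html, browser_html, own_host):
    """Compare one page as served to a crawler UA and to a browser UA."""
    offsite = [u for u in js_redirect_targets(browser_html)
               if urlparse(u).hostname not in (None, own_host)]
    return {
        "crawler_only_links": sorted(links(crawler_html) - links(browser_html)),
        "offsite_js_redirects": offsite,
    }

# Constructed responses for one URL on a hypothetical site, bank.example
AS_CRAWLER = """<html><body><h1>Accounts</h1>
<a href="/contact">Contact</a>
<a href="/games/free-download-1.html">download games</a>
<a href="/games/free-download-2.html">free games</a></body></html>"""
AS_BROWSER = """<html><body><h1>Accounts</h1>
<a href="/contact">Contact</a>
<script>window.location = "http://downloads.example/?ref=1";</script>
</body></html>"""

if __name__ == "__main__":
    print(audit(AS_CRAWLER, AS_BROWSER, "bank.example"))
```

Any non-empty result is a reason to look for pages and files on the server that the site's owners did not publish.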

What’s Old Is New Again

This spamming tactic isn’t new. In fact, it’s so old that years ago, Google had built up its defenses so that this tactic largely dropped out of fashion. It didn’t work well enough for sites to gain rankings, especially for fairly prominent terms. But over the past two months or so, something’s changed that’s allowing it to work again, at least in the gaming space.

Juha Sompinmäki of the Gametop download site has been tracking the situation that began earlier this month (see his posts here and here) and was in touch with us shortly after it happened. As we’ve all been watching, the hacks seem most successful going after terms related to gaming and gaming downloads. But there’s evidence hackers are going after other terms by taking content off brand sites like Dick’s Sporting Goods or the children’s site, Nick:

[Screenshot: Google search results for “site:britbd.org dick’s”]

[Screenshot: Google search results for “site:teamtalkmedia.com nick”]

As the screenshots above show, content from Dick’s Sporting Goods and Nick has been taken and injected into other sites. We didn’t find that this content was ranking for any particularly important terms or outranking the original sites. However, the potential is there.

We asked Google about this situation back on December 2 and again on December 9 but received no response. We’re checking again and will update if we hear more.




About the author

Danny Sullivan
Contributor
Danny Sullivan was a journalist and analyst who covered the digital and search marketing space from 1996 through 2017. He was also a cofounder of Third Door Media, which publishes Search Engine Land and MarTech, and produces the SMX: Search Marketing Expo and MarTech events. He retired from journalism and Third Door Media in June 2017. You can learn more about him on his personal site & blog. He can also be found on Facebook and Twitter.
