Site icon Search Engine People Blog

How I Uncovered Criminal Activity During an SEO Audit

forensic-seo-investigation

I love my work.  It's fascinating for me to be able to find ways to help clients improve their visibility, leads and sales conversions through my audit work.  From time to time, it gets really interesting when I discover gray hat or black hat activity the clients current or former in-house, or outsourced SEO provider had been conducting or had implemented without the site owners knowledge.

Its even more rewarding however, on those rare occasions when I get to come across what turns out to be criminal activity.  That stuff is like being handed a basket full of kittens and puppies, along with a unicorn and a rainbow!

A brief background

Everyone in our industry brings their own unique combination of experience, skills, knowledge and talent.  How we approach the work we do is shaped by that background.

For me, not long after high school, I joined the Army.  I was naive and malleable, so when a friend asked me to go with him to the recruiter because he was joining up, I ended up getting pitched.  And when I saw a video (VHS was brand new back then - the decks were the size of a big suitcase) showing Military Police - with badges and guns, I was hooked.  And in my time in the Army, I learned some advanced investigative techniques I use today in my audit work.

A combination of shiny-object-syndrome and a fascination with patterns has taught me to look beyond the obvious.

Fast forward to February 2010

I was hired by an agency to perform an audit on a major online retail site.  It happens to be in the top five in it's market online.  The site had been running for a number of years and had extensive previous optimization.  My job then, was to find ways to take everything to the next level.

In that process, I spent probably a couple dozen hours reviewing and documenting the standard stuff - topical focus, content organization, overall site architecture, on-page factors, and all the usual suspects.

Combined with several subsequent section level tactical audits and action plans, I'm proud of the fact that year over year, 2010 saw a 45% increase in organic visits, and 37% increase in organic generated sales.

But it was my review of the inbound link profile that revealed what turned out to be the criminal activity.

Looking For Patterns

Rather than examining every aspect of optimization on dozens or hundreds of pages, I look for patterns.  For example, if I find that three, five or eight pages all have fuzzy topical focus, I know that's an item that needs addressing.

If I see that content isn't grouped intuitively for users in one or more of the top sections of a site, I know that's a hindrance to search engines as well.

I use the same method when reviewing inbound links.  Not a link building specialist I don't spend hours on the inbound links but, when appropriate to the audit's goals, look for patterns within those inbound links.

I find Open Site Explorer to be invaluable for this work. I can run a report, export it to Excel, sort, filter and regroup inbound links to my hearts content.

What I Look For Within Inbound Links

When I'm examining inbound links, I look at several things - is there a good mix of keyword specific anchor text compared to brand anchors? Are those balanced with a decent number of "random" anchors?  What's the ratio of inbound links to root domains?  There needs to be a balance in order to avoid the appearance of having an unnatural inbound link profile so those are important factors.

I also examine the type of sites links come from, because to look natural, that profile needs to also include links from a variety of sites.  Not just based on authority weight, but the type of sites as well.  For example, if it's a retail site, I like to see links come from blogs, news sites, business sites, and review sites among others.

How I Hit The Jackpot - The Soft Eyes Approach

As I examined this particular sites profile, I used a review technique taught to me many years ago called "The soft eyes approach".  Sounds hokey, I know, but you'd be amazed at how effective it is.

Say for example, you're staring at a forest - thousands upon thousands of trees stretching as far as the eye can see to your left and to your right.  If you try and see every single tree, or figure out the species of each, you'll go batty.  If you try to see what's odd in the forest, you'll rapidly become queasy.

And your head may just explode.  So I recommend not doing that.  It's dangerous. To your brain-matter.

Instead, defocus - let your vision go just a little fuzzy.  If you do that, and hold that as you slowly scan the tree-line, what you'll begin to notice are things that don't seem to belong.  Maybe it's a deer, or the trunk of a still upright dead tree, or a tree that has long since fallen over.

Whatever it is, your brain will trigger on it because it's not like everything else around it.

It's that process in this particular audit which led to me to something that didn't seem to fit. A web site that kept popping into my "odd - what's that doing there" awareness.  The name of the web site  sounded like it was another online retail site in the same exact niche.

I looked at the inbound links coming from that site. They weren't pointed at the home page, or a category page, or even a product page -- they were pointed at an internal shopping process page.  A page no inbound link should ever justifiably point to.

So I went to the site, to see what was up...  And OMG...

The entire site was a complete scrape of the site I was auditing. Every single page, every single navigation link, every single product.  Everything was exactly the same, except the domain name.  Even the logo was the same.

We're not just talking about a scraped HTML site.  We're talking about everything. Including the member sign-up and sign-in forms, the member profile forms... They'd essentially stolen the entire legitimate site's identity and functionality!

Stop, Go Back, Start Again

Back in the day, when I carried a badge, and a gun, I was trained in the art of searching suspects.  We were taught that when searching someone, if you come across a weapon, you stop and start your search over.

It's what I was taught.  It's what I did the time I had to confront someone who had been flashing a pistol at a beer festival when I was stationed in Germany.

There I was, on the sidewalk; suspect face down on the ground, my knee pushed into his lower back, my .45 pointed at his head.  Adrenaline pumping through me faster than fuel passes through a jet engine, as one hand did the searching.

And after finding the pistol he'd buried in his pocket, on that second pass, I found a knife I'd missed the first time.*

The point of starting over?  Simple.  As much as you think you found everything the first time, the moment you hit the jackpot, if you stop and start over, you're more likely to be even more vigilant.  More on the alert.

For this situation, the audit,  it paid off too when, during my second soft-eyes go-round, I found ANOTHER site with too coincidental a domain name.  And THAT site's inbound links ALSO pointed to internal process pages. And when I went to THAT site, I saw ANOTHER COMPLETE DUPLICATE of the entire site.

The Bigger Problem Uncovered

Scraper sites are a bane, a thorn, and a headache all rolled into one big ugly ball.  Sure, they can result in extra inbound links.  And most of the time, those are harmless.

But in this situation?  It was the worst of the worst. Not just a duplicate content issue.

Whoever pulled this one off, didn't just scrape - they spoofed.  Aanyone going to one of those sites would click on any link they wanted anywhere in the navigation or inside the content, and they'd go to another page on that spoofed site.  Except for those links that, for some reason, had been overlooked (buried deep within the site themselves) - the ones that alerted me to this problem.

Where this gets nasty is in the fact that we're talking about eCommerce. Credit card information.  Mailing address information. User login and Password; a lot of people use the same on every other site they visit.  And that, my friends, is a big problem. Epic.

Lawyers and corporate executives were brought into the case, as was the registrar and the domain host.  In short order, both sites were taken down.  Beyond that I can't discuss the case. (don't you just hate when that happens?) Besides, that would require a book.

Forensic SEO Matters

By taking the soft-eyes approach when your eyes gloss over as a result of trying to see every tree in the forest, you're more likely to see patterns and shiny objects that stick out. It helps you be more efficient,  saving you from spending too much time reviewing any individual aspect on your checklist.

You may not ever stumble on something truly criminal.  Heck - I've only come across a total of three situations that qualified as criminal activities in the entire ten years I've been doing SEO. But you will start to spot more common "that's odd…" things to investigate.  Like how some SEO "professionals" bury links inside the code, pointing to their own sites, or to their client's sites.  Links that might not pop out at you because the visible text in the browser doesn't reveal them. People leaching off of unsuspecting site owners, for gray hat or black hat reasons.  Or malicious reasons - like the times I've found malicious code deep within what would initially appear to be endless boring JavaScript.

And who knows - you might uncover a crime syndicate that gets you on the cover of Master Detective!  🙂

________________

*In case you're wondering, that event actually occurred during my last year in-country while I had been on duty as an M.P. and it's stayed with me as vivid as if it were last night, even though the year was 1982.