We Got Hacked, Here's What We Found (thenextweb.com)
132 points by kurtvarner on April 5, 2012 | hide | past | favorite | 39 comments



Wow. SEO hacking. Very scary stuff, and if he hadn't been greedy, sounds like he would have gotten away with it.

SEO continues to both amaze and frustrate me. The more money that gets traded hands based on search, the more brutal and intricate the cheaters are going to become. A lot of the black hat stuff we see now is heavy-handed bullshit, but something like this, if done very carefully, would both be extremely difficult to detect and very lucrative. The canonical thing is smart as hell. You could make that change and, unless site owners specifically went looking for it, nobody would ever see. I could imagine hackers breaking into dozens or hundreds of domains and then auctioning off a very small number of SEO links. This would provide the maximum value for the minimal footprint on the site. Heck, take it up another notch and rent out the space.
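
The two symptoms the comment above describes, a `<link rel="canonical">` quietly repointed at another domain and outbound links tucked into hidden markup, are both mechanically checkable. The script below is an added example written for this page, not code from TNW or from the article; it uses only the Python standard library and runs over a constructed sample page (the hostnames `spammer.example` and `example.org` are placeholders, not sites from the thread).

```python
"""Audit one page's HTML for the two SEO-spam tells discussed above:
an off-site rel=canonical and anchors hidden via inline CSS.
Added example; the sample HTML at the bottom is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never get a closing tag, so they must not touch the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


def _hidden(style):
    """True if an inline style hides the element (crude but catches the
    usual display:none / visibility:hidden / font-size:0 tricks)."""
    s = (style or "").replace(" ", "").lower()
    return any(k in s for k in ("display:none", "visibility:hidden", "font-size:0"))


def _host(href):
    return (urlparse(href).hostname or "").lower()


class LinkAudit(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.canonical = []     # hrefs of every <link rel="canonical">
        self.external = []      # (href, hidden) for every off-site <a>
        self._stack = []        # hidden flag per open element
        self._hidden_depth = 0  # number of hidden ancestors

    def _off_site(self, host):
        return host and host != self.own_host and not host.endswith("." + self.own_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.canonical.append(a.get("href", ""))
        if tag == "a" and a.get("href") and self._off_site(_host(a["href"])):
            hidden = self._hidden_depth > 0 or _hidden(a.get("style"))
            self.external.append((a["href"], hidden))
        if tag not in VOID:
            h = _hidden(a.get("style"))
            self._stack.append(h)
            if h:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack:
            if self._stack.pop():
                self._hidden_depth -= 1


def audit(html, own_host):
    """Return a list of human-readable findings for one page."""
    p = LinkAudit(own_host)
    p.feed(html)
    p.close()
    findings = []
    for href in p.canonical:
        if p._off_site(_host(href)):
            findings.append(f"canonical points off-site: {href}")
    for href, hidden in p.external:
        if hidden:
            findings.append(f"hidden outbound link: {href}")
    return findings


# Constructed sample: one tampered canonical, one visible link, two hidden links.
SAMPLE = """<html><head>
<link rel="canonical" href="http://spammer.example/that-article/">
</head><body>
<p>Article text with a <a href="http://example.org/about">normal link</a>.</p>
<div style="display: none"><a href="http://spammer.example/buy">cheap stuff</a></div>
<a style="font-size:0px" href="http://spammer.example/other">x</a>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "example.org"):
        print(f)
```

Run it against a crawl of your own pages with your real hostname; a canonical that leaves your domain is never legitimate on an article page, and a hidden off-site anchor is almost always injected content. Visible off-site links are deliberately not flagged, since those are normal editorial links.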


It's very common and very old. Someone did this to a site I ran back in 2005. He made the mistake of creating a new account using his gmail address and his gmail password.

I logged back into his gmail account using this information [this was before the time that Google started to flag logins from unusual IP addresses] and found out that he was doing this as contract work for several legitimate companies.

There in the email were messages back and forth between himself and various marketing managers at those companies about sites he'd attacked and placed spam links in.


Have to ask what software you were using, that it was so easy to get his password from out of his login account. This must have been in the days before passwords were hashed or something?


Passwords were not hashed in the database, because it made no sense for me (as the site administrator) to do that. As the site admin it's entirely beneficial for me (not for you) to see your password.

Of course if you're the sort of user who uses the same password on every site, then it benefits you a little bit if the site hashes the password. The site admin or an attacker can still easily steal your password when you log in, so the benefit is small. But by doing this you're trusting every site, which is stupid.

Users should use a completely different, randomly generated password for every site, then whether or not the site hashes the password doesn't matter.
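
For reference, the two storage models argued about in the comment above, side by side. This is an added example written for this page, not code from the commenter's 2005 site; it uses only the Python standard library. The PBKDF2 iteration count is an assumption chosen for illustration, and the sample users are constructed.

```python
"""Plaintext password table beside a salted, iterated hash table.
Added example, not from the original thread. ITERATIONS is an assumed
cost; tune it to your hardware."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: a cost in the range current guidance gives for PBKDF2-HMAC-SHA256


class PlaintextStore:
    """What the comment describes: whoever can read the table (the admin,
    or anyone who dumps the database) can read every password verbatim."""

    def __init__(self):
        self.users = {}

    def register(self, user, pw):
        self.users[user] = pw

    def verify(self, user, pw):
        return self.users.get(user) == pw

    def dump(self):
        return dict(self.users)  # the reuse risk in one line


class HashedStore:
    """Per-user random salt + PBKDF2-HMAC-SHA256. A table dump yields only
    (salt, iterations, digest); recovering a password means guessing it."""

    def __init__(self, iterations=ITERATIONS):
        self.users = {}
        self.iterations = iterations

    @staticmethod
    def _derive(pw, salt, iters):
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iters)

    def register(self, user, pw):
        salt = os.urandom(16)
        # Store the cost alongside the digest so it can be raised later.
        self.users[user] = (salt, self.iterations, self._derive(pw, salt, self.iterations))

    def verify(self, user, pw):
        rec = self.users.get(user)
        if rec is None:
            # Burn the same cost for unknown users so response time
            # does not reveal which usernames exist.
            self._derive(pw, b"\0" * 16, self.iterations)
            return False
        salt, iters, digest = rec
        # Constant-time comparison: a plain == leaks via timing.
        return hmac.compare_digest(self._derive(pw, salt, iters), digest)

    def dump(self):
        return {u: (s.hex(), i, d.hex()) for u, (s, i, d) in self.users.items()}


if __name__ == "__main__":
    p, h = PlaintextStore(), HashedStore()
    for store in (p, h):
        store.register("alice", "correct horse battery staple")
    print("plaintext dump:", p.dump())
    print("hashed dump:   ", h.dump())
    print("verify ok:", h.verify("alice", "correct horse battery staple"))
```

The hashed store does nothing about the case the commenter raises (the site, or a man in the middle, seeing the password at login time); it only limits what a database dump or a curious admin can learn, which is exactly the cross-site reuse problem the comment mentions.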


That's actually very very common (blackhat seo spam).


Go further... modify something like openx to run your own 'hacked seo' ad exchange network, managing links via these exploits programmatically. :)


If anyone is interested in the other places their links were placed, you can see SEOMoz's backlink data - http://www.opensiteexplorer.org/links?site=seonix.org.


I would've liked to see an exact explanation of how the editor's account was compromised, because it's important to know whether or not thenextweb and other sites were compromised through a default-account-setting or because all of these sites happened to have an account with the same vulnerable password. Or did the hacker just attempt a brute attack against a huge swath of sites, and thenextweb and others were just a few that fell to it?


His password was simple enough to be brute-forced.


or he might have been writing an article in a Starbucks working on an open wifi. Anybody who has Wireshark installed can go fish for passwords and other login credentials in your local Starbucks!

When will people learn that an open Wifi is not secure!

(not claiming this is what actually happened here!)


Most of the compromised websites (if not all) are running on Wordpress...


How is this relevant?

There are a huge number of WordPress sites. TNW use the word 'Hacked' like it took some level of skill and you end your line with ... which implies a weakness in the software.

It is not the software here that is at fault. The lack of good information out of TNW along with the fairly ridiculous penultimate paragraph of drama would suggest it was them being lax with the security they had control of which caused this to happen.


In my experience this kind of "attack" is the result of:

- Exploiting some Wordpress flaw
- Social engineering
- Weak passwords
- Bruteforce

Wordpress has a bad record on security http://packetstormsecurity.org/search/?q=Wordpress , so yes, I'm implying a weakness in the software.


You give 4 reasons.

Linking to a Packetstorm search does not show if core files are involved, if it is a plugin or if the report itself is invalid. The other 3 are not exclusive to WordPress.

If you are right then each report on each site will tie it together. I say it will not because already you can see that no-one is pointing fingers at WordPress itself.


He targeted high profile tech sites running Wordpress, for the most part, so my guess would be a WP vulnerability.


my guess: first name of author, password or 123 as password


Other sites also impacted not listed on SEOmoz:

http://psd.tutsplus.com/tutorials/tools-tips/hdr-photography... http://freelancefolder.com/5-tricks-that-make-you-more-attra... http://www.webpronews.com/google-panda-update-2011-05

I found these through a fresher data source than SEOmoz. There may be more impacted (and might show what the security flaw is to someone more sophisticated than me).


Am I right in observing that this would be felony hacking in the US, the sort of thing that brings prison time? And he did it with links to his own site, so it's clear his identity as well. That doesn't seem too bright.


If you follow the trail he left, you will notice that the spammer is from Eastern Europe. Good luck getting him extradited.


Disclaimer: I consider this act a crime and think the responsible person should be punished.

That said: Can we please stop this idea of dragging people into other countries (I guess there's one particularly eager doing so)? As long as we're not all on the same page about laws around the globe and while we still don't know what 'hosted in the US' means for a business, for example, I'd rather prefer sticking to local laws. These apply without a discussion. Laws of another country by default don't and I'd have a hard time understanding why this should change (a global nation with one book of law would change my mind here).


This is exactly the problem that is solved by an extradition treaty.

More often than not the alleged crime is a crime in both countries and so extradition is a reasonable approach to the problem.

I do agree that the Internet has created jurisdiction issues and criminal issues that aren't well covered by existing law/treaties.

I don't think the local/international dichotomy you describe is as clear cut as you are asserting. Whenever you have international commerce you are going to have all sorts of activities that raise criminal or civil issues that can only be adjudicated via bi-lateral treaties. These issues exist whether the commerce is conducted in-person, by phone, by fax, by email, via HTTP, etc.

I think a 'global nation with one book of laws' would create way more problems than it would solve and in any case isn't going to happen anytime soon.


> I do agree that the Internet has created jurisdiction issues and criminal issues that aren't well covered by existing law/treaties.

A big problem is that the US only needs "reasonable suspicion" when asking to extradite someone from England. But the UK needs "probable cause" when asking to extradite someone from the US. That means that in the UK the evidence is not tested before a Judge agrees to extradition, yet a US Judge tests the evidence before agreeing the extradition.

Babar Ahmed: (http://www.bbc.co.uk/news/uk-17606337)

Babar Ahmed, held for 7 years in a UK prison without a trial, has asked to be tried in the UK. He ran a website that was (supposedly) pro-terrorist. The site was hosted in the US. The US wants to extradite him and try him in America.

This case is interesting because he's not a sympathetic character, yet he claims all he wants is a trial (in a UK court) and a sentence. And also because he's not free, he's been in prison for 7 years already, so it's not as if the UK is an easy option for him.


Well we almost have a global nation; we're down to basically 2 countries: the United States, and the countries that better do what the United States says or else.


Forget him being from Europe, even if he was American it would be tough to get law enforcement to investigate (presumably FBI). Unofficially, the bar is millions of dollars in loss before the Feds will allocate resources to a hacking crime.


The Next Web is a Dutch site btw, but still..


And yet a site like this (the site that traffic was being directed to) has adsense on it without any issues.


I agree and stories like http://blog.hatchlings.com/post/20171171127/dont-be-evil-how... get their accounts frozen. I guess the lesson is to get into shady business.


I wonder if he'd still have adsense if someone "gifted" him 10k hits from an adult network + some run of site adult themed links?

Guessing it wouldn't take long, algorithms being what they are.


so your solution is to waste a bunch of legitimate ad spend from a legitimate advertiser by sending illegitimate traffic and clicks to a hacker's site? What if the person dropping those links in those hacked sites wasn't actually the owner of the target site and he did that so someone like you would screw over all of the innocent parties who happen to be involved?

This is a problem Google needs to fix, hackers aren't going anywhere and god knows teaching them a "lesson" isn't really a good solution most of the time, black hat morals being what they are.


My tongue-in-cheek idea was to buy him the traffic, not steal it from a legit campaign - Once G thinks you're a porn destination, I doubt very much you will index.

You're right, though no serious solution there. It's more of a poke at a broken system that automatically ban-hammers good guys with the bad based on signals that totally miss bad actors like this guy.

Clearly the 'hacker' here has invested enough time to understand the system better than legitimate sites that have "wasted" their time trying to generate value for their users.


Based on the "Don't Be Evil: How Google Screwed a Startup" thread, the simple fix is to just start clicking on all his ads until Google bans his account lol. No need to extradite anyone.


Do it using TorBrowser. That really angers big G.


We are seeing many of those attacks (via brute force) on WP-based sites:

http://blog.sucuri.net/2012/03/brute-force-attacks-against-w...

So not a vulnerability in WordPress, just bad password usage...


Wpscan is an incredibly easy tool to use for both good and bad. It makes it very easy to brute force logins.
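
The brute-force pattern the two comments above describe (Sucuri's observed wp-login.php attacks, and wpscan as the tool that runs them) shows up clearly in a web server access log. The detector below is an added example for this page, not Sucuri's or wpscan's code; it reads combined-format log lines from the standard library only and runs over constructed sample lines. It relies on default WordPress behaviour: a failed login re-renders the form with HTTP 200, a successful one redirects with 302, so a 302 at the end of a burst is the alert worth waking someone for.

```python
"""Flag IPs hammering wp-login.php, and note whether any attempt in the
burst succeeded (302). Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def login_posts(lines):
    """Yield parsed records for POSTs to wp-login.php (any prefix, e.g. /blog/)."""
    for line in lines:
        r = parse(line)
        if r and r["method"] == "POST" and r["path"].endswith("/wp-login.php"):
            yield r


def flag_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"attempts": max_in_window, "succeeded": bool}} for every
    IP with >= threshold login POSTs inside any sliding window."""
    per_ip = defaultdict(list)
    for r in login_posts(lines):
        per_ip[r["ip"]].append((r["ts"], r["status"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "attempts": best,
                "succeeded": any(s == 302 for _, s in events),
            }
    return flagged


# Constructed sample: six POSTs in eight seconds from one IP, the last a
# 302 (a guess landed); one ordinary successful login from another IP.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2012:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2012:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2012:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2012:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2012:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2012:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in flag_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A sliding window rather than a fixed per-minute bucket is deliberate: a tool pacing requests across a minute boundary would split evenly into two under-threshold buckets. Treat the `succeeded` flag as the incident trigger and the plain count as the block-the-IP trigger.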


This website overloads the left and right keys to move between articles, never mind that if the page is wider than the browser window you might want to scroll with the keyboard. Ew.


Hmm, however unlikely, it seems that the hacker is aware of a 0-day in wordpress. Almost all of the websites compromised were using WordPress. Weird.


Is there some way of reporting the spammer to get his website de-indexed from Google?


were they hacked or was a user account just compromised?


They were hacked because the "hacker" managed to modify the content of the web site. Using a compromised account to get into the machine.



