Author Topic: How are they redirecting this site?  (Read 4393 times)


Offline SirKonstantine

  • Newbie
  • *
  • Posts: 23
  • Liked:
  • Likes Given: 2

How are they redirecting this site?
« on: April 05, 2014, 11:58:40 pm »
Sorry for sounding noob but I'm completely lost as to how this site is being redirected.


From Google US, #3 for me is earthbalance.com. The redirect will only occur when your referrer states that you are from google.com (I've tried disabling referrer and it doesn't work. I also tried logging in via google.ca and it doesn't work).


The link is
Code: [Select]
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CF8QFjAC&url=http%3A%2F%2Fwww.earthbalance.com%2F&ei=nX9AU8mGE-bKsQTWg4JY&usg=AFQjCNG4ltO8k9DScolVsPHuWroJ2yJyVQ&sig2=CSYup-05hXvBB2Bsp3_MMg

The head request states:
Code: [Select]
Request URL: http://daymoney.co.uk/xxnn/in.cgi?5&parameter=
Request Method: GET
Status Code: 302 Found


So how are they filtering who is being redirected, and why does it only work when I have JavaScript on and HTTP referrers on? I looked through their code and don't see any mention of daymoney.co.uk, so I'm guessing it's obscured somewhere.






Offline CCarter

  • CCarter is Banned for stealing personal data and being a liar
  • Hero Member
  • *****
  • Posts: 562
  • "Nobody bans Ccarter"
  • Liked:
  • Likes Given: 54
Re: How are they redirecting this site?
« Reply #1 on: April 06, 2014, 02:43:17 am »
Basic JavaScript redirect. The in.cgi file determines where you are going to be sent to. It only works when you have JavaScript on since it's a JavaScript redirect. And they are detecting whether you are coming from Google or not. If from Google, then redirect; if no Google, no redirect. Another layer of security for them not to get caught when a person visits and sees nothing wrong with the page.

Offline SirKonstantine

  • Newbie
  • *
  • Posts: 23
  • Liked:
  • Likes Given: 2
Re: How are they redirecting this site?
« Reply #2 on: April 07, 2014, 01:14:11 am »
So let me see if I'm comprehending this correctly. On earthbalance.com, they have a server side file that says "if you come from google, redirect you to daymoney.co.uk" and on daymoney.co.uk, they have the in.cgi file that redirects you to the final landing page.

I looked through earthbalance's source and couldn't find any mention of daymoney.co.uk or in.cgi, so I'm guessing it has to be a server side file that's redirecting you.

Another question: how do they get the title to be "Payday loan USA! Get Money in 10 Minutes" on Google when, if you go to earthbalance.com directly, the page's title tag is something totally different? The Google cache of the homepage looks like this:







So I'm guessing there is a server side rule that is showing Googlebot a different version of the homepage?


Code: [Select]
http://earthbalance.com/index.php?option=com_content&view=article&id=71&Itemid=35

Given that their URLs are like that, I'm guessing the person who I'm studying used a SQLi to get access to the site, added the new rules to show Googlebot a different version of the homepage as well as redirect Google traffic to the payday loan site.

Offline CCarter

  • CCarter is Banned for stealing personal data and being a liar
  • Hero Member
  • *****
  • Posts: 562
  • "Nobody bans Ccarter"
  • Liked:
  • Likes Given: 54
Re: How are they redirecting this site?
« Reply #3 on: April 09, 2014, 12:52:31 pm »
Yeah, something like that. Basic cloaking...
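
For a site owner checking their own pages for the behaviour discussed in the replies above (one URL answering differently depending on referrer and user agent), the following is an added example and not code from any poster in this thread. It compares status, Location header and title across responses captured under different request profiles; the host names, titles and capture data are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def fingerprint(capture, site_host):
    """Reduce one captured response to the fields that cloaking typically changes."""
    status, headers, body = capture
    m = TITLE_RE.search(body)
    title = " ".join(m.group(1).split()) if m else None
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    host = (urlsplit(location).hostname or "") if location else ""
    # Relative redirects and redirects within the site's own domain are not flagged.
    same_site = host == "" or host == site_host or host.endswith("." + site_host)
    return {"status": status, "title": title, "offsite": None if same_site else location}

def cloaking_findings(site_host, captures, baseline="direct"):
    """Compare every request profile against the baseline visit."""
    base = fingerprint(captures[baseline], site_host)
    findings = []
    for profile, capture in captures.items():
        fp = fingerprint(capture, site_host)
        if fp["offsite"]:
            findings.append((profile, "offsite_redirect", fp["offsite"]))
        elif profile != baseline and fp["title"] != base["title"]:
            findings.append((profile, "title_differs", fp["title"]))
    return findings

# Constructed captures of one URL on a hypothetical site, one per request profile:
# (status, headers, body). Hosts and titles are placeholders, not data from the thread.
CAPTURES = {
    "direct": (200, {"Content-Type": "text/html"}, "<title>Example Foods | Home</title>"),
    "search_referrer": (302, {"Location": "http://redirector.example/in.cgi?5"}, ""),
    "crawler_user_agent": (200, {"Content-Type": "text/html"}, "<title>Payday loans today</title>"),
    "other_referrer": (200, {"Content-Type": "text/html"}, "<title>Example Foods | Home</title>"),
}

if __name__ == "__main__":
    for finding in cloaking_findings("shop.example", CAPTURES):
        print(finding)
```

A redirect performed by script in the page body rather than by a Location header is outside what this comparison sees.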

Offline JellyHumor

  • Simple marketer
  • Newbie
  • *
  • Posts: 3
  • Gender: Male
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #4 on: April 16, 2014, 08:49:34 am »
yeah, standard method for payday niche  ;)
not really a VIP

Offline tgk

  • Newbie
  • *
  • Posts: 2
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #5 on: May 09, 2014, 01:24:02 am »
Exactly what I'm trying to figure out as well. Anyone into the extreme side of blackhat SEO? :)

Offline CCarter

  • CCarter is Banned for stealing personal data and being a liar
  • Hero Member
  • *****
  • Posts: 562
  • "Nobody bans Ccarter"
  • Liked:
  • Likes Given: 54
Re: How are they redirecting this site?
« Reply #6 on: May 09, 2014, 02:22:42 am »
You talking about Darkhat SEO?

Offline seolion

  • Newbie
  • *
  • Posts: 40
  • Liked:
  • Likes Given: 3
Re: How are they redirecting this site?
« Reply #7 on: May 09, 2014, 02:25:40 am »
Sick I've never seen a redirect done like this! Geeking out right now!


Anyone got any interesting reads to point me to on the payday niche? Not interested in getting into it tbh, too competitive for my blood, but looks like a great niche to read some case-studies on for learning.


If not I'll just have to do some digging on their sites myself  ::)

Offline thedorf

  • Newbie
  • *
  • Posts: 27
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #8 on: May 10, 2014, 09:27:04 pm »
I must be missing the big picture here.  I see reference to a SQL injection, basically gaining illegal access to a website that is cloaked to make it rank for payday loans which in turn redirects to a money site if the traffic comes from Google to the illegally accessed website.

Why even mess with a SQL injection to begin with?  Is the money-maker capitalizing on the established website's backlinks and DA/PA/whatever to help it rank faster?  Is that what you get with this scenario?

Offline CCarter

  • CCarter is Banned for stealing personal data and being a liar
  • Hero Member
  • *****
  • Posts: 562
  • "Nobody bans Ccarter"
  • Liked:
  • Likes Given: 54
Re: How are they redirecting this site?
« Reply #9 on: May 10, 2014, 09:46:57 pm »
Why even mess with a SQL injection to begin with?  Is the money-maker capitalizing on the established website's backlinks and DA/PA/whatever to help it rank faster?  Is that what you get with this scenario?

Yes. They are using the authority of the website to rank for the competitive term.

Offline Agent Blackhat

  • Administrator
  • *****
  • Posts: 679
  • Gender: Male
  • Merely the facilitator
    • Agent Blackhat SEO Blog
  • Liked:
  • Likes Given: 90
Re: How are they redirecting this site?
« Reply #10 on: May 15, 2014, 10:02:09 am »
Do you think the method of redirecting makes a difference? I've not used a javascript redirect more than a couple of times and I couldn't say for sure if it passed link juice.

Offline CCarter

  • CCarter is Banned for stealing personal data and being a liar
  • Hero Member
  • *****
  • Posts: 562
  • "Nobody bans Ccarter"
  • Liked:
  • Likes Given: 54
Re: How are they redirecting this site?
« Reply #11 on: May 17, 2014, 08:55:11 pm »
The purpose of the JavaScript is NOT to pass link juice, therefore the spammer can switch the endpoint anytime, and Google "doesn't detect it".

Offline lucky31337

  • Newbie
  • *
  • Posts: 19
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #12 on: May 17, 2014, 11:09:28 pm »

I have a background in infosec/penetration testing, and information retrieval ...
The Joomla sites aren't using SQL injection attacks or cross-site scripting vulns.


However, with that being said... CMSs like WordPress and Joomla need to give a damn about setting proper file permissions on directories.
Google "Index of " "backup.sql" and you'll see people's WordPress blog/website backups sitting there with database dumps....

On another topic, there is one person currently redirecting via an interesting method:


setting an iframe script source to another page, and in this page JS redirecting the parent page from within.


How this differs from a standard redirect is that it actually allows content to be printed in the HTTP response and then redirected,


as you can see here:

HTTP/1.1 200 OK
Date: Thu, 15 May 2014 08:04:04 GMT
Server: Apache
Last-Modified: Thu, 08 May 2014 07:17:24 GMT
ETag: "4d5a9f4-2507-45c7e900"
Accept-Ranges: bytes
Content-Length: 9479
X-Powered-By: PleskLin
Keep-Alive: timeout=3, max=32
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-language" content="en"/>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Fast Pay Day Loans | Get Fast Cash In Your Account TODAY!</title>
<meta name="description" content="Need quick cash? Payday loans can be in your account today from £80 up to £1000 with no credit check" />
<link rel="stylesheet" type="text/css" media="all" href="css/style.css" />
<link rel="shortcut icon" href="images/favicon.ico" />


<link rel="stylesheet" href="css/jquery.ui.all.css"/>
<link rel="stylesheet" href="css/style_2.css"/>
    <style type="text/css" >
   #demo-frame > div.demo { padding: 10px !important; };
   .style1 {
   color: #00A0E1
}
    </style>


<script type="text/javascript">
      document.write('<iframe width=1 height=1 src=image.php></iframe>');
   </script>
</head> 






<div id="maincontainer">


    <div id="header">
      <img src="images/secure-icon.png" alt="Pay day Loans" title="Payday Loans" border="0"
class="secure">
      <img src="images/logo.gif" alt="Fish 4 Payday Loans" title="Payday Loans No Credit Check" width="577" height="70" />  </div>
<div class="spacer"></div>


        <div id="nav">
                        <ul class="tabs">
                            <li><a href="/" title="Payday Loans" class="active">Home</a></li>
                            <li><a href="apply.html" title="To get payday loans from snake payday" >Apply Today</a></li>
                          <li><a href="how-it-works.html" title="Complete Your Details">How It Works</a></li>
                            <li><a href="contact.html" title="Contact us for instant payday loan">Contact</a></li>
                        </ul>   
               </div>   
<div id="body">


which is



HTTP/1.1 200 OK
Date: Sat, 17 May 2014 22:08:25 GMT
Server: Apache
X-Powered-By: PleskLin
Keep-Alive: timeout=3, max=32
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 138


<script language="JavaScript" type="text/javascript">
if (self != top) {
parent.location.href='http://www.paydaypanda.co.uk/';
}
</script>
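
A static check for the pattern in the post above (a near-invisible iframe, written with document.write, whose framed document then navigates the parent window), as an added example that is not the poster's code. The samples are constructed by trimming the two responses quoted in the post; `load_frame` is a hypothetical caller-supplied loader for the framed document.

```python
import re
from html.parser import HTMLParser

# document.write('...') string literals, where the quoted page hides its iframe markup
DOC_WRITE = re.compile(r"document\.write(?:ln)?\(\s*(['\"])(.*?)\1\s*\)", re.S)
# a framed script steering its parent/top window to a new URL
PARENT_NAV = re.compile(
    r"\b(?:parent|top)\.location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*(['\"])(.*?)\1", re.I)

class IframeFinder(HTMLParser):
    """Collect iframe attributes from static markup and from document.write() strings."""
    def __init__(self):
        super().__init__()
        self.frames, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag == "iframe":
            self.frames.append(dict(attrs))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            for _quote, markup in DOC_WRITE.findall(data):
                inner = IframeFinder()
                inner.feed(markup)
                self.frames += inner.frames

def is_hidden(frame):
    """True for 1x1-style frames or frames hidden with inline CSS."""
    dims = [int(v) for v in (frame.get("width"), frame.get("height")) if v and v.strip().isdigit()]
    style = (frame.get("style") or "").replace(" ", "").lower()
    return any(d <= 2 for d in dims) or "display:none" in style or "visibility:hidden" in style

def scan(outer_html, load_frame):
    """load_frame(src) -> body of the framed document (hypothetical loader supplied by the caller)."""
    finder = IframeFinder()
    finder.feed(outer_html)
    return [{"iframe_src": f["src"], "navigates_parent_to": m.group(2)}
            for f in finder.frames if f.get("src") and is_hidden(f)
            for m in PARENT_NAV.finditer(load_frame(f["src"]))]

# Constructed samples, trimmed from the two responses quoted in the post above.
OUTER = """<head><title>Fast Pay Day Loans</title><script type="text/javascript">
document.write('<iframe width=1 height=1 src=image.php></iframe>');</script></head>"""
FRAMES = {"image.php": """<script>if (self != top) {
parent.location.href='http://www.paydaypanda.co.uk/';}</script>"""}

if __name__ == "__main__":
    print(scan(OUTER, lambda src: FRAMES.get(src, "")))
```
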

Offline lucky31337

  • Newbie
  • *
  • Posts: 19
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #13 on: May 17, 2014, 11:10:59 pm »
I do know though that this type of link cloaking is several orders of magnitude harder to detect, especially when coupled with user agent and IP checking.

Offline hitman-zone

  • Hero Member
  • *****
  • Posts: 517
  • MadvillainSEO
  • Liked:
  • Likes Given: 68
Re: How are they redirecting this site?
« Reply #14 on: May 18, 2014, 04:29:52 pm »
His redirection is hidden in CSS files, so it's easy to read where his stuff is redirecting, and I guess he uses a kind of request masking based on IP, so Google will only see where they are linked to but you can't, and also Google can't see that the redirection is pointing to a payday site, and when you see the page it will redirect you to the money site.

The owner is a hard ass mothafucking hacker, so if you catch the headers you would notice changes.

If I'm wrong please correct my mistakes.

Offline Mranonomoose

  • Newbie
  • *
  • Posts: 10
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #15 on: May 20, 2014, 02:22:53 pm »


go to Google.com
search : ?p=online-slots




« Last Edit: May 20, 2014, 02:30:15 pm by Mranonomoose »

Offline lucky31337

  • Newbie
  • *
  • Posts: 19
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #16 on: May 21, 2014, 03:37:26 pm »
Guys, I run my own distributed crawler as well, I'll make you guys a deal. If you supply me a specific/interesting footprint of a link spammer/hacker, I'll reverse crawl his entire network and post it up here for you... in exchange I just want one footprint for that same niche that returns high quality pages.

Offline charto911

  • Newbie
  • *
  • Posts: 9
  • Liked:
  • Likes Given: 0
Re: How are they redirecting this site?
« Reply #17 on: May 23, 2014, 05:44:00 am »
Sorry for sounding noob but I'm completely lost as to how this site is being redirected.


From Google US, #3 for me is earthbalance.com. The redirect will only occur when your referrer states that you are from google.com (I've tried disabling referrer and it doesn't work. I also tried logging in via google.ca and it doesn't work).


The link is
Code: [Select]
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CF8QFjAC&url=http%3A%2F%2Fwww.earthbalance.com%2F&ei=nX9AU8mGE-bKsQTWg4JY&usg=AFQjCNG4ltO8k9DScolVsPHuWroJ2yJyVQ&sig2=CSYup-05hXvBB2Bsp3_MMg

The head request states:
Code: [Select]
Request URL: http://daymoney.co.uk/xxnn/in.cgi?5&parameter=
Request Method: GET
Status Code: 302 Found


So how are they filtering who is being redirected, and why does it only work when I have JavaScript on and HTTP referrers on? I looked through their code and don't see any mention of daymoney.co.uk, so I'm guessing it's obscured somewhere.








So with an industry that was as ripe and plentiful with affiliate payouts as the online payday loan industry, you will find tons and tons of slightly shady things like this. I noticed this getting extreme last year and posted about it and was filled in that it was so 2008 (I never really followed payday loans, so didn't notice it), but you will find sometimes that half of the front page are tricky redirects like this through authoritative sites.

Offline hitman-zone

  • Hero Member
  • *****
  • Posts: 517
  • MadvillainSEO
  • Liked:
  • Likes Given: 68
Re: How are they redirecting this site?
« Reply #18 on: May 23, 2014, 06:21:00 pm »
Basically he redirects based on user agents; he's got a list in his site structure.
« Last Edit: May 23, 2014, 06:38:01 pm by hitman-zone »