Ugg-ly exploits

by Jim December 4, 2014

Out of the blue the other night, an SEO mate contacted me and said he had a good story. I’ve known Chris for years, formerly of Melbourne now in Hong Kong. Chris told me about his Melbourne mate who retailed Ugg boots. It turned out that when you Googled his brand his site had disappeared from the search results.

Melbourne Retailer SEO Dies

The number one result in its place was a Portuguese music site that had completely ripped off his entire site. Nice work Google. Google should penalise itself for low quality. So Chris and I checked the usual suspects like site downtime etc. but it quickly became obvious that this was no common misconfiguration or stuff-up. This Melbourne retailer had been targeted for his traffic. His brand traffic was getting hijacked.

Black Hat SEO

Black Hat SEO is an oft-overused term these days. People will call an SEO Black Hat if they do a back linking campaign. Traditionally it was a label reserved for the more clever and clandestine techniques. This was one such technique. This smelled like cloaking (cue dramatic music). Cloaking gets its name from hiding, or cloaking, the real web page from Google: users are served something very different from what Google sees. In this example the Portuguese domain had within it the Urban Ugg Shop’s entire site, according to Google anyway. When you clicked on the link shown below you were not taken to a copied page inside Fazmusicalboa.com though. You were redirected off to http://www.chassuresugg2014fr.com/, another Ugg boot site written entirely in French and covered in a well-known Ugg brand.

Ugg Australia Rip Off Site

It turned out the domain was registered to someone named Ming Wu in China. Our team have since checked the domain details and the phone number and addresses attached to it are all of course fake.

But Wait There’s More

I thought it was unlikely that a sophisticated trick like this would be targeted at a single site. If you are going to go to all this trouble you may as well make it scalable. So then I did the search inurl:wikihow1.asp and found a heap of other sites compromised with the same exploit. All Microsoft server installs. Here are some of the installs I found that had been compromised:

Windows Server 2008, IIS 7.5

Windows 2000, Microsoft-IIS/5.0

Windows Server 2003, Microsoft-IIS/6.0

Windows Server 2012, Microsoft-IIS/8.0

I also found several companies having their content ripped off and their rankings disappear. I spoke with Tito Gonzalez of Ugg King in QLD, who told me about Ugg Australia and that it was a very well known brand. His own site had been ripped off on the Sopers Hole Marina site.

Brisbane Retailer Ugg King Brand Hijack

Once again, if you click on the first link you get 302 redirected to another site, http://www.2014sheepskinbottes.com/, which once again is an Ugg Australia rip off owned by the fictional Ming Wu. You have to be a little clever to achieve this sort of mass cloaking, not to mention the infection of third party sites. At the very least you have to be very organised. As I point out in today’s video you’d have to be using something like @fantomaster IP grabber or a similar tool to achieve this. Cloaking relies on you knowing when the Google bot is coming to your site. There are tools that will mimic a user agent but that is not the same as identifying yourself as coming from an address that has previously been identified as owned by the Googlebot. Scraping a site though and then injecting it into another site AND cloaking a redirect is not something I have seen on this scale before, although I’m sure it goes on all the time.
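An owner of one of the infected sites can spot this in their own IIS logs: the same page answers 200 to Googlebot and a redirect to everyone else. The Python below is an added example, not from the original post or the video; the log lines, IP addresses and field layout are constructed, and classifying requests by the Googlebot user-agent string is an assumption about what the log records.

```python
from collections import defaultdict

# Constructed IIS W3C extended log sample (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2014-12-01 03:10:11 GET /wikihow1.asp 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2014-12-01 03:12:40 GET /wikihow1.asp 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1)+Chrome/39.0 302
2014-12-01 03:15:02 GET /wikihow1.asp 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1)+Firefox/34.0 302
2014-12-01 03:20:00 GET /default.asp 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2014-12-01 03:21:00 GET /default.asp 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1)+Chrome/39.0 200
2014-12-01 03:22:00 GET /old.asp 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 301
2014-12-01 03:23:00 GET /old.asp 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1)+Chrome/39.0 301
"""

REDIRECTS = {"301", "302", "303", "307"}

def parse_w3c(text):
    """Yield one dict per request, using the column order from '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def find_cloaked(text):
    """Return URIs where Googlebot got a 200 but every other client was redirected."""
    seen = defaultdict(lambda: {"bot": set(), "user": set()})
    for row in parse_w3c(text):
        agent = row.get("cs(User-Agent)", "").lower()
        who = "bot" if "googlebot" in agent else "user"
        seen[row["cs-uri-stem"].lower()][who].add(row["sc-status"])
    return sorted(
        uri for uri, s in seen.items()
        # A page that redirects everyone (bot included) is an ordinary redirect.
        if "200" in s["bot"] and s["user"] and s["user"] <= REDIRECTS
    )

if __name__ == "__main__":
    for uri in find_cloaked(SAMPLE_LOG):
        print("possible cloaked redirect:", uri)
```

A flagged page that the site owner never created is a strong sign of the injected-file infection described above.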

Fox Rothschild LLP Gets Hit

The selection of targets for this exploit looks like it was based on search results for different Ugg categories. The reason I say that is that one site that was ripped off was a US law firm called Fox Rothschild. They have a Fashion Law (who even knew that category existed!) blog maintained for the most part by Staci Riordan, whom I reached out to on Twitter for comment. She has since moved on to another law firm though. In the majority of these instances, Google has cached the ripped off pages even though the user gets redirected to the Ugg Australia site maintained by the evil cloaking overlord Ming Wu. This is quite a comprehensive exploit so today’s video is a little longer than usual.
UPDATE: Just did a quick inurl:ugg.asp search. Over 440,000 results – this is the tip of the iceberg.
UPDATE: It turns out that this is probably severely affecting Ugg Australia traffic. For the search “Ugg Infants Erin 5202 Black” UA are ranking 17 and all the results above them look like hacked sites. Also here are some of the fake final destination sites.
www.outletuggus.com
www.shoestys.com
www.shoesdt.com
