With some fairly rudimentary search skills it is possible to both find and monitor for compromised web-pages and parasite SEO spam.
Over the last 10+ years I have contacted hundreds of websites, schools, hospitals, businesses and even UK government organisations to let them know they have been hacked. In many of these examples the hacks have been present for months, even years prior to me contacting them.
Previously I have had to contact both the British Board of Film Certification (BBFC) and NationalArchives.gov.uk to let them know they had been compromised and were serving SEO parasite pages promoting spam.
In the case of the BBFC they were promoting fake Nike Air trainers, whereas the National Archives were hosting content that linked through to a website purporting to sell “cheap NFL jerseys”.
In both of the above examples, an email to the relevant webmasters at the organisations yielded a prompt and thankful response, and the infections were removed within hours.
This leads us onto a couple of points we should discuss before getting to the actual search operators we will use to find hacked sites.
Be careful reporting hacks: Organisations are not always thankful
You would think most organisations would be grateful to find out that they have been hacked, so they can fix the vulnerability that led to them being compromised and repair any damages.
However this is unfortunately not always the case.
Some people can respond with suspicion (which is reasonable), but worse, desperate IT/web development staffers can sometimes, in an attempt to deflect blame from any potential shortcomings that resulted in the site they looked after getting hacked, point the finger of blame at the good Samaritans who flagged up the hack in the first place.
For these reasons, when contacting sites it is important to be friendly and brief, and to avoid any language which could appear hostile or threatening.
In my contact messages I will usually ask them to get help from the people tasked with looking after their website to investigate and repair the damage, so that I do not come across as someone looking for any kind of paid work – or even worse – blackmail!
For the above reasons, I find phone calls can often be much more effective than sending an email when contacting organisations – you can explain the situation in a friendly manner which is less likely to be misinterpreted as malicious.
Take care when viewing hacked web pages
Hacked web-pages are by their very nature compromised, so could include malware, or redirects/links to other dangerous sites.
For this reason, I would never recommend viewing a hacked web page in a browser on your normal computer or phone.
What is a Google Dork?
A Google Dork is a search operator or series of search operators that can be used to find sensitive information, vulnerabilities or hacked content.
You can view a list of Google Dorks on the Exploit DB website.
Finding Hacked Sites Using Common Spam Keywords
Blackhat SEO hackers often target specific sets of high value keywords. Searching for these keywords can enable us to find infections on the web by looking for unnatural phrases on specific domains or TLDs.
Some example high value spam terms:
Viagra, Cialis, Cheap NFL Jerseys, Louis Vuitton, Michael Kors, Nike Air Max
Let’s walk through an example.
UK government and local authority websites are found on gov.uk domains in the UK, and other than some exceptions should be unlikely to feature commercial and high value spam keywords. Similar are the nhs.uk domain space, for NHS organisations; sch.uk, for academia and schools; and org.uk, for organisations.
Tip: When searching across the .gov.uk domain space it can often be useful to add an operator that removes results from data.gov.uk, which are rarely useful to see: -inurl:data.gov.uk. Similarly it can be useful to remove results from beta.companieshouse.gov.uk, which has a listing for every company in the UK.
First let’s search across gov.uk domains, using the seed term ‘nike air max’.
site:gov.uk "nike air max"
Here are the current results for this search:
Looks like abingdon.gov.uk has had some issues. It would be unusual for a local council to sell Nike Air Max trainers.
Viewing the Google cache we can see that as of two days ago (Feb 27th) the pages were redirecting Googlebot to a site purporting to sell Nike Air Max trainers. In this case the site may potentially be legitimate, though in many situations the target site may be conducting credit card fraud or selling counterfeit goods.
Checking and Monitoring Sites for SEO Spam & Hacks
Using a Google Dork it is possible to check and monitor a specific site for SEO spam, whether in the form of comment spam or hacks.
By combining the pipe (|) OR operator and different spam terms into one Google search you can check for potentially dozens of different spam terms at once.
For example (substituting your own domain after ‘site:’):
site:example.com "nike air max" | "michael kors" | "cheap nfl" | "buy pills"
You could add this search into a Google Alert, a Python script, or other automated tool to get regular updates.
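As a starting point for the Python route, here is an added example (not code from the original post) that builds the monitoring search above for your own domain from a list of spam terms, splits long term lists across several queries, and turns each into a search URL you can open or paste into a Google Alert. The function names and the 32-word budget per query are assumptions of this sketch.

```python
from urllib.parse import urlencode

# Spam terms taken from the examples in this article; extend with your own.
SPAM_TERMS = ["nike air max", "michael kors", "cheap nfl", "buy pills",
              "viagra", "cialis", "louis vuitton"]

MAX_WORDS = 32  # assumption: word budget per query, so no term is silently dropped


def quote(term):
    """Wrap a term in double quotes so it is matched as an exact phrase."""
    return '"' + term.replace('"', "").strip() + '"'


def build_dorks(domain, terms=SPAM_TERMS, exclude=(), max_words=MAX_WORDS):
    """Return one or more search strings that together cover every term."""
    prefix = ["site:" + domain] + ["-inurl:" + host for host in exclude]
    budget = max_words - len(prefix)
    queries, batch, used = [], [], 0
    for term in terms:
        cost = len(term.split())
        if cost > budget:
            raise ValueError("term too long for one query: " + term)
        if batch and used + cost > budget:
            # Current query is full: emit it and start a new one.
            queries.append(" ".join(prefix + [" | ".join(batch)]))
            batch, used = [], 0
        batch.append(quote(term))
        used += cost
    if batch:
        queries.append(" ".join(prefix + [" | ".join(batch)]))
    return queries


def search_url(query):
    """URL-encode a query into a standard Google search link."""
    return "https://www.google.com/search?" + urlencode({"q": query})


if __name__ == "__main__":
    # example.com stands in for the domain you are responsible for.
    for q in build_dorks("example.com"):
        print(q)
        print(search_url(q))
```
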
Update: We reported the hack to Abingdon Council on Monday morning, who promised to investigate.
Update 2: Another hack reported – this time with Glastonbury council.