Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Search Spammers Hacking More Websites

The head of Google’s Web-spam-fighting team warns that spammers are increasingly attacking websites.

The head of Google’s Web-spam-fighting team, Matt Cutts, warned last week that spammers are increasingly hacking poorly secured websites in order to “game” search-engine results. At a conference on information retrieval, held in Boston, Cutts also discussed how Google deals with the growing problem of search spam.

Search spammers try to gain unfair prominence for their Web pages in search results, thereby making money from the products that these sites offer or from advertising posted on them. The practice, also known as “spamdexing,” exploits the way search engines’ algorithms figure out how to rank different pages for a particular search query. Google’s page-rank algorithm, for instance, in part gives prominence to pages that are heavily linked to other material on the Web. Spammers can exploit this by adding links to their site on message boards and forums and by creating fake Web pages filled with these links. Garth Bruen, creator of the Knujon software that keeps track of reported search spam, says that some campaigns involve creating up to 10,000 unique domain names.

“We’re getting better at spotting spammy pages,” said Cutts after his talk, adding that spammers are increasingly hacking legitimate websites and filling their pages with spam links or redirecting users to other sites.

“As operating systems become more secure and users become savvier in protecting their home machines, I would expect the hacking to shift to poorly secured Web servers,” said Cutts. He expects “that trend to continue until webmasters and website owners take precautions to secure Web-server software as well.”

“I’ve talked to some spammers who have large databases of websites with security holes,” Cutts said. “You definitely see more Web pages getting linked from hacked sites these days. The trend has been going on for at least a year or so, and I do believe we’ll see more of this.”

Bruen agrees. “We’ve seen an increase in spam e-mail and spam domains that not only sell illicit products, but that attempt to download malware and infect the visitor’s PC,” he says. Such malware could use an unknowing victim’s computer to send out e-mail spam.

“It really is an arms race,” says Daniel Tunkelang, one of the conference organizers and the chief scientist at search company Endeca.

To prevent such attacks, Cutts recommended that anyone running her own website regularly patch the Web server and any software running on it. “In the same way that you wouldn’t browse the Web with an unpatched copy of Internet Explorer, you shouldn’t run a website with an unpatched or old version of WordPress, cPanel, Joomla, or Drupal,” said Cutts. He also suggested that users hand over management of Web software. “Using a cloud-based service where the server software is managed by someone else can often be more secure,” he said.

During his talk, Cutts also explained that Google’s efforts to identify dubious Web sites now include parsing the JavaScript code that underlies pages. Code may contain hidden instructions that record users’ data, for example.

“It wasn’t obvious to me that Google can do this,” says Endeca’s Tunkelang. “And apparently some spammers were saying that Google can’t do that.”

Cutts noted that spammers and hackers are also finding new ways to spam, with the rise of social networking sites like Facebook and Twitter. These sites “bring identity into the equation, but don’t really have checks to verify that a profile or person sending you a message is who you think they are,” said Cutts.

“Authentication [across the Web] would be really nice,” says Tunkelang. “The anonymity of the Internet, as valuable as it is, is also the source of many of these ills.” Having to register an e-mail before you can comment on a blog is a step in this direction, he says, as is Twitter’s recent addition of a “verified” label next to profiles it has authenticated.

Danah Boyd, a Microsoft Research scholar who studies social media, suggests that spammers take advantage of the fact that people don’t always adhere to the rules on social-networking sites–for example, they sometimes provide fake information about themselves. “The variability of average users is precisely what spammers rely on when trying to trick the system,” says Boyd. “All users are repurposing systems to meet their needs, and the game of the spammer keeps changing. That makes the work that Matt does very hard but also very interesting.”

Couldn't get to Cambridge? We brought EmTech MIT to you!

Watch session videos here
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.