eBay (inadvertently) reveals secret code to detect cookie stuffers

Posted by k | Posted in Black Hat | Posted on 21-05-2009

Patrick, from Blogstorm, posted about the recent filings in the eBay Inc. v. Digital Point Solutions, Inc. et al. case, in which the plaintiff, eBay Inc., alleges that the defendants engaged in cookie stuffing to defraud it. So far 80 documents have been filed in the case, but the most interesting is number 68, the Second Amended Complaint against all defendants, filed by eBay Inc. (Eberhart, David) on 3/26/2009 (entered March 26, 2009).

Some quotes from this Second Amended Complaint, which mentions the Digital Point Coop Network, are very interesting:

eBay placed a special “gif” image on the eBay.com home page. This special gif was served to any browser receiving an eBay cookie. eBay had observed that Defendants’ cookie stuffing schemes caused the user’s browser to be secretly redirected to eBay’s home page for only a short period of time—sufficient time for the cookie to be stuffed and little or no more.

The cumulative results of the investigation demonstrated that over 99% of the traffic directed by DPS and KFC during the time period of the investigation did not receive the gif image, and was therefore fraudulent cookie stuffing traffic.

This is very interesting for all you cookie stuffers out there: eBay has used, and may still use, code on its own page to detect fraudulent cookie stuffing.

What they reveal is the very common one-pixel tracker method, but their tactics might have evolved since 2007.

So, forget about those fake image and similar stealth one time hit cookie stuffing scripts. On eBay you have to iframe load the whole page and preferably, do some random navigation.
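The detection eBay describes in the complaint can be reproduced from ordinary web logs: join the sessions that received the affiliate cookie with the sessions that later fetched the home-page gif, and compute, per affiliate, the share that never fetched it. What follows is an added example written for this page, not eBay’s code: the log format, the field names (sess, aff) and the flagging thresholds are assumptions, and the log lines are constructed.

```python
"""
Beacon-based cookie-stuffing detection, modelled on the method described in the
complaint quoted above: every browser that receives an affiliate cookie on the
home page is also served a tracking gif, and a browser that was only redirected
through the page for a split second never fetches it. Comparing, per affiliate,
the sessions that were cookied with the sessions that loaded the gif gives the
"did not receive the gif image" ratio the complaint relies on.

Added, illustrative implementation; not eBay's code. Log format, field names
and thresholds are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: one affiliate whose visitors mostly load the gif, and one
# whose visitors never do. A beacon for an unknown session is deliberately
# included to show it is ignored.
SAMPLE_LOG = """\
2009-03-01T10:00:00Z cookie_set sess=a1 aff=legit_partner
2009-03-01T10:00:04Z beacon sess=a1
2009-03-01T10:01:00Z cookie_set sess=a2 aff=legit_partner
2009-03-01T10:01:03Z beacon sess=a2
2009-03-01T10:02:00Z cookie_set sess=a3 aff=legit_partner
2009-03-01T10:05:00Z cookie_set sess=b1 aff=stuffer_coop
2009-03-01T10:05:01Z cookie_set sess=b2 aff=stuffer_coop
2009-03-01T10:05:02Z cookie_set sess=b3 aff=stuffer_coop
2009-03-01T10:05:03Z cookie_set sess=b4 aff=stuffer_coop
2009-03-01T10:06:00Z beacon sess=unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>cookie_set|beacon) sess=(?P<sess>\S+)(?: aff=(?P<aff>\S+))?$"
)


def parse_log(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return ({session: affiliate} for cookied sessions, {sessions that loaded the gif})."""
    cookied: Dict[str, str] = {}
    beaconed: Set[str] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; a real pipeline would count these
        if m["event"] == "cookie_set" and m["aff"]:
            cookied[m["sess"]] = m["aff"]
        elif m["event"] == "beacon":
            beaconed.add(m["sess"])
    return cookied, beaconed


def no_gif_share(cookied: Dict[str, str], beaconed: Set[str]) -> Dict[str, Tuple[int, int, float]]:
    """Per affiliate: (sessions cookied, sessions that also fetched the gif, share that did not)."""
    totals: Dict[str, int] = defaultdict(int)
    with_gif: Dict[str, int] = defaultdict(int)
    for sess, aff in cookied.items():
        totals[aff] += 1
        if sess in beaconed:
            with_gif[aff] += 1
    return {aff: (n, with_gif[aff], round(1 - with_gif[aff] / n, 3)) for aff, n in totals.items()}


def flag_affiliates(stats: Dict[str, Tuple[int, int, float]],
                    threshold: float = 0.9, min_sessions: int = 4) -> List[str]:
    """Affiliates whose no-gif share reaches the threshold, with enough traffic to be meaningful."""
    return sorted(aff for aff, (n, _, share) in stats.items()
                  if n >= min_sessions and share >= threshold)


if __name__ == "__main__":
    cookied, beaconed = parse_log(SAMPLE_LOG)
    stats = no_gif_share(cookied, beaconed)
    for aff, (n, g, share) in sorted(stats.items()):
        print(f"{aff}: {n} cookied, {g} loaded the gif, {share:.0%} did not")
    print("flagged:", flag_affiliates(stats))
```

Two practical points: serve the beacon with Cache-Control: no-store and a per-session query string, so that a cached copy of the gif cannot hide a genuine return visit, and keep min_sessions above a handful so a partner with three clicks is not flagged on noise.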

How to create a Black Hat Seo Botnet

Posted by k | Posted in Black Hat, Hacking, SEO | Posted on 08-05-2009

Every REAL Black Hat SEO who lives up to the name has his own botnet, in order to link spam or social vote (among other actions) with ease. This post will teach you, in detail, how to build one of your own!

What these bots do is receive orders and act accordingly: visit a simple URL, fill in a form or click on a button.

So, what do you need to code? You need to code a bot that:
- Self-extracts when the program carrying it is run, and quietly installs
- Runs hidden every time the PC starts
- Periodically checks a given URL for new orders
- Executes orders

There is, however, some ethics involved! What it DOES NOT do:

- No personal information whatsoever is collected from the zombie PC. That means behaving better than most spyware, and even G itself, which calls home on Chrome with all your sexual fetishes.
- Absolutely no harm is done to the zombie. Even resource usage (memory and CPU) is kept low.
- It will self-destruct in x days.

First select your language: Visual Basic, Delphi or C. Forget .NET or C#. Anyway, this post is about what to call and where, so it’s good for all languages.

It is no longer possible (since XP) to hide (the easy way) an application from the service tab, so be ingenious when naming it. You can and should, however, hide it from the task list of applications. Doing this is easy in VB using Me.Hid; in C use SW_HIDE. When I say ingenious I mean naming it after something an average user will believe is part of Windows.

The first thing the bot does is check whether this is a first-time run. If it is, it must install. You do this by checking the registry key: if it’s already there, it’s not a first-time run. Use wscript.shell to read and write the registry. It’s the most reliable and safe way to do it these days.

You will create a key under \Software\Microsoft\Windows\CurrentVersion\Run so that it runs every time the PC starts. Don’t use HKEY_LOCAL_MACHINE, because you will need admin rights to write there; use HKEY_CURRENT_USER instead.

An important thing to notice is that you can’t use the string “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” in your app. It will get detected by most recent antivirus. There’s however a cool way to trick them: use some very simple encryption algorithm and decode the string only at run time. A simple replacement of “o” with “0” will do the trick.

Back on track: if the key is not there, it’s a first-time run and you must install. When installing you need to extract the program. You must also let the parasite program run. (They are both the same in this example.)

Where will you write the app to? Forget about writing to c:\Program Files\ or even c:\. All you will get on Vista is virtual paths. Use CSIDL_APPDATA to get a nice real path like C:\Users\admin\AppData\Local.

(Instead of checking the registry key, you can also check whether your program has already been dropped. If it’s there, it’s not a first-time run.)

As it’s a first-time run, let’s install. Install has three steps: write the key to the registry as explained above; copy the program itself to the path you found, rename it (don’t forget Windows runs anything, it does not need to be an .exe) and flag it system and hidden; and finally do something to entertain the victim. You can shell-call anything, from IE with a page to Paint with an image.

That’s it, we’re set to go. Next time the user restarts, it will load our bot.

Now, how do we make contact? Well, forget about mail and FTP. You would be noticed in no time. You should always hit a web page, either to collect orders or to send reports.

The best way to do this is using the Microsoft.XMLHTTP (msxml2.xmlhttp) object and the DOM document, MSXML2.DOMDocument. Simple, fast, asynchronous and stealthy.

And how do you know the user is connected? Well, again, forget about checking InternetGetConnectedState in wininet.dll. You have to do the most basic of all things: use the Microsoft.XMLHTTP object to hit Yahoo.com and see if it’s there; then you’ll know. (Don’t hit Google.com.)

Now put it on a timer and check your site.php page to read instructions from time to time. These instructions can also include a self-destruction order! In that case, you would delete the key and that’s it. You can also delete the app itself, but it’s more complex. No need to do that; it will just lie there forever.
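The persistence steps described above (a value under the per-user Run key, a renamed non-.exe file dropped under AppData, a value name chosen to pass for a Windows component) are also exactly the signals a defender audits for. The following is an added example, not code from this post: a Python script that parses a .reg export of the HKEY_CURRENT_USER Run key and scores each entry against those signals. The input format is the one written by the reg export command; the sample entries, the word list and the scoring thresholds are constructed assumptions.

```python
r"""
Audit a .reg export of the per-user Run key for the persistence pattern the post
describes: a file copied under the user's AppData, renamed to something other
than .exe, registered under HKEY_CURRENT_USER\...\Run and given a value name
that imitates a Windows component (digits standing in for letters).

Added defensive example, not code from the post. It reads the format produced by
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
The sample export below is constructed and the scoring heuristics are assumptions.
"""
import ntpath
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: OneDrive legitimately runs from AppData (so that signal
# alone is weak); the other two entries fit the post's dropper pattern.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Wind0ws Defender"="C:\\Users\\admin\\AppData\\Local\\wd\\update.dat"
"Spooler"="\"C:\\Users\\admin\\AppData\\Local\\sp\\spoolsv.scr\""
'''

# "name"="value" lines of a .reg file; both sides use \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Digit-for-letter swaps of the kind the post suggests, mapped back to letters.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Words a value name would borrow to look like part of Windows (assumed list).
WINDOWS_WORDS = ("windows", "microsoft", "defender", "update", "service", "svchost", "explorer")


def _unescape(s: str) -> str:
    # Undo .reg string escaping: \" becomes " and \\ becomes \
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text: str, key: str = RUN_KEY) -> Dict[str, str]:
    """Return {value name: command line} for one key of a .reg export."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_path(command: str) -> str:
    """First token of a Run command line: a quoted path, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def audit(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each Run entry to the list of signals it triggers (empty list if none)."""
    findings: Dict[str, List[str]] = {}
    for name, command in values.items():
        path = executable_path(command)
        ext = ntpath.splitext(path)[1].lower()
        reasons: List[str] = []
        if "\\appdata\\" in path.lower():
            reasons.append("runs from the user profile (AppData), where no admin rights are needed to drop a file")
        if ext != ".exe":
            reasons.append(f"launches a file that is not an .exe ({ext or 'no extension'}); Windows runs it regardless")
        normalised = name.lower().translate(LOOKALIKE)
        if normalised != name.lower() and any(w in normalised for w in WINDOWS_WORDS):
            reasons.append(f"value name imitates a Windows component with digit substitution ({name!r} -> {normalised!r})")
        findings[name] = reasons
    return findings


def alerts(values: Dict[str, str], min_reasons: int = 2) -> List[str]:
    """Entries that trigger at least min_reasons signals; one signal alone is too noisy."""
    return sorted(name for name, reasons in audit(values).items() if len(reasons) >= min_reasons)


if __name__ == "__main__":
    entries = parse_run_values(SAMPLE_REG)
    for name, reasons in audit(entries).items():
        print(f"{name}: {executable_path(entries[name])}")
        for r in reasons:
            print("   -", r)
    print("alerts:", alerts(entries))
```

On a live machine the same checks extend naturally to the file itself (hidden and system attributes on a freshly dropped file are a further signal), and the run key export can be taken for HKEY_LOCAL_MACHINE as well; the two-signal threshold is what keeps legitimate AppData-resident software such as OneDrive out of the alert list.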

In part II of this tutorial we will see how to pass orders to the bot and, most importantly, how to get the bot to obey. It’s fairly simple and, best of all, on every site we hit we will be behaving just as if we were the normal user of that PC, surfing and voting on pages and social networks. No need to melt our brains on complex JavaScript routines with dubious results that depend on XSS holes which get patched in no time these days.

Now imagine you were about to launch a new website. How about having your whole botnet vote for it on Digg, Stumble it, tweet it, and link it all over? It would be great, wouldn’t it?

No, it would not. This is not the way it is done. You simply can’t raise your head too far above the water or you’ll get caught in no time. We’ll see how this is done in part two, but I think you must have an idea about it by now.

Free 50Gb hosting for 1 year

Posted by k | Posted in Hosting | Posted on 15-04-2009

Only the first 1000 new members will get a free pro hosting account.

- 50 GB disk space
- 500 GB bandwidth
- Support team 24/7 (chat, email and telephone)
- Unlimited domain management
- Unlimited email boxes
- Spam filter for your email
- Auto-responder
- Web-based email client
- POP/SMTP access
- Unlimited FTP accounts
- 50 one-click programs, including Joomla, Magento, etc.

Multiple server locations:
Bear (Great Britain)
Fox (Lithuania, Vilnius)
Wolf (Germany)
Ox (The Netherlands)

http://vip.host1plus.com/on-air/

Still more freebies

Posted by k | Posted in Finding Good Domains, Registering New Domains | Posted on 09-02-2009

€1 .com domains here: http://www.united-domains.de (IDNs also)

Free WP blog ON your domain here: https://panel.dreamhostapps.com/signup

No more excuses for not making money online. Hurry up, limited time and/or slots available.

Note: No affiliate bullshit links, just plain text clean links.

Some freebies

Posted by k | Posted in Black Hat, Registering New Domains | Posted on 29-01-2009

You have two days to register .es (Spanish TLD) domains at $1 each (pay in dollars) on Gandi.net, no strings attached. Don’t forget it’s also valid for IDN .es domains.

You can get a free domain on Register using this link. Not sure about the strings attached on this one.

And now comes the Black Hat part: how about a nice free .edu wp blog just for you to have fun?

The Expired Domain Auctions Arbitrage Loophole

Posted by k | Posted in Black Hat, Finding Good Domains | Posted on 24-12-2008

GoDaddy and Dynadot (there may be others) run a very peculiar expired-domain auction service, which must not, in any case, be weighed against professional drop catchers like Pool or Snap.

Despite the “expired” label, they auction the domains before they actually expire. Domains get listed, domainers bid up their offers, the best bid wins, receives a congratulations email, and the domain gets pushed to the winner’s account.

What’s astonishing is what comes next: a new email is received saying the previous owner has renewed the domain. Say what?! He has renewed the domain I won?!

Who cares!? I don’t! I get all my domains at reg fee. So should you. Anyway, what’s important to note is that there’s real arbitrage loophole potential in this: there’s a domainer wasting the domain (he let it expire) and a domainer (often several) ready to pay top dollar for it (some sell for thousands).

Of course registrars are not THAT dumb and protect the whois data. But there are, at least, two ways to find the real owner of the domain:

- Searching on domainers forums for recent sales/appraisals threads on that domain.

- Using the whois history service provided by domaintools.com

So, it’s up to you to connect the remaining dots, but still, I advise you not to offer more than two years’ reg fee, and only for the top auctions, in order not to raise much suspicion and to keep yourself below the radar.

The Blackhatworld Rocks Competition

Posted by k | Posted in Black Hat, SEO | Posted on 02-11-2008

Blackhatworld forum has run a competition to rank #1 for the Google term “blackhatworld rocks”.

Guess what? The winner won using a perfect domain match. What have I been telling you lately about the power of a domain name.com?

Anyway, it’s a great spot to look for what’s currently passing link juice and what’s not, where to drop your links and where to parasite host. Despite the name of the forum, don’t expect too much hardcore BH SEO, lol. Anyway, here are some examples:

http://grazr.com/blog/wolvax
http://www.freewebs.com/blackhatworld-rocks/
http://blackhatworldrocks.vox.com
http://blackhatworldrocks.co.cc
http://www.merchantcircle.com/business/BlackHatWorld.Rocks.800-858-4854
http://hubpages.com/hub/blackhatworldrocks
http://www.xomba.com/blackhatworld_rocks_contest
http://newyork.backpage.com/GeneralCommunity/blackhatworld_rocks_/classifieds/ViewAd?oid=4989167
http://blackhatworldrocks.blip.tv/
http://nashville.backpage.com/GeneralCommunity/blackhatworld_rocks_seo_contest_/classifieds/ViewAd?oid=835349

Real Black Hat SEO

Posted by k | Posted in Black Hat, SEO | Posted on 28-10-2008

You’ve got your domains; you’ve developed some easy sort of MFA sites and guess what? Nobody pays you a visit.

Yes, you need some SEO. But as a Black Hat, I won’t give you the same old “build links and get some original on-topic content”. Of course that’s important, but let me tell you some new and still not overused tricks:

RSS

In case you still haven’t noticed, Google Webmaster Tools now tracks the number of RSS feed subscribers you have. And having a large subscription base can easily shoot your articles’ rankings up. The magic number seems to be at least 25 for most things; however, if you can get this number well over 50, it won’t be very hard to get highly competitive article themes way up in the rankings.

But how do I boost my subscriptions, you now ask. No, it’s no good to Photoshop your FeedBurner widget. Instead, let’s try some online RSS readers. Just create several Gmail accounts and use each account to subscribe to your own RSS feed. Use as many online readers and aggregators as you can find, like Netvibes. How do you think Shoemoney got that overnight boost in RSS subscribers during the dispute with John Chow?


(Embedded video: Feedburner hacked! from Boris Veldhuijzen van Zanten on Vimeo.)

BOUNCE

Google is using a comprehensive measure of your pages’ bounce rate and takes it into account when calculating your overall rankings. If your pages are bouncing back to the search results over 80 percent of the time, it’s highly likely that the rankings will either be demoted or drop off completely. Between 50 and 60 percent seems to be the average that keeps a site ranked and consistent. However, if you can get the site to bounce less than 20 percent, you’ll be performing in the top percentile and consistently rank well.

Again, how can you improve your bounce rate, you may ask? No, it’s not enough to show some great boobs! Instead you need to disable the back button on your sites with JavaScript! That will prevent people from going back to the search results.

Browse the web for several ways to do this; here’s a nice one for Firefox from Jeremiah Grossman.
Homework: discover how Shoemoney does it for Opera… it’s in one of the .js files he loads…

FLOOD

The People Flood tactic has been in use for a very long time now, and is still very effective. What this trick does is simple: a bunch of people search for your keywords and click on your pages.

The best and most effective way to do this is using an iframed Google XSS injection on a high-traffic site. However, nowadays it’s very hard to find a Google XSS, and the ones found stay unpatched for a very short time. But why do you need an XSS? Because G now uses a token to track your cookie.

So that leaves you not many choices but to use cheap human labor. Amazon’s Mechanical Turk is one of the options.

More hints on what keywords are worth more on a domain name

Posted by k | Posted in Finding Good Domains | Posted on 04-08-2008

In 2007, 3.8 billion searches were conducted on yellow pages sites as well as the local listings they provide to search engines such as Google, Yahoo and others. So what are the most popular things being searched for?


1. Restaurants
2. Physicians & Surgeons
3. Hotels
4. Auto Repairing & Service
5. Florists-Retail
6. Auto Dealers-New & Used
7. Dentists
8. Auto Parts & Supplies - New & Used
9. Beauty Salons (tie)
10. Hospitals (tie)

This list was put out by the Yellow Pages Association. The data was collected by Knowledge Networks/SRI.

How to successfully launch a website with a premium domain and only $100

Posted by k | Posted in Black Hat, SEO | Posted on 22-05-2008

Lyndon Antcliff recently helped a client achieve over 1500 inbound links in under a week with a story designed to grab attention.
The article - 13 Year Old Steals Dad’s Credit Card to Buy Hookers – appeared on money.co.uk as part of Lyndon’s linkbaiting campaign, and it was certainly successful.

The story soon appeared around the world. Digg users pumped it up to a total of 2452 diggs, driving tons of traffic to the page. Then news outlets started leaping on the story. In Australia, News.com.au, The Daily Telegraph and more all publicized the story, driving hundreds of links and thousands of site visitors back. Back in the UK, best-selling newspaper The Sun published the story in its pages. News services loved the story of what American teens can get up to. In the States, Fox News aired the story, which later spread widely through YouTube.

But the whole article was fake. Now the fun part began. Lyndon couldn’t resist and made the classic mistake: gloating. By announcing the hoax on his own website, he created a buzz all over, and the discussion is still going on about how unethical the move was.

My intention is not to discuss whether he was right or wrong; he ruined it all anyway, Matt spoke and so there’s no link juice from Google now. The single most important piece of the puzzle was the domain name, and no one seems to acknowledge this! Well, almost no one.

On the Sphinn story comments page, scroll down and you’ll find this:

[…]checked the originating website and saw it was money.co.uk and went ‘wow, it’s true.’ It’s there. Read the comments. There are close to 150 of them and only about five call it a fake. The rest want to canonize the kid. They discussed whether it was fake and decided it was true. Based on the website.”

Yes, but it was not based on the website; it was a decision based on the domain name! Solely based on the domain name! That finally brings me to the title of this post: how to successfully launch a website with a premium domain and only $100, in just two simple steps:

1. Write a funny fake on-topic story and publish it on the premium domain. You can also copy one already posted and give it a twist; TheOnion is a great place to start looking for cool fake stories.
2. Buy some Diggs for the story. The current exchange rate is $1 a Digg. 100 Diggs will win the initial inertia and after that, reaching the homepage is easy. I won’t promise it would go to Fox News or The Sun but, as seen on TV, your chances are very good.