You’re a Black Hat Seo? You’re going to jail: security industry sees Black Hat Seos as criminals!

Posted by k | Posted in Black Hat, Facebook, Hacking, SEO | Posted on 18-04-2010

So you think you’re a real Black Hat Seo? Then, what do “SEO poisoning”, “SEO poisoned page” or “blackhat SEO kit” mean?

Well, that’s what the other side calls our little tools. Here’s a translation so that you can read here or this nice new report from Sophos here: http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf

  • SEO page: Keyword optimized page
  • SEO kit: Auto content creation script
  • SEO poisoning: SEO optimizing a page
  • SEO poisoned page: SEO optimized page
  • Search engine crawler: Spider bot

Hey, Sophos, CA: Black Hat Seos are not crooks. 95% of the Black Hat Seos I know of don’t do malware. The security industry is looking at this from a completely wrong “poisoned” perspective.

These crooks are using Black Hat tools to get traffic, to find people, that’s all. Just as they are using everything else on the net that can bring them people, like mail spam, torrents, emule, instant messaging, whatever. Unless you think mail or IM are evil also?!

They are just playing Google. Why don’t you blame Google instead? You easily blame Facebook when it allows a shitty app to spread malware. Now why is Google different? Not in traffic size, last time I checked.

They have created “Black Hat Seo” categories on their security blogs alongside real bad stuff like Rootkits. I have to be honest: in the end I can still take some advantage from this. I have subscribed to their RSS feeds and learned some new tricks, like the fake PDF which is a simple HTML with links (EVIL!), and that has been used lately to gain link juice from Scribd.

Security experts please realign your ideas correctly: one can put links anywhere, one can drive traffic for those links in many possible ways, what matters is what’s on the other side of those links!

How to create a Black Hat Seo Botnet

Posted by k | Posted in Black Hat, Hacking, SEO | Posted on 08-05-2009

Every REAL Black Hat Seo who lives up to his name has his own botnet, in order to easily link spam or social vote (among other actions). This post will teach you, in detail, how to build one of your own!

What these bots do is they receive orders and act accordingly. Either, visit a simple url, fill a form or click on a button.

So, what do you need to code? You need to code a bot that:
- Self extracts itself when running another program and quietly installs
- Runs hidden every time the PC starts
- Periodically checks a given URL for new orders
- Executes orders

There is however some ethic involved! What it DOES NOT do:

- No personal information what-so-ever is collected from the zombie PC. It means behaving better than most spyware and even G itself which calls home on Chrome with all your sexual fetishes.
- Absolutely no harm is done to the zombie. Even the resources’ usage is kept low. (memory and cpu)
- It will self-destruct in x days.

First select your language: Visual Basic, Delphi or C. Forget .net or C#. Anyway this post will be about what to call and where, so it’s good for all languages.

It is no longer possible (since XP) to hide (the easy way) an application from the service tab, so be ingenious on naming it. You can and should however hide it from task list applications. Doing this is easy on VB using Me.Hid. On C use SW_HIDE. When I say ingenious I mean naming it after something an average user will believe is part of Windows.

First thing the bot does is to check if this is a first time run. If it is, then it must install. You do this by checking the registry key. If it’s already there, it’s not a first time run. Use wscript.shell to read and write to the registry. It’s the most reliable and safe way to do it these days.

You will create a key on \Software\Microsoft\Windows\CurrentVersion\Run so that it runs every time the PC starts. Don’t use HKEY_LOCAL_MACHINE, because you will need admin rights to write there, use HKEY_CURRENT_USER instead.

An important thing to notice is that you can’t use the string “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” on your app. It will get detected by most recent antivirus. There’s however a cool way to trick them: use some very simple encrypt algorithm and decode the string only at run time. A simple replacement on “o” for “0” will do the trick.

Back on track, if the key is not there, it’s a first time run and you must install. When installing you need to extract the program. You must also let the parasite program run. (They both are the same on this example)

Where will you write the app to? Forget about writing to c:\Program Files\ or even c:\. Everything you will get on Vista is virtual paths. Use CSIDL_APPDATA to get a nice real path like: C:\Users\admin\AppData\Local.

(Instead of checking the registry key, you can also check if your program is already dropped. If it’s there, it’s not a first time run)

As it’s a first time run, let’s install. Install has three steps. Write the key to the registry as explained above, copy the program itself to the path you found, and rename it (don’t forget windows runs anything, it does not need to be an .exe) flag it to system and hidden, and finally do something to entertain the victim. You can shell call anything, from ie with a page to painter with an image.

That’s it, we’re set to go. Next time the user restarts it will load our bot.
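Seen from the defender's side, the traits described above can be checked for: an HKEY_CURRENT_USER Run value that points at a renamed file under AppData, and a Run key path disguised with look-alike characters. The following Python is an added example, not code from the original post; the registry export, value names and string list are constructed, and the look-alike pairs other than "0" for "o" are assumptions.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"software\microsoft\windows\currentversion\run"
LOOKALIKES = str.maketrans("013", "ole")  # "0"->"o" is the post's trick; "1", "3" are assumed
USUAL_EXT = {".exe", ".com", ".bat", ".cmd"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample: a `reg export`-style dump and strings pulled from a binary.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinHelper"="C:\\Users\\admin\\AppData\\Local\\winhlp.dat"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\""
'''
SAMPLE_STRINGS = ["wscript.shell",
                  r"HKEY_CURRENT_USER\S0ftware\Micr0s0ft\Wind0ws\CurrentVersi0n\Run"]

def disguised_run_key_strings(strings):
    """Strings that name the Run key only after look-alike characters are undone."""
    return [s for s in strings
            if RUN_KEY not in s.lower() and RUN_KEY in s.lower().translate(LOOKALIKES)]

def audit_run_values(reg_text):
    """Return {value name: [reasons]} for HKCU Run values worth a closer look."""
    findings, in_run = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]").lower()
            in_run = key.startswith("hkey_current_user") and key.endswith(RUN_KEY)
            continue
        m = VALUE_RE.match(line)
        if not (in_run and m):
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo .reg escaping
        exe = re.match(r'"([^"]*)"|(\S+)', data.strip())  # quoted path or first token
        if not exe:
            continue
        path = PureWindowsPath(exe.group(1) or exe.group(2) or "")
        checks = [("target under user-writable AppData",
                   "appdata" in [p.lower() for p in path.parts]),
                  ("unusual extension " + path.suffix, path.suffix.lower() not in USUAL_EXT)]
        reasons = [why for why, hit in checks if hit]
        if reasons:  # AppData alone is common for legitimate software; two reasons rank higher
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(audit_run_values(SAMPLE_REG), disguised_run_key_strings(SAMPLE_STRINGS))
```

An entry with a single AppData reason (many legitimate updaters live there) is a lower priority than one that also carries a non-executable extension.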

Now how do we make contact? Well, forget about Mail and FTP. You would be noticed in no time. You should always hit a web page: either to collect orders or send reports.

Best way to do this is using Microsoft.XMLHTTP’s msxml2.xmlhttp object and the Dom document: MSXML2.DOMDocument. Simple, fast, asynchronous and stealth.

And how do you know user is connected? Well, again forget about checking the InternetGetConnectedState on wininet.dll. You have to do the most basic of all the things: use Microsoft.XMLHTTP object to hit Yahoo.com and see if it’s there, then you’ll know. (Don’t hit Google.com)

Now put it on a timer and check your site.php page to read instructions from time to time. These instructions can also include a self destruction order! In that case, you would delete the key and that’s it. You can also delete the app itself, but it’s more complex. No need to do that, it will just lay there forever.

In part II of this tutorial we will see how to pass orders to the bot and, most important, how to get the bot to obey. It’s fairly simple and best of all, on all sites we hit, we will be behaving just as if we were the normal user of that PC surfing and voting on pages and social networks. No need to melt our brain on complex Javascript routines with dubious results and that are dependent on XSS holes that get patched in no time these days.

Now imagine you were about to launch a new website. How about having all your botnet vote for it on Digg, Stumble it, tweet it, and link it all over? It would be great, wouldn’t it?

No, it would not. This is not the way it is done. You simply can’t raise your head too much above water or you’ll get caught in no time. We’ll see how this is done in part two, but I think you must be getting an idea about it by now.

The Blackhatworld Rocks Competition

Posted by k | Posted in Black Hat, SEO | Posted on 02-11-2008

Blackhatworld forum has run a competition to rank #1 for the Google term “blackhatworld rocks”.

Guess what? The winner won using a perfect domain match. What have I been telling you lately about the power of a domain name.com?

Anyway, it’s a great spot to look for what’s currently passing link juice and what’s not, where to drop your links and where to parasite host. Despite the name of the forum, don’t expect too much hard core BHSeo, lol. Anyway, here you have some examples:

http://grazr.com/blog/wolvax

http://www.freewebs.com/blackhatworld-rocks/

http://blackhatworldrocks.vox.com

http://blackhatworldrocks.co.cc

http://www.merchantcircle.com/business/BlackHatWorld.Rocks.800-858-4854

http://hubpages.com/hub/blackhatworldrocks

http://www.xomba.com/blackhatworld_rocks_contest

http://newyork.backpage.com/GeneralCommunity/blackhatworld_rocks_/classifieds/ViewAd?oid=4989167

http://blackhatworldrocks.blip.tv/

http://nashville.backpage.com/GeneralCommunity/blackhatworld_rocks_seo_contest_/classifieds/ViewAd?oid=835349

Real Black Hat SEO

Posted by k | Posted in Black Hat, SEO | Posted on 28-10-2008

You got your domains; you’ve developed some easy sort of MFA sites and guess what? Nobody pays you a visit.

Yes, you need some SEO. But as a Black Hat, I won’t give you the same old “build links and get some original on-topic content” advice. Of course that’s important, but let me tell you some new and still not overused tricks:

RSS

In case you still didn’t notice, Google Webmaster Tools now tracks the number of RSS feed subscribers you have. And having a large subscription base can easily shoot your articles’ rankings up. The magic number seems to be at least 25 for most things; however, if you can get this number well over 50, it won’t be very hard to get highly competitive article themes way up in the rankings.

But how do I boost my subscriptions, you now ask. No, it’s no good to Photoshop your feedburner widget. Instead, let’s try some online RSS readers. Just create several Gmail accounts and use each account to subscribe to your own RSS feed. Use as many online readers and aggregators as you can find, like Netvibes. How do you think Shoemoney got that overnight boost on rss subscribers on the dispute with John Chow?


Feedburner hacked! from Boris Veldhuijzen van Zanten on Vimeo.

BOUNCE

Google is using a comprehensive measure of your pages’ bounce rate and takes it into account when calculating your overall rankings. If your pages are bouncing over 80 percent of the time back to the search results, it’s highly likely that the rankings will either be demoted or drop off completely. Between 50 and 60 percent seems to be the average that keeps a site ranked and consistent. However, if you can get the site to bounce less than 20 percent, you’ll be performing in the top percentile and consistently rank well.

Again how can you improve your bounce rate you may ask? No, it’s not enough to show some great boobs! Instead you need to JavaScript disable the back button on your sites! That will prevent people from going back to the search results.

Browse the web for several ways to do this, here’s a nice one for Firefox from Jeremiah Grossman.
Homework: discover how Shoemoney does it for Opera… it’s on one of the .js files he loads…

FLOOD

The People Flood tactic has been in use for a very long time now, and is still very effective. What this trick does is simple: a bunch of people search for your keywords and click on your pages.

The best and most effective way to do this is using an iframed Google XSS injection on a high traffic site. However nowadays it’s very hard to find a Google XSS and the ones found stay unpatched for a very short time. But why do you need an XSS? Because G now uses a token to track your cookie.

So that leaves you not many choices but to use cheap human labor. Amazon’s Mechanical Turk is one of the options.

How to successfully launch a website with a premium domain and only $100

Posted by k | Posted in Black Hat, SEO | Posted on 22-05-2008

Lyndon Antcliff recently helped a client achieve over 1500 inbound links in under a week with a story designed to grab attention.
The article – 13 Year Old Steals Dad’s Credit Card to Buy Hookers – appeared on money.co.uk as part of Lyndon’s linkbaiting campaign, and it was certainly successful.

The story soon appeared around the world. Digg users pumped it up to a total 2452 diggs, driving tons of traffic to the page. Then news outlets started leaping on the story. In Australia News.com.au, The Daily Telegraph, and more all publicized the story, driving hundreds of links and thousands of site visitors back. Back in the UK, best selling newspaper The Sun published the story in their pages. News services loved the story of what American teens can get up to. In the states, Fox News aired the story, later spread wide through YouTube.

But the whole article was fake. Now the fun part began. Lyndon couldn’t resist himself and made the classical mistake: gloating. On announcing the hoax on his own website, he created a buzz all over and the discussion is still going on how unethical the move was.

My intention is not to discuss if he was right or wrong, he ruined it all anyway, Matt spoke and so no linkjuice from Google now. The only, most important part of the puzzle was the domain name and no one seems to acknowledge this! Well, almost no-one.

On Sphinn story comments page, scroll down the page and you’ll find this:

[…]checked the originating website and saw it was money.co.uk and went ‘wow, it’s true.’ It’s there. Read the comments. There are close to 150 of them and only about five call it a fake. The rest want to canonize the kid. They discussed whether it was fake and decided it was true. Based on the website.”

Yes, but it was not based on the website, it was a decision based on the domain name! Solely based on the domain name! That finally brings me to the title of this post: how to successfully launch a website with a premium domain and only $100, with just two simple steps:

  1. Write a funny fake on-topic story and publish it on the premium domain. You can also copy one already posted and give it a twist; TheOnion is a great place to get started looking for cool fake stories.
  2. Buy some Diggs for the story. Current exchange rate is $1 a Digg. 100 Diggs will win the initial inertia and after that, reaching the homepage is easy. I won’t promise it would go Fox News or The Sun but, as seen on TV, your chances are very good.

Stop words on Domains

Posted by k | Posted in Finding Good Domains, Registering New Domains, SEO | Posted on 21-02-2008

As you know, one of the most important factors when valuating a domain name is its ability to attract Google queries.

That’s why when trying to fresh register domains using top keywords lists from Overture (RIP), WordZe, WordTrack or any keyword tool, you’ll quickly find out they are all taken, including the most remote tlds! I can also assure you having a keyword.com is one hell of a giant leap over several months of classic SEO hard work.

As Google algorithm evolves and changes, we domainers must keep our eyes wide open to new breaks that can surface just around the corner.

One of the best (and hardest) ways to know (even beforehand) how Google algorithm will evolve is to read Google filings for patents! I know, it’s stomach-churning, but someone has to do it.

One of the latest patents is about a new index method: US Patent 7,319,994, granted January 15, 2008. It’s named: Document compression scheme that supports searching and partial decompression.

In the end, what it refers to is a new, much faster way to index and search using a compressed index and partial decompression searches. There’s a paragraph specifically about stop words:

Typically, given a query, the performance bottleneck is the time it takes to decode the occurrences (which are typically delta encoded to save space, and thus have to be followed from the beginning) of the most frequently occurring term, especially if this term is a so-called stop-word such as “the”.

The new system would look for the less popular terms that appear in the query, and then look to see if the stop words in the query are nearby.
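A simplified illustration of the two paragraphs above, added here and not taken from the patent or from Google's implementation: positions are delta encoded per term, so reading a term's occurrences means decoding its whole list, and the phrase search decodes only the rarest query term and then checks whether the other words, stop words included, sit next to each hit. The sample sentence and all function names are constructed.

```python
def delta_encode(positions):
    """Store each position as the gap from the previous one."""
    gaps, prev = [], 0
    for p in positions:
        gaps.append(p - prev)
        prev = p
    return gaps

def delta_decode(gaps):
    """Recover positions; every gap must be read from the start of the list."""
    positions, total = [], 0
    for g in gaps:
        total += g
        positions.append(total)
    return positions

def build_index(tokens):
    """Map each term to its delta-encoded list of token positions."""
    postings = {}
    for pos, tok in enumerate(tokens):
        postings.setdefault(tok, []).append(pos)
    return {term: delta_encode(pos_list) for term, pos_list in postings.items()}

def phrase_search(tokens, index, phrase):
    """Return (phrase start positions, number of postings decoded).

    Only the least frequent query term is decoded; the remaining words are
    verified by looking at the tokens around each of its occurrences.
    """
    words = phrase.lower().split()
    if not words or any(w not in index for w in words):
        return [], 0
    rare = min(words, key=lambda w: len(index[w]))
    offset = words.index(rare)
    decoded = delta_decode(index[rare])
    hits = [pos - offset for pos in decoded
            if pos - offset >= 0
            and tokens[pos - offset:pos - offset + len(words)] == words]
    return hits, len(decoded)

# Constructed sample text: "the" is the most frequent term, as a stop word would be.
TOKENS = ("the cat saw the great game and the dog saw the game "
          "while the great game went on").split()
INDEX = build_index(TOKENS)

if __name__ == "__main__":
    print(phrase_search(TOKENS, INDEX, "The Great Game"))
```

For the query "The Great Game" the search decodes the two postings of "great" instead of the ten postings held by all three terms together.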

Is this already implemented? The answer is yes. You don’t see stop warnings anymore. Just try searching for The Great Game.

You know what to do next: here’s a list of stop words in English and some other languages, and happy domain hunting!

The only thing that worries me is the fact Google does not highlight the “The” on theGreatDomain.com domain. Further tests will be made. Keep visiting…