The future of negative SEO, Part 6

Now that you know how to identify, prevent, stop and recover from a Negative SEO attack, here’s a look toward possible future threats you should arm yourself to fight.


The first point I would like to make is that what worked yesterday is likely to work tomorrow, and the next day, and the next, ad nauseam. So long as Google is relying on data to decide where to rank a site, it will be possible for that data to be viewed either positively or negatively.

Thus, the more reliant Google is on a signal, the more difficult it will be for them to completely nullify the effects of a bad actor attempting to attack you by manipulating the data underlying that signal. What we saw working in the earlier articles of this series should occupy most of your attention; the following is what I expect may come to pass in the next year or three.

In keeping with our practice of simplifying SEO into the buckets of content, links, and user signals, we are going to approach the future negative SEO attack vectors in the same manner.

Links

Social links from low-quality accounts. For the most part, social links don’t appear to directly impact rankings significantly, though they are useful for link discovery purposes.

In the future, however, Google may start to place a premium on who shares a link, especially with verified accounts; in this scenario, having links to your site shared out by known bot networks may result in an adverse reaction similar to the early link penalties related to bad web neighborhoods.

Seeking out toxicity. One tactic that bad actors sometimes use is to place outbound links on toxic websites, hoping to associate their targets with these known ill-reputed players.

Now that link tools like SEMrush / LinkResearchTools / Majestic and others make disavow files and other toxicity data available through their APIs, attackers could be more efficient in ensuring that time spent accruing bad links will yield a higher probability of resulting in a penalty. It’s only a matter of time before a bad actor syncs this data directly to their link spam tools for maximum effect.

Anonymous/fake press releases. Placing press release links, as a tactic, still works for positive SEO. What I have not yet seen in the wild and expect to see at some point is a fake news push via the press. If an attacker submitted a press release anonymously and purchased placement via cryptocurrencies, it would be relatively easy to either highlight negative news or make up a story that is potentially damaging, simultaneously using rich anchor text in the links back to the target domain.

Such a tactic would be harmful in two ways: first, it would potentially result in bad press ranking for key terms and second, the targeted anchor text may trip an algorithmic link penalty.

Using Google Assistant to do bad things. This is a favorite of mine, insofar as a potentially useful tool can be used for some truly awful things. In this example, it is already a simple process to determine the majority of a competitor’s links via one’s favorite link research tool; then those links can be parsed through a WHOIS service, as we described in a previous article.

Finally, the future part: Google Assistant, specifically the Duplex feature being released to some Pixel smartphones next month, could be used to mimic a human, calling and requesting link removals to the webmaster contacts, repeatedly. When this tactic starts, it will be extremely successful and damaging. (Google says Duplex will identify itself as a non-human, but it remains to be seen whether that can be overridden in some way.)

Content

Duplicate content served through proxies. This is an old tactic that I fear may return soon. It works by setting up a proxy gateway site to index and effectively crawl a website, making and displaying a copy of it. I fear it may come back because Google appears to be making a concerted effort to focus more on entities and less on URLs.

URLs help us to distinguish real vs fake on the web, help us to understand underlying technologies being used, a site’s structure, and so much more. If Google ultimately moves to drop URLs as it has been recently suggested they’d like to do, one can expect this tactic to be extremely effective in robbing a site of its traffic via duplicated content that an attacker has set up.

Misused AMP. AMP can be misused in multiple ways to cause confusion among users and webmasters alike, but with regard to negative SEO, the simple method is to create an AMP site with bad content and use the rel=canonical tag to connect it to a target site.

In this case, bad content can simply mean content that is an 80% textual match to the target page’s content, except with more keyword stuffing and adult phrases designed to trigger Safe Search.

Injected canonicals. In the same way that an attacker can inject content onto a site through a hack or technical misconfiguration, a bad actor may implement a PWA (progressive web app) and associate the PWA with a target domain, via the hack.

If properly cloaked to the website owner, the PWA could appear as a normal branded PWA, but it would just so happen to steal customer information or otherwise cause reputational problems. Similar to the PWA-injected content problems, a bad actor could also tweak AMP and hreflang settings in an attempt to cause incorrect indexing issues.
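A site owner can watch for the injected canonical, AMP, hreflang and PWA manifest tags described above by auditing the `<link>` tags their own pages serve. The following is an added example, not code from the article's author; the trusted host list, the sample HTML and the function names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts the site owner actually controls (constructed values).
TRUSTED_HOSTS = {"www.example.com", "amp.example.com"}
# rel values that steer indexing or associate a PWA with the page.
WATCHED_RELS = {"canonical", "amphtml", "alternate", "manifest"}


class LinkAudit(HTMLParser):
    """Collects <link> tags whose rel affects indexing or PWA association."""
    def __init__(self):
        super().__init__()
        self.links = []  # (rel, hreflang, href)

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        for rel in a.get("rel", "").lower().split():
            if rel in WATCHED_RELS:
                self.links.append((rel, a.get("hreflang", ""), a.get("href", "")))


def audit_page(page_url, html, trusted=TRUSTED_HOSTS):
    """Return findings for watched <link> tags that leave the trusted hosts."""
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    if sum(1 for rel, _, _ in parser.links if rel == "canonical") > 1:
        findings.append(("canonical", "multiple canonical tags", page_url))
    for rel, hreflang, href in parser.links:
        if rel == "alternate" and not hreflang:
            continue  # plain alternates (feeds etc.) do not steer indexing
        host = urlparse(urljoin(page_url, href)).hostname or ""
        if host not in trusted:
            label = f"{rel}[{hreflang}]" if hreflang else rel
            findings.append((label, "points off-site", host))
    return findings


# Constructed sample: a page whose template has been tampered with.
SAMPLE = """<html><head>
<link rel="canonical" href="https://www.example.com/widgets">
<link rel="amphtml" href="https://amp.attacker.example/widgets">
<link rel="alternate" hreflang="de" href="https://de.attacker.example/widgets">
<link rel="alternate" type="application/rss+xml" href="/feed.xml">
<link rel="manifest" href="/manifest.json">
</head><body></body></html>"""
```

Because the article notes such injections may be cloaked from the site owner, the audit is most useful when run against HTML fetched the way a crawler would receive it, not only against the source template.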

GDPR complaints as a service. This will almost certainly be a problem in Europe. The attack would work by seeking out ranking pages that contain a person’s name and then fictitiously filing GDPR complaints in bulk, as an attempt to have the pages removed.

This is an extension of similar attacks that have existed for years in the U.S. with the Digital Millennium Copyright Act (DMCA), which were very successful up until quite recently.

User signals

Knowledge graph, rich snippets, reviews and other Google property listings. It is already possible to inundate Google-hosted features with negative reviews and incorrect information, which results in a waste of time for a webmaster. However, I can foresee a future where this is done far more aggressively, by renting the use of senior Google reviewer accounts to do a variety of things:

  • Marking business listings as closed (repeatedly).
  • Updating addresses to known spam addresses.
  • Updating website listings to point to a competitor.
  • Updating existing links to valid yet incorrect pages.

Google trusts its seniority process for making changes, and, like the Wikipedia editor community, once it is sufficiently infiltrated with bad actors, it becomes difficult to trust.

Third-party review sites (Serchen, G2 Crowd, etc.). This attack vector works in two different ways. First, having a significant number of bad reviews is problematic, as it currently reduces the amount of traffic that would originally come from such sites. Additionally, what will start to happen fairly soon is that we will see the most negative listings ranked with aggressive link spam.

Not only do people tend to pre-judge the quality of a service or product by relying on 3rd party reviews, but the more first-page rankings that are comprised of bad reviews, the more likely the target domain is going to be ignored and thus receive fewer clicks.

Mass flagging in Chrome. As Google relies more and more on its own products for user signal trust, attackers will also start to place more emphasis on those products to manipulate the signal. One such way has to do with reporting malware.

Currently, if enough malware websites are 301 redirected into a domain and are reported through Google’s general feedback form, there is a not insignificant chance the target domain will be listed with a malware warning. With Chrome the potential may even be higher, as an attacker could flag both the target and recipient domains of the malware redirect, at scale.

In my opinion, this would be exceptionally effective and likely result in the attacked domain being flagged and not viewable to the 80% of the web that uses Chrome browser by default. Technically, because this concept uses links, we could also include it in the previous section.

Junk traffic through AMP. High levels of junk traffic pushed through the accelerated mobile pages (AMP) version of a site are already used to mislead webmasters by providing a view of incorrect user intent, which results in wasted time optimizing for potentially incorrect pages, terms, and needs.

It has other negative impacts if continuously scaled: by purposefully sending bounce traffic through the non-AMP version and lingering traffic through AMP, an attacker can lead one to incorrectly assume AMP is a good solution (it isn’t). If an attacker were looking to accelerate the demonetization of a publisher site, this is one such method I expect we’ll see.

More sophisticated DDoS attacks. This tactic is almost certain to be employed and is based on triggering server-side local JavaScript and naturally slow pages due to expensive queries.

Hosts have emphasized improving CPU performance and the ability to auto-scale when traffic is high, using traffic as a proxy for determining server load. A more efficient attack will therefore evolve in which solving traffic-related DDoS won’t matter: the attack vector shifts toward slow server-side scripts and the database, repeatedly loading specific URLs which contain uncached SQL queries. The result is hung SQL queries and thus a slow, if not incapacitated, website.
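Because this pattern stays below traffic-based alarms, it shows up in access logs as a URL that accounts for few requests but most of the server's time. The following detection sketch is an added example, not the author's code; it assumes an access log in combined format with nginx's `$request_time` appended as the last field, and the thresholds and sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: combined-style line with nginx $request_time appended.
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \d+ ([\d.]+)$')


def slow_url_hotspots(lines, min_hits=5, slow_s=2.0, time_share=0.5):
    """Flag URLs that are slow on average and dominate total server time."""
    stats = defaultdict(lambda: {"hits": 0, "secs": 0.0, "clients": set()})
    total_secs = 0.0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, url, secs = m.group(1), m.group(2), float(m.group(3))
        entry = stats[url]
        entry["hits"] += 1
        entry["secs"] += secs
        entry["clients"].add(ip)
        total_secs += secs
    flagged = []
    for url, entry in stats.items():
        mean = entry["secs"] / entry["hits"]
        share = entry["secs"] / total_secs if total_secs else 0.0
        if entry["hits"] >= min_hits and mean >= slow_s and share >= time_share:
            flagged.append({"url": url, "hits": entry["hits"],
                            "mean_s": round(mean, 2),
                            "time_share": round(share, 2),
                            "clients": len(entry["clients"])})
    return sorted(flagged, key=lambda f: f["time_share"], reverse=True)


def sample_log():
    """Constructed log: 40 fast page views, 6 repeated hits on one slow URL."""
    ts = "[10/Oct/2018:13:55:36 +0000]"
    fast = [f'198.51.100.{i} - - {ts} "GET /products/{i} HTTP/1.1" 200 5120 0.040'
            for i in range(40)]
    slow = [f'203.0.113.{i % 2} - - {ts} '
            f'"GET /search?q=a&sort=price HTTP/1.1" 200 900 8.500'
            for i in range(6)]
    return fast + slow
```

In the constructed log the slow URL is only 6 of 46 requests, so a request-rate alarm stays quiet, while the time-share metric singles it out as a candidate for caching or rate limiting.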

Conclusion

This concludes our series on negative SEO. As we set out in the beginning, it is my hope that you now have a firm understanding of what it is, how it works, how to protect yourself, how to stop an attack, how to recover from it, and can now keep an eye to the future on what negative SEO may look like in the years to come. I would like to thank Andrew Evans for correcting my numerous grammar mishaps and Debra Mastaler for translating my search engine thoughts into human on a monthly basis.