December 08, 2006

"Rankjacking" - Monetizing website cracking via theft of PageRank

While there's been much discussion that the Google PageRank of websites can lead to lots of shady deals around buying and selling links, it's been less remarked that this also provides a way to profit from cracking a website. It used to be that most websites just weren't that interesting. The sites that take credit-cards for data are comparatively few, often use a third-party service for the billing transaction, and redirecting an order page to steal that information will be noticed quickly.

But every site has has its position in the recommendation social network, its ability to link, its Pagerank and "trust".

Thus, if a bad guy finds a security flaw in some website software, rather than being reduced to writing "d00dz rul3z!" on a page, which is not profitable, there's now a brand-new way to make money off the cracking: Insert links to boost another site's search engine results.

One "advantage" of this scam is that sites of non-profit organizations are likely to have a lot of rank and trust, but overworked and underpaid webmasters, which makes such sites a "sweet spot" for exploitation.

So obscure, "hidden" links inserted in various places are not likely to be noticed, and finding someone to fix the page won't set off the sort of red alert reaction involved in credit-card theft.

The United Nations Educational, Scientific and Cultural Organization, UNESCO has now been hit by this scam, as well as many other sites.

At this point, the actual cracker is unclear, and whether or not the link-receiving sites knew about the cracking or were unaware of the criminality. The cracker seems to have exploited a bug in some forum and link-cataloging software.

I mailed the UNESCO webmaster about their site being cracked, and there's now some attention to this particular event. But the general problem is likely to get worse, as the potential becomes more exploited.

By Seth Finkelstein | posted in google | on December 08, 2006 12:57 PM (Infothought permalink)
Seth Finkelstein's Infothought blog (Wikipedia, Google, censorware, and an inside view of net-politics) - Syndicate site (subscribe, RSS)

Subscribe with Bloglines      Subscribe in NewsGator Online  Google Reader or Homepage


What's weird is that that developer/ webmaster, even if we assume they're completely crooked & egoistic, also has incentive to keep the customer -- in this case UNESCO. As soon as UNESCO understands this issue they might fire whoeever's responsible (if still around). Maybe the chance to be uncovered will increase with coverage of some of these cases, raising awareness among organizations... just as many organizations had to learn that SEO's aren't always doing good, and need to be watched. Then the risk for the developer to hide links will increase as well.

Posted by: Philipp Lenssen at December 8, 2006 02:56 PM

How many people really get into their website's code once it's finished, unless they employ a webmaster? Many people pay for a website and update it with a content manager, without ever viewing the source code. And even if they did, they probably wouldn't know what to look for anyway. The web is a paradise for "crackers," and something must be done.

Posted by: Jason McElwaine at December 10, 2006 04:51 AM