The negative SEO canonical hack is a malicious attack that involves content scraping and the canonical tag, and consists of three main components: a target website (the victim), a middleman website and a destination website (the assumed culprit).
Our Experience with the Negative SEO Canonical Hack
They then checked the cache Google had for the middleman website that was being shown in the SERP, and it showed our client’s HTML and CSS minus some images and other assets that didn’t carry over in the scrape.
We checked Google Analytics to see traffic data and came across this:
At this point we still weren’t sure why or how this was happening, so we checked Google Search Console for additional information and, sure enough, we discovered:
Now that we were aware of this, we decided to dig a bit deeper and found at least two other websites that had been hacked and were being used as middlemen in this attack on our client.
We still weren’t quite sure how Google had discovered these “new URLs,” so we decided to do some user-agent checking. This is where we uncovered that if any user-agent outside of Googlebot visited the middleman website, they would be redirected to the destination website. If Googlebot was the user-agent, no redirect occurred, and it crawled the hacked page and saw the hacked canonical tag.
Now, keep in mind that this had nothing to do with our client’s website in terms of being hacked. Their content had just been scraped: something tools can do fairly easily. And sure, you could argue that IP addresses could be blocked to prevent scraping, but that is only a temporary fix as new IPs can be bought fairly cheaply. Even if you were to monitor the IP addresses and user-agents coming into the website, it only takes one time for the scraper to get in and get the content it needs to place somewhere else.
In addition to the negative SEO canonical hack mentioned above, we also noticed a large number of spammy inbound links from the hacked website in our client’s backlink profile. The signals that these bad backlinks carry contributed to the drop in traffic and rankings, but they can be added to a disavow file and submitted to Google’s Disavow Links Tool to hopefully discredit those links.
How to Fix the Negative SEO Canonical Hack
There are a few things that can be done to try and rectify this. The chances that Google will address this openly are slim and it’s hard to get John Mueller’s attention with everyone out there asking various SEO-related questions, but you can submit questions to him through their Google Webmaster Hangout channel on YouTube. He is Google’s main customer-facing entity and is the best bet at getting some specific answers about this hack from Google. We also submitted this issue using their generic spam report and their malicious software report and reached out to PayPal since the destination website used that as a payment option. In addition, I personally reached out to the hacked websites as a courtesy to let them know what had happened and to let them know what they needed to do to secure their website:
- Use a malware scanner on the website.
- Use a third-party service to remove the malware from the website (or in house).
- Get an SSL certificate installed.
We were also contemplating reaching out to the hosting company (which has its own share of complaints) to let them know that one of their clients was engaging in this type of activity, but we don’t have direct proof that the destination URL was the hacker. They could have been another victim of this negative SEO attack, because even if the destination website was the hacker, the experience the user received between the three brands was completely different. The pages the users would have landed on at the destination website did not match what the original SERP listing showed, so why would you proceed to give your personal payment information to that website or be interested in the content when it was clear that something fishy was happening during the search experience? This was done purely to draw traffic away from our client, cause pages to get deindexed and ultimately hurt their business.
I am constantly amazed by the number of black hat tactics and negative SEO attacks that still work today, especially with all the effort Google has put into its algorithm. If something like this hack can potentially ruin the online presence of a business, why is it still working?
Our client wasn’t the only company to experience this, either. When we were trying to figure out what was happening, we came across a great article by Bill Hartzer that described exactly what our client was experiencing.
The bottom line is to be vigilant with your clients. Regularly monitor Google Analytics and Google Search Console and pay attention to the less important pages. Those pages can go under the radar for some time if they aren’t that important to the client and can be the entrance point for these types of attacks.
Are you the victim of a negative SEO attack? Share your experience in a comment below, and I’ll look into it with the rest of the Technical SEO team here at The Search Agency and let you know what we find!