Black Hat SEO: How hackers got interested in search engine rankings

Search Engine Optimisation is the trick to winning online revenue. What happens when hackers start going after the prize? Part one of a two-part series.


Search Engine Optimisation is the trick to winning online revenue. What happens when hackers start going after the prize? Part one of a two-part series.

David Naylor has been a search engine optimiser (SEO) for a decade, as long as almost anyone. About a year ago he received an unexpected phone call. "Apparently, you're one of the best black-hat SEOs in the world," a stranger said. Naylor laughed modestly, but it was true. Naylor's business was to game search engines using aggressive, some would say dubious, tactics in order to goose websites' rankings on search engines such as Google and thereby increase traffic to the sites. And he was extremely good at it.

Apparently, the caller was one of the best black-hat hackers in the world. He told Naylor that he was interested in the search engine optimisation (also abbreviated SEO) business, and the related search marketing business, which can be thought of as applied SEO, using it to drive traffic to a site where one sells ads and products.

Specifically, the hacker was interested in the money. The income is precariously unstable, but $10,000 months aren't uncommon for SEOs and search marketers. Six-figure months aren't unheard of, either.

The hacker also seemed deeply intrigued by the culture of openness, even pride, that inhabits the SEO community. Hackers are recruited by crime syndicates and labour to mask their identities; SEOs are hired by Fortune 500 companies and blog about the size of their checks from Google. The caller seemed interested in that kind of freedom.

So Naylor invited the hacker to meet him and 30 or so more SEOs at one of their informal conclaves. The next one was in Manchester, England (Naylor's from Yorkshire). They met up and slipped into a dim booth with full pints.

They talked for two hours. What Naylor remembers most from the conversation is this: "I said, 'I don't know how you guys monetise without getting caught.' And he said to me, 'That's why I came to you. You know how to monetise. I know how to not get caught'."

Naylor had already been thinking about that. He had seen what could happen - what has now started to happen - to SEO. The hacker's interest in SEO would be reciprocated, and the worlds would cross over. Naylor himself was cautiously curious about hacking tools that could cut down on the considerable grunt work SEO requires. What's more, at that time, SEOs had noticed that search companies were cracking down on black-hat SEO tactics. Hacking tools could help sidestep that problem, too. "In some ways," Naylor says, "it would have been easier to say, "Yeah, let's secretly break into servers, leverage cross-site scripting vulnerabilities to improve our rankings'" rather than do SEO the traditional way.

But Naylor didn't have an appetite for hacking. SEOs may have a less-defined code of business ethics than most, but it's a code nonetheless. They like to say that hackers break the law, while they merely break a search company's terms of service. "When I get caught, which I do, I get kicked off a search engine for a while," Naylor says. "When hackers get caught, they go to prison."

But now Naylor was thinking that distinction would fade. Eventually, SEO would become big business for bad guys, like spam and identity theft. It has already started. Al Gore's ecology blog was hacked late last year, but not for political reasons. It was hacked so that some guy marketing Xanax and Viagra could plant links to boost his search rankings.

Security researcher Jeremiah Grossman calls the phenomenon SEOwN3d!!1 - merging SEO with hackers' leetspeak slang for "hacked". It's a powerful merging of cultures and interests that has the ability to change the nature and value of search engines themselves.

Naylor opted out, retired from the black hat SEO business. He didn't want any part of whatever it was becoming.

"I never felt comfortable in that world," he says of hacking. "You look down the road and just see it's not something you can build a business on, a life on. All the things we used to do, it just seems easier to hire a hacker now. It's a little bit sad in a way."

Augurs of Search

Currently, the best way to find approximately what you need on the Internet is to submit an idea to a search engine and in return receive a list of links to sites related, somehow, to your idea.

Really, the only links that matter are the first five or so, because few people bother to scroll past what they first see; almost no one clicks to the second page of results or beyond. Website owners know this and therefore compete for the top spots. If a site does not rank highly, it is in some sense virtually nonexistent.

To determine who earns this prime real estate, search engine companies send small software programs called spiders (or crawlers or robots) to scuttle around the Internet and collect information about websites - their location, what words are on the page, what links lead to and leave from the site, and more. The spiders dump that information into mighty algorithms that reckon the sites' relevance and credibility. These algorithms are proprietary and somewhat mysterious; no one outside of the search companies knows precisely how they work. Some argue that even the search companies don't know exactly how they work anymore, because the algorithms are constantly changed and have become colossally complex. (Our "SEO Glossary" describes the basics of search engine optimisation.)

"Recommended For You"

Google begins penalising search 'over-optimisation' Microsoft to offer search engine optimisation in ASP.Net