Wednesday, April 21, 2010

Scam Constellations and Spam Link Architectures

Scams come in all shapes and sizes, even on the Internet. One thing that I've noticed while doing research for RescueTheWeb is that the scammers are persistent in inventing new architectures that meet their needs. This article is a brief survey of the scamming link architectures I've found.

When I talk about scamming architecture I'm referring to the link structure that scammers use to 1.) raise their Google Page Rank and 2.) draw you to their scam websites.

1. The Point Source Scam Site:In this architecture there is a single scam site that doesn't necessarily use hacking of other websites to create links to their scam site. The site is all alone and probably has low Google Page Ranking and doesn't show up too high is search results. There are probably not many of these types of scam sites since they would be hard to find and would have a low number of visitors.

2. The 2-tier Scam Architecture:
In this architecture there is a single scam site that uses hacking to disperse links around the Internet to point to their single scam site. This technique raises their Google Page Rank. Many times the website breaches are specially crafted to only be visible to Google/Yahoo!/Bing so that their page rank is raised without raising suspicion from the rightful website owner.

3. The 3-tier Scam Architecture:
In this architecture there a single scam site that uses two layers of hacked websites to cleverly raise the page rank and ensure they throw a large net to catch possible victims. This architecture is unique in that it uses a combination of redirects and links to bring the user to the goal scam site.

4. Another 3-tier Scam Architecture:
The problem with the previous architecture, from the scammers perspective, is that it requires the user to click on that first link. Typically, the link-based infections (that actually show links to the visitors) are a little sloppy and probably don't have a high click-through rate. To increase their click-through rate (which they appear to be watching based on how their URL's contain tracking parameters), the scammers have come up with scam search engines too. Typically they create faux-Google search engines where the scammer owns all the search results. This is very convenient for the scammer since they can direct the visitor anywhere they want.

To trick the visitors they use convenient keywords (bait) on the breached sites to pull in a high Google Page Rank, then when the visitor clicks on the Google link they are taken to the faux-Google (switch) which contains only links to scam businesses.

The transition from the real Google to the fake Google is nearly instant and probably not obvious to most users who will simply think it's a glitch and continue browsing.

To hide these fake Google's from direct access by search engine crawlers, and curious people, you can only view the fake Google results if you come at them from a link embedded in an infected website.

5. Scam Constellations:
As if this prior architecture wasn't good enough, the scammers wanted to make it robust to detection and shutdowns. Now scammers are creating constellations of scam sites that work together to direct visitors to their scam businesses. In the examples I've seen the names of the constellation scam sites are nearly identical with only one character changing between domain names. For example:,,, etc... One constellation had 24 nearly identical domain names within it.

These are the scam link architectures that I've recently seen on the Internet. There are probably many more. Please send me your observations, so we can add it to the RescueTheWeb analysis engine.


  1. I've seen several servers being hacked just for that reason. Remember the iframe javascript exploits that were, in some cases, spliced into the kernel? The majority of the servers were running cPanel. google for iframe exploit cPanel, something should come up.

  2. How do those kinds of sites (http : / / bartinotogaz . com / owewt / 517573 . php) with lots of self referencing links fit into such scams?

    They appear to be hacked websites, as the core domain has nothing to do with the php script runnign those and they appear in google tracked keywords ~15% of all results for not so common key words.


  3. These architectures are mostly used for search engine traffic. In the hacked page, they also seem to use 301 redirects to transfer the flow of page rank to the scam site.

    Read about it here

  4. Kaj, With respect to the bartinotogaz . com links. This appears to be part of a click fraud scheme where the perpetrator sets up lots of interlinked sites to raise the page rank of target pages that contain Google Ads. The goal is to get lots of clicks and make money from Google.

    The way I can see this pattern is by searching within Google for "". This search will show 300+ results of websites that link to If you look at some of these they all point to each other. Also, there is a site that lays on the edge of the mix called http:// commerciallender. www17. ireport. juridicosc. com. br/christiancommerciallenderloansinmcdonoughga/ which contains a Google Ad's javascript frame. However, in this case it looks like Google found them and shut them down since the Google Ad frame is no longer working.

    I agree this link architecture looks very ineffective, but it's still obviously there and an architecture doesn't mean it works. Hopefully there is an algorithm that can be generated to detect these low-quality link structures, so I can implement it in the RescueTheWeb analysis engine.

  5. Canny, I've seen the use of 301's too. However, I generalized them to the simple word 'redirect' in the above graphs. The redirects didn't always use 301's.

    Yes, these architectures are mostly about search engine results. However, one of the interesting finds was where page rank was used to bait the customer and then a redirect (located on a hacked site) was used to move the user to a fake Google. The redirect only showed up when the incoming click had a referer of This allowed only the incoming user to see the fake Google and not Google itself.