When I talk about scamming architecture I'm referring to the link structure that scammers use to 1.) raise their Google Page Rank and 2.) draw you to their scam websites.
1. The Point Source Scam Site:In this architecture there is a single scam site that doesn't necessarily use hacking of other websites to create links to their scam site. The site is all alone and probably has low Google Page Ranking and doesn't show up too high is search results. There are probably not many of these types of scam sites since they would be hard to find and would have a low number of visitors.
2. The 2-tier Scam Architecture:
In this architecture there is a single scam site that uses hacking to disperse links around the Internet to point to their single scam site. This technique raises their Google Page Rank. Many times the website breaches are specially crafted to only be visible to Google/Yahoo!/Bing so that their page rank is raised without raising suspicion from the rightful website owner.
3. The 3-tier Scam Architecture:
In this architecture there a single scam site that uses two layers of hacked websites to cleverly raise the page rank and ensure they throw a large net to catch possible victims. This architecture is unique in that it uses a combination of redirects and links to bring the user to the goal scam site.
4. Another 3-tier Scam Architecture:
The problem with the previous architecture, from the scammers perspective, is that it requires the user to click on that first link. Typically, the link-based infections (that actually show links to the visitors) are a little sloppy and probably don't have a high click-through rate. To increase their click-through rate (which they appear to be watching based on how their URL's contain tracking parameters), the scammers have come up with scam search engines too. Typically they create faux-Google search engines where the scammer owns all the search results. This is very convenient for the scammer since they can direct the visitor anywhere they want.
To trick the visitors they use convenient keywords (bait) on the breached sites to pull in a high Google Page Rank, then when the visitor clicks on the Google link they are taken to the faux-Google (switch) which contains only links to scam businesses.
The transition from the real Google to the fake Google is nearly instant and probably not obvious to most users who will simply think it's a glitch and continue browsing.
To hide these fake Google's from direct access by search engine crawlers, and curious people, you can only view the fake Google results if you come at them from a link embedded in an infected website.
5. Scam Constellations:
As if this prior architecture wasn't good enough, the scammers wanted to make it robust to detection and shutdowns. Now scammers are creating constellations of scam sites that work together to direct visitors to their scam businesses. In the examples I've seen the names of the constellation scam sites are nearly identical with only one character changing between domain names. For example: ggooglea.com, ggoogleb.com, ggooglec.com, etc... One constellation had 24 nearly identical domain names within it.
These are the scam link architectures that I've recently seen on the Internet. There are probably many more. Please send me your observations, so we can add it to the RescueTheWeb analysis engine.
