How Open Site Explorer’s ‘Just Discovered Tab’ Uncovered 884 Hacked Websites

Note: I’m not sure if this is a new exploit or not, WordPress security was made aware of my findings before this post.

Late yesterday afternoon I got a tweet from David Higgens that Penguin 2.0 had rolled out.

I had been in a dinner meeting pitching one of my side projects, but I got home as quickly as I could to see what the new SERPs looked like. One of my favorite SERPs to watch in the last year or so has been the keyword ‘Payday Loans.’ As my research progressed into the night on this keyword set, I noticed one website that shouldn’t have been ranking at all, but was ranking in nearly every geographic locale I tested for ‘payday loans.’ I tweeted about it in frustration.

My friend and colleague, Steve Hammer, was quick to point out that one of the websites linking to them was a band that was hacked.

A quick Google site search and view of the source code proved this to be true. The code for the hack uses the style tag to hide the link within the website’s design scheme so it’s not visually detectable. This made explaining the hacking situation a little more difficult when I contacted the band.


The band’s website has payday loan terms appearing in a Google search.


Steve used Majestic SEO to find the hacked website. I went there first to start looking at the data. Majestic showed over 10,000 linking root domains, all seemingly from the last two weeks. That’s a lot for a payday loan website. I wanted to dig deeper, but I couldn’t create a report, as I’m not on a higher subscription plan or the domain owner. Still, the data from Majestic had me curious as to what I would find.


This chart shows the massive link volume in just the past few weeks, with it really ramping up just days ago.

Based on Rand Fishkin’s tweet, I decided to use Open Site Explorer’s new ‘Just Discovered’ tab to investigate further.

At first glance, Open Site Explorer (OSE) showed no metrics, no Domain Authority, etc., so I wasn’t too positive about the data I would get on the Just Discovered links tab. I was surprised to find over 5,000 links. This is nowhere near the 634,000 links that Majestic stated they have, but it should be a good enough sample size to find out how this website is ranking.


Don’t be surprised if OSE shows no metrics, but has tons of links to show.

I spot checked a few pages listed, such as a car dealer in Kansas, a marketing firm in Houston, and a culinary website in Atlanta, and they all had the same code inserted in them with the link to the domain in question. They were also all disguised to hide on the page. Most of the websites in the list have the exact match ‘payday loans’ anchor text.
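As an added example (not code from the original post), here is a defender-side check that automates the spot check just described: it parses a page’s HTML and reports links to other domains that sit inside an element hidden by an inline `style` attribute or the `hidden` attribute, the concealment described for the injected links above. The site host, the sample page and the placeholder domains are constructed for the example; links hidden by an external stylesheet or by JavaScript are out of scope.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style values that make an element invisible or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.IGNORECASE)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}  # never closed

class HiddenLinkScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # per open element: is it (or an ancestor) hidden?
        self.link = None     # the <a> currently being read
        self.findings = []   # (target domain, anchor text) per hidden off-site link

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = ((self.stack[-1] if self.stack else False) or "hidden" in a
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        if tag not in VOID_TAGS:
            self.stack.append(hidden)
        if tag == "a" and a.get("href"):
            self.link = {"href": a["href"], "hidden": hidden, "text": ""}

    def handle_data(self, data):
        if self.link is not None:
            self.link["text"] += data

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()
        if tag == "a" and self.link is not None:
            host = urlparse(self.link["href"]).netloc.lower()
            if self.link["hidden"] and host and host != self.site_host:
                self.findings.append((host, self.link["text"].strip()))
            self.link = None

def find_hidden_links(html, site_host):
    """Return [(domain, anchor_text)] for hidden links leaving site_host."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: a normal nav link plus an injected off-screen block.
SAMPLE_HTML = """<html><body><div class="nav"><a href="https://band.example/tour">Tour</a></div>
<div style="position:absolute; left:-9999px"><a href="http://loans-placeholder.example/">payday loans</a></div>
</body></html>"""
```

Running `find_hidden_links(SAMPLE_HTML, "band.example")` over the page source of each domain in an exported link list surfaces the hidden off-site anchors without having to read each page by hand.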

It was obvious that a pretty big hacking had occurred, but I wasn’t sure just how big. After exporting the data, I asked my co-worker Andrey Zavyalov, our resident Excel Ninja, to filter out the duplicate domains in the spreadsheet to see just how many websites had been compromised to link to this website. Out of the more than 5,000 links he found, 884 unique domains had been compromised. What is more shocking is that all of them appear to be on WordPress. That’s 884 unique domains out of more than 5,000 links.

Majestic SEO counted 10,000 linking root domains, which could mean that if this website’s modus operandi is to hack for links (and that’s very likely), then there is a high probability that there are 10,000 websites out there hacked and providing link juice to this website (and probably a different one in the near future). I am not certain whether this hack occurred on the newest version of WordPress; however, some of the websites I checked had a Meta Generator tag that showed the latest WordPress version of 3.5.1, which is a good indicator to me that this is a new exploit. Hopefully, WordPress gets it plugged up soon.

Side Note: We’ve checked our clients’ WordPress websites and have not found evidence of hacking, so you’re all good.

Sadly, this is a story that will play out time and time again: opportunistic individuals in a vertical abusing and hacking other websites for immediate rankings with a throwaway website. Matt Cutts announced in a video a few days ago that some verticals like payday loans would end up getting some special treatment from Google, which hopefully will lead to future solutions for these kinds of issues.

Here is an alphabetized list of the 884 domains that we found to be compromised. I’ll probably take this list down in time, but I wanted to provide it in case your website was hacked or you know someone who was affected. Please help me get the word out to them to remove the injected code on their site. Note: we do not endorse or condone any of the content on the following websites. Visit them at your own risk.