Anatomy of a Negative SEO Attack 💣

Written by and published



Ever wonder what a negative SEO attack looks like? Perhaps you’re seeing some strange new links, and wonder if you, in fact, are under attack? Over the past few years, I’ve seen a number of clients come under attack from negative SEO tactics…with varying results.

Read on as we tear into a few of them and show you what to look for….and what to do about it.

Have you experienced a negative SEO attack?
Photo courtesy Ralf Steinberger on Flicker.

What is negative SEO?

Google has been assessing ranking penalties, both manual and algorithmic, for some time now. Most of the penalties I’ve seen have been link-related: either anchor text keyword over-optimization (usually algorithmic these days), or just plain too-many-toxic-links types of penalties (both algorithmic and manual).

Building good, authentic, strong links is hard…just like real marketing and PR is hard. But instead of doing all that pesky real company stuff, Wil Reynolds always talks about strengthening your own backlink profile, why not just get a bunch of crappy links pointed at your competition and knock them off page 1 with a penalty?

Heck, you can get over half a million crappy links for your competitor on Fiverr for FIVE BUCKS.

This is the sort of technique that requires very little effort, very little money, and little respect for the ethical.

But does it actually work?

As of Penguin 4.0, Google says they ignore those sorts of links. I suspect that’s mostly true; the kinds of links you’d get for your $5 are probably going to be pretty easy to detect. And so hold on to your $5…it’s probably not going to affect that competitor’s site.

But think about it…if Google was now just ignoring ALL bad links, then there wouldn’t be any more penalties at all, right? Not so…

About 3 years ago, I saw two cases of negative SEO happening in the same month. Two different clients: one with fitness centers in Singapore, and another in the insurance industry in the western USA. Both were getting links from the exact same set of domains, the same week…dozens and dozens each day. The domains linking to them were penalized. This was pretty easy to spot, and I suspect Google would find and ignore those links today. Back then, their rankings tanked till we disavowed those links.

Today, the negative SEO attackers are much more sophisticated and are trying a wide range of tactics, which we’ll go into shortly.

Does it actually work today? To be honest, most of the time, Google seems to be ignoring at least enough of the nasty toxic links that the victim’s site does not suffer a penalty. However, one of my clients whose attack started in November 2017 definitely saw a massive drop in rankings. Their rankings didn’t recover until we had found and disavowed a ton of links–including a huge number of non-active links (either the page was 404ing, or the domain was not found or returning a 502).

Paul Madden, from Kerboo (makers of the backlinks analysis tool, LinkRisk) has this to say:

“At Kerboo we have seen an increase in customers suspecting Negative SEO attacks as our system helps flag up the new links and their risk. In general most of these have an innocent explanation but we have seen quite a number of genuine attempts aiming to impact a site’s rankings and in some cases, these appear to have worked.

I tend to agree that nowadays because Google aims to ignore the types of links typically used in a negative SEO attack, it’s harder to successfully damage a sites ranking through bad links. It is true however that Google are not nearly as good at ignoring everything as they believe and so the only sensible route for a site owner is to put in place a system where they can check newly appearing links and disavow anything that appears to be malicious at the time that it appears.”

It appears that someone is actually trying negative SEO on my consulting site right now, but so far all it’s managed to do is make me rank #1 for “seo consultant”! But it’s a giant pile of crap links, which will eventually hurt me, so I’m going to disavow them.

How do you know it’s negative SEO?

Well, often you don’t. There are a ton of people “experimenting” out there all the time, scraping other sites, manufacturing content, building little link farms, etc. Oftentimes they’ll build pages by either scraping search results, scraping news sites, etc. and you’ll get links that were originally in legitimate places copied and placed on their crappy pages. You’re just collateral damage in their attempts to mess with Google and make AdSense money, sell replica watches, generate affiliate sales, or whatever their little scam is.

Regardless of their intent, they’re creating nasty spammy links to YOUR website, and there’s a good chance that some of those links are NOT being ignored by Google. If there’s enough of them, you could very well draw a penalty.

As well, there are some SEOs (me, for instance) who believe that a backlink profile that’s really heavily weighted towards the near-zero value end of the page authority/domain authority spectrum is a pretty negative signal to Google in terms of the trustworthiness of your site.

How to Respond to Link Spam

Responding to Negative SEO

I’m seeing a big shift in how they attack. It used to be more long-term: the attacker would find (or build) penalized sites, place links on those sites, and just let it cook forever.

Problem is, if the victim is proactive, and knows they’re under attack, they’ll use tools like Kerboo LinkRisk, Moz Pro’s Spam Score, Link Detox, etc. to analyze their profiles and disavow the craptastic stuff.

If you got YOURSELF into a penalty, you’d use these sorts of tools to find your naughty links, get toxic ones removed, disavow the ones you couldn’t, and get any paid links you wanted to keep nofollowed.

Once a link is gone, it can’t hurt you, right?

It probably can. Here’s what seems to happen:

  • Google crawls a page with a link on it on some other site
  • The page starts to 404, or maybe the site starts returning a 500 or 502 error
  • In general, when this happens, Google (rightly, I say) thinks that the problem is probably temporary, and eventually, the page will be fixed…and until then, it can think about the page as if it has the same content on it that it saw last time it successfully fetched the page.

This is a really great way for Google to handle the everyday little problems, site downtime, etc. that we webmasters all suffer through. Unless it’s a REALLY long-lasting problem, that’s a reasonable way to handle it, and doesn’t cause all sorts of oscillations in rankings etc., both for the page that’s down and for the pages it links to. And in the case where…let’s say, a newspaper has a great story about your company (with a nice link to your site), and eventually archives the story or hides it behind a paywall, you still get the benefit of that link juice for many months. I’m not being facetious when I say that’s a good approach (ok, deleting old stories on a newspaper site, that’s another GRRRRR story).

Here’s what I’m seeing the negative SEO folks do to take advantage of this:

  • They build a super-toxic page that Google will want to penalize.
  • They leave the page up long enough for Google to crawl it and count (badly) the link from it to the victim’s site.
  • They shut the page down, so that the link analysis tools all ignore it (link’s gone…all good now, right?).

I’m seeing them try a bunch of different tactics for shutting the page down:

  • Switch the link to a nofollow (that seemed to be tried briefly, then stopped…probably because Google recrawls the page then ignores the bad link)
  • Delete the page so it 404s
  • Make the entire domain return a 502 Bad Gateway error

The last one is what I’m seeing the most of these days, probably because with the entire site being down, it’s tougher for any backlink tool to score the domain for spam, so they’re hoping you’re going to ignore it. If the page just 404s, it’s easy to see the domain’s spam scores in the Moz Pro Toolbar. A dead page from a site that’s getting 11/17 spam score? I’m gonna disavow the domain.

I’ve heard of spammers cloaking for Googlebot, so that ONLY Googlebot sees the live page, and all other user agents (regular browsers, link analysis tools, etc.) see a 500 error or a 404, but I haven’t seen this in any of the links I’ve looked at. At John Mueller’s suggestion, I’ve used the external mobile usability test tool to see if Googlebot could fetch these URLs, but so far all that I’ve looked at have returned 502s for both Googlebot and my other tools.

To make it even tougher to spot with tools, I’m seeing the attackers turn on and turn off domains really, really quickly…they’re hoping (I think) before the link analysis tools get any data on the domain, so it just looks like a weak domain. No nasty spam score in the toolbar.

How do the attackers try and get Google to hate their links?

I’m seeing a bunch of tactics here. They range from building obvious giant link farms on the same IP address to building porn or blog comment spam links to their own domains, to stuffing their pages full of porn or illegal drug terms. If Google says they don’t like something, the spammers fill their site with everything google hates both onpage and offpage to make their site as toxic as possible.

How to Read Patterns for Potential Toxicity

There’s a bunch of patterns I’ve been looking for. I’ll dive into some examples. One thing I’ve noticed is a heavy use of the following TLDs. If you’re seeing links from sites with these TLDs in your backlink profile, take a look at the site itself and see if it looks legit:

  • .club
  • .press
  • .site
  • .stream
  • .ga
  • .gq
  • .tk
  • .info
  • .xyz

Does having one of the above domains automatically indicate it’s spam or a negative SEO attack? No…but I can count the number of legit sites using those TLDs that I’ve seen in the past year on one hand.

Wiring diagrams

I’ve seen a ton of sites, with all sorts of crazy domain names, with the folder part of the URL being wiring-diagram or something similar. The layout is identical, with a lot of content, and an interstitial popup. They appear to be scraping images from the victim’s sites. Here’s one example.

Fake diagram sites

Crack injection

I’ve seen this with the word “crack” and also with various porn terms used. They seem to scrape a news site, and inject the nasty word in a few dozen places in the page. They scrape the logo of the legit news site as well…to avoid tainting a perfectly good, non-fake-news publication, I scrolled the logo out of view before taking this screen shot:

Injection of crack or porn words into a scraped news page

Fake business directories

Fake business directories are all the rage in negative SEO attacks

Looks legit, right? Check out the domain name. Every instance I’ve seen of this technique had a different domain name. One huge series all looked exactly like this; another has an American flag image at top left, and has a heading with “US” or a state name on each page.

G-crap

This is a series of sites that look like directories or maybe search engines. All using the same awful green background, all with a domain name starting with a G, all with a very similar logo. And all with links to their Facebook and Twitter profiles. All of which are suspended.

World's ugliest logo designer at work in negative SEO

Alphabet soup SEO directories

These all look like your typical spammy SEO directory, all with the same font, all with the same menu. The domain names are alphabet soup. This one’s a nice plain grey, but these ones tend to have a single bold color that’s a cross between OMG what did you feed the baby and gee, the eggplant’s way past its expiration date.

Lazy alphabet soup negative SEO directory

Water Damage Psychic Hotline

This is my favorite. There’s a series of logos, mostly related to water damage or renovation, with a super simple black and white theme. And the Contact us page (shown) tells you how to connected to gifted psychic advisors. Yeah…

Water damage restoration plus psychic hotline means negative SEO at work

Who’s behind the attack?

Good question. I stopped checking domain registrations after the first few dozen all came back with hidden registration info, registered in Panama.

But I’d expect that the attacker that the competitors hired would be offshore. If somehow they got busted by the victim, it’s going to be nearly impossible to take any meaningful legal action, and nearly impossible to force the attacker to give up the identity of the slimebags who hired them.

How to Respond to an SEO Attack

Apart from satisfying your own paranoid suspicions, it really doesn’t matter if you’re deliberately being attacked. You’re unlikely to be able to take any meaningful action against the other company, since finding evidence as to who it is is going to be really difficult.

I have a client who’s getting a handful of these kinds of links recently, but not enough that I think it’s an attack on them at the moment. I think this particular client is just collateral damage in an attack on someone else, and pages with their info are getting scraped up along with whatever else the attacker is using to build out their spammy pages.

I have another client who’s a local business, and they have 4 major competitors. Analyzing the backlinks to those competitors, there’s a TON of overlap in the bad links to 3 out of the 5 competitors. The other two: one has just a half-dozen really bad links, and the other has about 20 really nasty Russian porn sites linking to them. Here, most likely what’s happened is that the bad dog in the bunch has built (and immediately disavowed, of course) a handful of links to their own site as well, so they don’t look super-guilty.

So what do you do? Most of those spammy links are going to be ignored by Google, but which ones? The simple solution is just to disavow all the ones that are clearly crap, REGARDLESS OF THE LINK STATUS.

So:

  • Disavow the toxic domains that are still active (of course!)
  • Disavow the dead domains (either DNS lookup fails, or site returns a 500/502 error)
  • Disavow the domains where the links have “dropped off” the page
  • Disavow the domains where the links are nofollowed

Why disavow domains where the links are nofollowed? Shouldn’t those be ignored by Google anyways? Probably…but I believe I’ve seen a case where a client’s site had a keyword-specific algorithmic penalty caused by a ton of blog comment spam links with that anchor text. If the links were ignored anyways, then disavowing won’t hurt anything.

Then, review your new backlinks again each week, until the nastiness seems to stop. Just keep adding those links to the disavow file.

As a Raven Tools editorial note, we’ve seen webmasters identify competitors attacking their site with toxic links. The webmaster attempted to start a dialogue to get it to stop. When that failed, we’ve seen webmasters live by the eye-for-an-eye approach. We don’t recommend attacking others, but just know that you have a variety of options when facing negative SEO spam attacks. Negative SEO is literally attempting to harm the livelihood of innocent marketers and business owners. Its unacceptable and hopefully Google will learn how to ignore more and more valueless links so negative SEO can be a thing of the past.