7 September 2022
During the first week of August 2022, Rappler.com released an investigation of how toxic backlinks and spammy domains had been used since late 2021 to sabotage Rappler’s ranking online.
Qurium got access to the list of 5,000 URLs that contained suspicious backlinks to Rappler’s articles and other assets, such as images, and decided to try to identify who were behind some of those malicious domains.
We started by clustering the domains based on several infrastructure fingerprints including:
- Domain registration information
- Website hosting infrastructure
- DNS information including historical data
We managed to cluster 93% of the URLs into 16 categories. A big part of the malicious websites are hosted inside of services provided inside Google’s infrastructure (blogspot, firebaseapp, web.app etc). Another group of sites including toxic backlinks is formed by publishing services that have been abused (typepad, weebly, etc).
| 2776 | blogspot.com | 59.48% |
| 591 | firebaseapp.com | 12.66% |
| 446 | netlify.app | 9.56% |
| 271 | Behind_Cloudflare | 5.81% |
| 151 | 78.69.18.135_The_Globe.net | 3.24% |
| 144 | web.app (firebase) | 3.09% |
| 55 | 209.145.48.249_consciousbreathing.net (likely hacked domain @CF) | 1.18% |
| 49 | typepad.com | 1.05% |
| 35 | 213.202.241.219_thermodynamic1992_yandex | 0.75% |
| 30 | weebly.com | 0.64% |
| 30 | injesus.com_multiplesubdomains | 0.64% |
| 26 | appspot.com | 0.56% |
| 20 | 142.250.200.83_blogspot.com | 0.43% |
| 19 | wordpress.com | 0.41% |
| 17 | booklikes.com_free4reviews | 0.36% |
| 7 | vercel-dns.com_freetrial | 0.15% |
| 4667 |
We decided to ignore all domains hosted with Google to focus our analysis on clusters we could attribute directly to abusers. We identified some interesting clusters of bad SEO activity:
- Booklikes: a platform to make reviews of books and abused to create backlinks
- Injesus: a faith-based social media platform. Likely abused to create free subdomains.
- Vercel: free hosting. Likely abused.
- The Globe: A bad-SEO network?
The Globe
One specific cluster caught our attention as we linked more than 150 domains to “theglobe{.}net”. The Globe operates as an “advertisement” company where clients buy “backlinks” from hundreds of domain names or pay for the links to get removed. Yes, you heard right! The Globe charges for removing their toxic backlinks too!
The Globe is run by Jan Richard Genmar (49y) from Sweden.
At the time of this writing, only Paypal is offered as payment platform.
The 150+ websites with toxic backlinks are all hosted at 78.69.18{.}135 inside Telia infrastructure.
Abusing blogspot to amplify The Globe
During the investigation we also discovered that several blogspot.com websites are designed to advertise (backlink) to domains controlled by The Globe. In this example the domain strictlytechnology{.}blogspot.com includes the link “Add Link Web Directory” that points to hxxp://add-link.us/phpld/. The domain add-link{.}us is run by “The Globe”
The “Blogars” cluster
Another interesting cluster of domains used for black SEO is located in the IP address 142.147.105{.}19. We managed to identify more than 20 domains that offer a light-Wordpress with open registration. The sites are used for black SEO operations including toxic backlinking.
In the “Blogars” cluster we found several websites with backlinks to “The Globe” as riverfsepb{.}blogars.com
Backlinking to theglobe{.}net is so present that Ahrefs has indexed more than 10 Million backlinks to this domain alone.
How did we find the domains used for black SEO hosted at 142.147.105{.}19? During our research we found that the comments of a CNN blog “thechart{.}blogs.cnn.com” was abused by a spammer.
We looked into the domains used in the spam comment and bingo!
ageeksblog{.}com
atualblog{.}com
blog2news{.}com
blog-a-story{.}com
blogdemls{.}com
bloggadores{.}com
blogproducer{.}com
blogsidea{.}com
blogsmine{.}com
csublogs{.}com
daneblogger{.}com
idblogmaker{.}com
idblogz{.}com
imblogs{.}net
jts-blog{.}com
laowaiblog{.}com
qowap{.}com
rimmablog{.}com
vidublog{.}com
worldblogged{.}com
