Dixons Stores Group - Mass Spamming Engines

32 comments
SECURITY UPDATE: Are Dixon's Dirty Spammers ?

UPDATE

It became apparent during the discussion of this "SEO done badly" saga that a bad piece of SEO can give rise to horrendous security problems.

The script that I originally identified as a bad SEO tool took a parameter in the URL as the keywords for which a page should be generated.

Unfortunately this was not only a poorly conceived SEO campaign but also a dangerous one: the script itself was terribly written and neither checked nor validated its input. This means that a carefully constructed URL would allow cross-site scripting attacks to take place.

A hypothetical situation (that may already have taken place) is one where you receive an email purporting to be from The Link, offering an amazing deal on a cutting-edge mobile phone. You simply click the link in the email and off you go to buy that great phone at a great price.

But as you are a clever, savvy and intelligent person, you decide to undertake some good basic security checks to make sure that you are not the victim of a phishing attack. You check the URL and see that it is indeed within the legitimate www.thelink.com site.

Because you have checked and verified the authenticity of the link, you proceed to the site and fill in your name, address, credit card and CVV number, along with your mother's maiden name and date of birth "as a security measure".

Unfortunately the browser has had the contents of its document object model rewritten: although the browser says you are on a page at www.thelink.com, and indeed you are, the content is being served by some nefarious rogue intent on stealing your identity and your credit card details.
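As an added example (not code from the original post, and not DSG's script), here is a Python sketch of the flaw the update describes beside a hardened version. The keyword parameter is dropped straight into the generated page, so any markup carried in the URL becomes part of the page; the fix validates the parameter against an allowlist and HTML-encodes it on output. The parameter name and the page template are assumptions; the test URL is the one a member posts later in this thread.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed parameter name: the real script's parameter is not named on the page.
PARAM = "mobile-phone-type"

# Allowlist for a keyword phrase: letters, digits, spaces and hyphens only, max 60 chars.
KEYWORD_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{0,59}")


def keywords_from_url(url: str) -> str:
    """Pull the keyword parameter out of a full URL, decoded as the server would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(PARAM, [""])[0]


def render_vulnerable(keywords: str) -> str:
    """The flaw the post describes: the parameter is dropped straight into the markup.
    Whatever tags or script the URL carried become part of the page (reflected XSS)."""
    return f"<h1>{keywords}</h1><p>At The Link, {keywords} are easy...</p>"


def render_encoded_only(keywords: str) -> str:
    """Output encoding alone: every character HTML can interpret is escaped,
    so the browser shows the payload as text instead of parsing it as markup."""
    safe = html.escape(keywords, quote=True)
    return f"<h1>{safe}</h1><p>At The Link, {safe} are easy...</p>"


def validate_keywords(keywords: str) -> bool:
    """Input validation: reject anything outside the allowlist."""
    return KEYWORD_RE.fullmatch(keywords) is not None


def render_hardened(keywords: str):
    """Validate first, then encode on output anyway (defence in depth).
    Returns an (HTTP status, body) pair."""
    if not validate_keywords(keywords):
        return 400, "<h1>Bad request</h1>"
    return 200, render_encoded_only(keywords)


if __name__ == "__main__":
    # The URL posted in this thread, which carried a link tag in the parameter.
    url = ("http://www.thelink.com/link/the-link/link-mobile-phones.php"
           "?mobile-phone-type=%3Ca%20href='http://google.com'%20%3EClick%3C/a%3E")
    kw = keywords_from_url(url)
    print("decoded parameter :", kw)
    print("vulnerable output :", render_vulnerable(kw))
    print("encoded output    :", render_encoded_only(kw))
    print("hardened output   :", render_hardened(kw))
    print("benign keyword    :", render_hardened("half price line rental"))
```

The allowlist does double duty: besides blocking markup, it stops the page generator from producing a page for any phrase whatsoever, which is what let people add their own phrases to the site. Encoding on output is kept even after validation so that a later loosening of the allowlist cannot quietly reintroduce the injection.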

Thankfully and sensibly, the Dixons Group have taken this page off their site, but the question has to be asked: why on earth was a company like DSG, with the greatest brand in electronics in the UK, undertaking terribly conceived and dangerously implemented attempts at SEO that may well have cost many people lots of money and hassle by opening them up to potential fraud?

As the page has now been taken down, I have included below links to some of the screenshots that Threadwatch members have taken (thanks ChrisG).

Dixons spam image 1
Dixons spam image 2
Dixons spam image 3

Original Post

Much has been spoken about search engine spam. Google, Yahoo, and MSN all make their guidelines publicly available for anyone to see what is seen as acceptable (and what is not) in trying to optimise your site.

Anyone who operates outside the scope of those guidelines is effectively a search engine spammer: someone who is trying to raise their site's profile in the engines using techniques the engines themselves would prefer you didn't use.

Now, just because the search engines say they don't want you to do it doesn't mean some techniques don't work in increasing your search visibility. Many webmasters the world over undertake tactics that the engines would prefer they didn't, yet they still see an increase in their rankings because of it. Almost all of these webmasters understand that if they "live by the sword, then they die by it": the site could be detected at any point in time and banned by the search engines forever.

Dixons Group PLC, a publicly traded company on the London Stock Exchange, is the largest electronics retailer in the UK. It also has operations in other countries in Europe.

Dixons Group has more than 1,400 stores across the UK, Ireland, the Nordic countries, France, Spain, Italy, Hungary, Czech Republic and Greece.

It trades as Dixons, Currys, PC World and The Link in the UK and Ireland, Elkjøp in the Nordic countries, PC City in Spain, France, Italy and Sweden, UniEuro in Italy, Electro World in Hungary and the Czech Republic and Kotsovolos in Greece.

The Group specialises in the sale of high technology consumer electronics, personal computers, domestic appliances, photographic equipment, communication products and related financial and after sales services.

As a company they aren't doing too badly

Dixons' main business is in the UK, where they operate a few brands.

Whilst looking for a new Nokia 8800 mobile phone to buy (hey I am a Chav!) I stumbled across some shady spamming from The Link. It seems that Dixons Group think that their Link Store is a dirty spammer's den!

Upon further investigation it seems that every one of Dixons' UK websites has undertaken spam techniques the engines would not be happy with. Unfortunately for Dixons, though, whoever undertook them on their behalf either has extremely large balls or is very silly indeed.

Dixons Group I have some tips for you.

I do not suggest you identify your SEO efforts quite so blatantly.

Dixons.co.uk
Currys.co.uk
TheLink.com
PCWorld.co.uk

Think twice about how you use hidden links

I suggest that if you were to use hidden links (obviously not put there to help a human visitor navigate your site, but purely for a search engine), you deploy some IP-based delivery technology rather than CSS and JavaScript to stop humans seeing them once the browser has rendered the page.

Don't give away the opportunity to plead ignorance by stating in your code that certain pages are for spiders only:

tagVars +='&SESSIONVAR!CurrentPage=spider-page-half price line rental'
//-->

Don't give me the opportunity to say things like Expensive Useless Warranties on your site

And whilst you're at it, don't put light grey text links on a white background to these automated pages. At least use some IP delivery!

But most of all Dixons.......

Think twice before you undertake grey to black hat SEO, as I truly believe this is the case of a large company doing SEO badly.

Search engine optimisation is as much about understanding the risks to your search engine positions and your brand if it goes wrong as it is about knowing what works and what doesn't. Undertaking a dirty SEO campaign as you have done means you leave yourself open to being caught.

You're not a small company, you're not a stupid company, you're not a poor company. It appears that you have outsourced your optimisation either to a company specialising in PHP or to an in-house team, and they have been tasked with fixing the problems your session IDs and other "SE-unfriendly" parts of your site have caused.

With respect to whoever did the work, and with greater respect to whoever made the decision to sign it off, they either have balls of steel or are so ignorant of the goals and industry they wish to operate in that questions (from both a business and an SEO point of view) should be asked.

I phoned the DSG press office and spoke to Kelly and then Ruth of their Corporate Communications team; after waiting and not getting a phone call back I have decided to post this topic. I tried to give DSG the right to reply, but it seems other things were more pressing on their time.

Dixons, if you change your mind you know my number. I look forward to speaking with you.

Comments

Lots of fun adding your own phrases!

I like this one. Do a refresh and it generates new versions of the same theme:

sneaky search engine spam methods

Wow! A Black Hat Guarantee

If anything goes wrong with your sneaky search engine spam methods order, come back into any branch and we'll be happy to help.


So as it stands, when we're adding our own funny phrases, no-one will ever see them (I mean Link customers, not TW'ers)? That is unless you happen to copy the URL and paste it into the Google, Yahoo and MSN "add URL" forms. That would be wrong, wouldn't it?

Oh, and if you click on the links on the page, they'll be able to see that something is going wrong when they're getting this in their logs "http://www.thelink.com/?crap phones-offers"


Those pages (the links from here, MAKE them pages) will be indexed.


I should add a thank you to Jason for taking time out to post a great thread, and to phone them first - I'm not bothered about Dixons, but it's polite, ya know?

That's the type of post we need at TW now and again, a well thought out, serious bit of pseudo-journalism :)

Quick!

Call Ken McGaffin!

oh yeah...

...I did think about that. Do you imagine someone will be getting a P45 shortly for all this chaos?


No. If it makes it out of TW, then Google will either ban those specific pages, (rather than the whole site, as happens for us plebs) or ignore it entirely. After that, Dixons will call their Adwords rep, remove the stupid pages (or not, they don't always have to) and all will be well again.

I shouldn't think the SEO is in-house, though it's possible - P45, maybe, but I don't think so..

Brilliant catch Jason

Just for you
phones for chavs

need some extra backlinks ?

If you need some extra backlinks you can [url=http://www.thelink.com/link/the-link/link-mobile-phones.php?mobile-phone-type=%3Ca%20href='http://google.com'%20%3EClick%3C/a%3E]get them from there too[/url] haha..

[ my example goes to google ]

Arrrrghghgth!

Guys, please make your links links! Those huge URLs just mean I have to go edit them so they don't break the pages :)


Actually web professor that's bloody important. It's a huge security problem with XSS.

Try the following potentially dangerous (though safe atm) example.

Oops. Drupal and Nick are too clever by half - I can't give the example here.

I'll have to do this another way and explain the process. Think of the following.

The URL that you construct calls JavaScript that writes some further JavaScript to the page. The second JavaScript makes a call to a server under your control and returns some code to rewrite the DOM.

What you now potentially have is a page that is under the main domain of www.thelink.com and will be (and is) legitimately on the DSG server, with a DSG URL and domain, that could lead you to make a purchase entering credit card and other details.

If this was incorporated with a stupid price phishing email spam run for (let's say what I originally wanted) a Nokia 8800 imagine the credit card fraud that could occur from that!


Quote:
If you need some extra backlinks you can get them from there too haha..

LOL. Brings a whole new meaning to "at The Link its easy...."

Indeed Jason

You have access to all the cookie info for a start, can insert code to call home ... this is not just numpty SEO, it's a potential security disaster waiting to happen :OS

I am getting a 404 right now, anyone else?

404 here too. Well done DSG

404 here too.

Well done DSG for taking the page down. Do you have time to comment yet ?

Yeah Jason..

I already tested that too. I used javascript alerts in my example. I didn't post it because I didn't think anyone would appreciate clicking that link.


It now redirects to www.thelink.com

prepare for a lawsuit

Wouldn't be out of character for a corporation to slap you with a lawsuit for this.

bring it on..


Meta refresh?

"Refresh: 0;URL=HTTP://www.thelink.com"

You would think they would use a permanent to get some value out of those links we generously donated ;O)

I'm impressed

obviously someone noticed the strange referrals :)

Should have told that Phil Ringwhateva guy

... before they pulled it so he could see what real SE spam was.

Doesn't matter that they pulled it

Deed is done now ;O)

... or ...

Of course there's no chance that a Threadwatch reader was responsible ...


My mum could have been responsible.


Quote:
I'm impressed

obviously someone noticed the strange referrals :)

It might have helped that I phoned them hours before this story went live and kept phoning to get comments from them.

Still no word back. Come on DSG this is serious!

Rumour has it...

That there is a board meeting taking place right now...

btw, jason updated the original post - check it again..

probably

this is more to do with someone bright on the 'live chat' seeing strange referrals and asking someone also bright (enough to trackback, think "oh shit" and take the page down) on the web department what's happening.

I doubt that anyone actually went and asked someone at a level who's prepared to give an official comment at this stage, and they'll be home with their feet up by now.

Cache :

They were selling small children...

... on one of my forums the link had them selling small children. Dunno who could have posted such a terrible thing

Rebuilding the pages...

as static pages now.


As a slight side note, I still haven't found a Nokia 8800, as I got sidetracked with other things. Does anyone have some recommendations?
