Now that you know how to identify, prevent, stop and recover from a Negative SEO attack, here’s a look toward possible future threats you should arm yourself to fight.
Welcome to the final installment of the Negative SEO series! Before we get started on this look into the possible future, it is important to note that, as with any prognostication, this article is going to be heavily opinionated and will contain a fair amount of speculation.
I base my expectations about the future of SEO upon search trends that are currently only in their infancy, so it’s impossible to say whether they’ll continue on the same trajectory.
Additionally, I acknowledge that some of these new attack vectors might technically already exist, but they haven’t been tested by my team or by other credible researchers that I’m aware of.
The basis for the inclusion of such near-future attack vectors is to provide as much actionable information as possible (for an article about the future) and to avoid relying on too-far-out predictions.
The first point I would like to make is that what worked yesterday is likely to work tomorrow, and the next day, and the next, ad nauseam. So long as Google is relying on data to decide where to rank a site, it will be possible for that data to be viewed either positively or negatively.
Thus, the more reliant Google is on a signal, the more difficult it will be for them to completely nullify the effects of a bad actor attempting to attack you by manipulating the data underlying that signal. What we saw working in the earlier articles of this series should occupy most of your attention; the following is what I expect may come to pass in the next year or three.
In keeping with our practice of simplifying SEO into the buckets of content, links, and user signals, we are going to approach the future negative SEO attack vectors in the same manner.
Links
Social links from low-quality accounts. For the most part, social links don’t appear to directly impact rankings significantly, though they are useful for link discovery purposes.
In the future, however, Google may start to place a premium on who shares a link, especially with verified accounts; in this scenario, having links to your site shared out by known bot networks may result in an adverse reaction similar to the early link penalties related to bad web neighborhoods.
Seeking out toxicity. One tactic that bad actors sometimes use is to place outbound links on toxic websites, hoping to associate their targets with these known ill-reputed players.
Now that link tools like SEMrush / LinkResearchTools / Majestic and others make disavow files and other toxicity data available through their APIs, attackers could be more efficient in ensuring that time spent accruing bad links will yield a higher probability of resulting in a penalty. It’s only a matter of time before a bad actor syncs this data directly to their link spam tools for maximum effect.
Anonymous/fake press releases. Placing press release links, as a tactic, still works for positive SEO. What I have not yet seen in the wild and expect to see at some point is a fake news push via the press. If an attacker submitted a press release anonymously and purchased placement via cryptocurrencies, it would be relatively easy to either highlight negative news or make up a story that is potentially damaging, simultaneously using rich anchor text in the links back to the target domain.
Such a tactic would be harmful in two ways: first, it would potentially result in bad press ranking for key terms and second, the targeted anchor text may trip an algorithmic link penalty.
Using Google Assistant to do bad things. This is a favorite of mine, insofar as a potentially useful tool can be used for some truly awful things. In this example, it is already a simple process to determine the majority of a competitor’s links via one’s favorite link research tool; then those links can be parsed through a WHOIS service, as we described in a previous article.
Finally, the future part: Google Assistant, specifically the Duplex feature being released to some Pixel smartphones next month, could be used to mimic a human, calling and requesting link removals to the webmaster contacts, repeatedly. When this tactic starts, it will be extremely successful and damaging. (Google says Duplex will identify itself as a non-human, but it remains to be seen whether that can be overridden in some way.)
Content
Duplicate content served through proxies. This is an old tactic that I fear may return soon. The way the tactic works is that a proxy gateway site is set to index and effectively crawl a website, making and displaying a copy of it. The reason I fear it may come back is that Google appears to be making a concerted effort to focus more on entities and less on URLs.
URLs help us to distinguish real vs fake on the web, help us to understand underlying technologies being used, a site’s structure, and so much more. If Google ultimately moves to drop URLs as it has been recently suggested they’d like to do, one can expect this tactic to be extremely effective in robbing a site of its traffic via duplicated content that an attacker has set up.
Misused AMP. AMP can be misused in multiple ways to cause confusion among users and webmasters alike, but with regard to negative SEO, the simple method is to create an AMP site with bad content and use the rel=canonical tag to connect it to a target site.
In this case, bad content can simply mean content that is an 80% textual match to the target page’s content, except with more keyword stuffing and adult phrases designed to trigger Safe Search.
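A defender can screen pages surfaced by backlink or duplicate-content monitoring for this pattern. The following is an added example, not code from the original article: it flags a page on another host that declares a rel=canonical pointing at your domain while reusing most of your page's wording. The host names, the sample HTML and the word-set overlap measure (a simple stand-in for "textual match") are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageScan(HTMLParser):
    """Collect <link rel="canonical"> targets and visible text from a page."""
    def __init__(self):
        super().__init__()
        self.canonicals, self.chunks, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "link" and "canonical" in (a.get("rel") or "").lower().split():
            self.canonicals.append(a.get("href") or "")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:  # ignore script/style bodies
            self.chunks.append(data)

def words(text):
    return set(re.findall(r"[a-z0-9']+", text.lower()))

def audit_foreign_page(page_url, page_html, my_host, my_text, threshold=0.8):
    """Flag a page on another host that canonicalises to my_host and copies my text."""
    scan = PageScan()
    scan.feed(page_html)
    foreign = urlparse(page_url).hostname != my_host
    claims_me = any(urlparse(c).hostname == my_host for c in scan.canonicals)
    mine, theirs = words(my_text), words(" ".join(scan.chunks))
    overlap = len(mine & theirs) / len(mine) if mine else 0.0  # share of my words reused
    return {"claims_my_canonical": foreign and claims_me,
            "overlap": round(overlap, 3),
            "suspicious": foreign and claims_me and overlap >= threshold}

# Constructed sample data; www.example.com and amp-mirror.example.net are placeholders.
MY_TEXT = "Acme sells hand made oak desks and chairs shipped across Europe"
FOREIGN_HTML = """<html amp><head>
<link rel="canonical" href="https://www.example.com/desks">
<style>body{color:red}</style></head><body>
<p>Acme sells hand made oak desks and chairs shipped today.</p>
<p>desks desks desks cheap desks best desks</p></body></html>"""

if __name__ == "__main__":
    print(audit_foreign_page("https://amp-mirror.example.net/desks",
                             FOREIGN_HTML, "www.example.com", MY_TEXT))
```

Pages flagged this way are candidates for a hosting or search-engine abuse report; the threshold of 0.8 mirrors the 80% figure above and should be tuned on your own content.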
Injected canonicals. In the same way that an attacker can inject content onto a site through a hack or technical misconfiguration, a bad actor may implement a PWA (progressive web app) and associate the PWA with a target domain, via the hack.
If properly cloaked to the website owner, the PWA could appear as a normal branded PWA, but it would just so happen to steal customer information or otherwise cause reputational problems. Similar to the PWA-injected content problems, a bad actor could also tweak AMP and hreflang settings in an attempt to cause incorrect indexing issues.
GDPR complaints as a service. This will almost certainly be a problem in Europe. The attack would work by seeking out ranking pages that contain a person’s name and then fictitiously filing GDPR complaints in bulk, as an attempt to have the pages removed.
This is an extension of similar attacks that have existed for years in the U.S. with the Digital Millennium Copyright Act (DMCA), which were very successful up until quite recently.
User signals
Knowledge graph, rich snippets, reviews and other Google property listings. It is already possible to inundate Google-hosted features with negative reviews and incorrect information, which results in a waste of time for a webmaster. However, I can foresee a future where this is done far more aggressively, by renting the use of senior Google reviewer accounts to do a variety of things:
- Marking business listings as closed (repeatedly).
- Updating addresses to known spam addresses.
- Updating website listings to point to a competitor.
- Updating existing links to valid yet incorrect pages.
Google trusts its seniority process for making changes, and, like the Wikipedia editor community, once it is sufficiently infiltrated with bad actors, it becomes difficult to trust.
3rd party review sites [Serchen, G2 Crowd, etc.]. This attack vector works in two different ways. First, having a significant number of bad reviews is problematic as it currently reduces the amount of traffic that would originally come from such sites. Additionally, what will start to happen fairly soon is we will see the most negative listings ranked with aggressive link spam.
Not only do people tend to pre-judge the quality of a service or product by relying on 3rd party reviews, but the more first-page rankings that are comprised of bad reviews, the more likely the target domain is going to be ignored and thus receive fewer clicks.
Mass flagging in Chrome. As Google relies more and more on its own products for user signal trust, attackers will also start to place more emphasis on those products to manipulate the signal. One such way has to do with reporting malware.
Currently, if enough malware websites are 301 redirected into a domain and are reported through Google’s general feedback form, there is a not insignificant chance the target domain will be listed with a malware warning. With Chrome the potential may even be higher, as an attacker could flag both the target and recipient domains of the malware redirect, at scale.
In my opinion, this would be exceptionally effective and likely result in the attacked domain being flagged and not viewable to the 80% of the web that uses the Chrome browser by default. Technically, because this concept uses links, we could also include it in the previous section.
Junk traffic through AMP. High levels of junk traffic pushed through the accelerated mobile pages (AMP) version of the site are already used to mislead webmasters by providing a view of incorrect user intent, which results in wasted time optimizing for potentially incorrect pages, terms, and needs.
It has other negative impacts if continuously scaled, by purposefully sending bounce traffic through the non-AMP version and lingering traffic through AMP, wherein one may incorrectly assume AMP is a good solution (it isn’t). If an attacker were looking to accelerate the demonetization of a publisher site, this is one such method I expect we’ll see.
More sophisticated DDoS attacks. This is an almost certain tactic to be employed and is based on triggering server-side local JavaScript and naturally slow pages due to expensive queries.
Given that hosts have emphasized improving CPU performance and the ability to auto-scale when traffic is high as a proxy for determining server load, a more efficient attack will evolve wherein solving traffic-related DDoS won’t matter as the attack vector shifts towards attacking slow server-side scripts and the database by repeatedly loading specific URLs which contain uncached SQL queries, resulting in hung SQL queries and thus a slow, if not incapacitated website.
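Because this kind of load does not show up as a traffic spike, it is easier to spot by looking at time spent per URL than at request volume. The following is an added example, not code from the original article: it groups access-log lines by script path and reports paths that are both slow and hit repeatedly, along with the client responsible for the largest share. The log format (nginx-style with `$request_time` appended), the thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample: nginx-style lines with $request_time appended (assumed format).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2018:13:55:01 +0000] "GET /search?q=a&sort=price HTTP/1.1" 200 5120 4.81
203.0.113.7 - - [10/Oct/2018:13:55:02 +0000] "GET /search?q=b&sort=price HTTP/1.1" 200 5090 5.10
203.0.113.9 - - [10/Oct/2018:13:55:02 +0000] "GET /search?q=c&sort=price HTTP/1.1" 200 5201 6.32
203.0.113.7 - - [10/Oct/2018:13:55:03 +0000] "GET /search?q=d&sort=price HTTP/1.1" 504 0 30.00
198.51.100.4 - - [10/Oct/2018:13:55:03 +0000] "GET /index.html HTTP/1.1" 200 1043 0.02
198.51.100.5 - - [10/Oct/2018:13:55:04 +0000] "GET /index.html HTTP/1.1" 200 1043 0.03
198.51.100.6 - - [10/Oct/2018:13:55:05 +0000] "GET /index.html HTTP/1.1" 200 1043 0.02
198.51.100.4 - - [10/Oct/2018:13:55:06 +0000] "GET /report/annual HTTP/1.1" 200 9000 3.90
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \d+ ([\d.]+)$')

def slow_path_hotspots(log_text, min_hits=3, slow_seconds=2.0):
    """Return paths that are both slow and requested repeatedly, costliest first."""
    stats = defaultdict(lambda: {"times": [], "clients": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, url, _status, secs = m.groups()
        path = url.split("?", 1)[0]  # varying query strings still hit the same script
        stats[path]["times"].append(float(secs))
        stats[path]["clients"][ip] += 1
    findings = []
    for path, s in stats.items():
        hits, med = len(s["times"]), median(s["times"])
        if hits >= min_hits and med >= slow_seconds:
            top_ip, top_hits = max(s["clients"].items(), key=lambda kv: kv[1])
            findings.append({"path": path, "hits": hits, "median_s": med,
                             "server_seconds": round(sum(s["times"]), 2),
                             "top_client": top_ip, "top_share": top_hits / hits})
    return sorted(findings, key=lambda f: f["server_seconds"], reverse=True)

if __name__ == "__main__":
    for f in slow_path_hotspots(SAMPLE_LOG):
        print(f)
```

Paths that surface here are the ones to cache, rate-limit per client, or protect with a query timeout.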
Conclusion
This concludes our series on negative SEO. As we set out in the beginning, it is my hope that you now have a firm understanding of what it is, how it works, how to protect yourself, how to stop an attack, how to recover from it, and can now keep an eye to the future on what negative SEO may look like in the years to come. I would like to thank Andrew Evans for correcting my numerous grammar mishaps and Debra Mastaler for translating my search engine thoughts into human on a monthly basis.