June 23, 2026
Analysis of a Domestic Website Compromise and Its Abuse for Black Hat SEO Activities
By VincaSec
During the analysis of a website, I tested the content served to different User-Agent identities. Special attention was given to the server's response when accessed using the Googlebot User-Agent, a common technique for identifying SEO spam compromises.
The analysis confirmed that the website serves different content to crawlers than to regular visitors, which is a strong indicator of a compromise associated with an SEO spam campaign.
Methodology
I identified the analyzed website through OSINT research using Google dorking techniques and keywords commonly associated with SEO spam activity across domestic TLDs, with the goal of discovering potentially compromised domains.
Since SEO spam campaigns frequently serve different content to search engines than to regular users, I performed additional verification by simulating requests from Google's crawler using the Googlebot User-Agent.
For this purpose, I used the curl utility to send a request identical to one that would be generated by Googlebot:
curl -A "Googlebot" https://example.rs/ > proof.html
The retrieved HTML content was then analyzed to identify anomalies, external references, generated URLs, and other indicators of compromise.
Findings
1. Cloaking Technique
The server returned content that significantly differed from the website's expected content.
Instead of legitimate website content, the response contained a complete Japanese e-commerce page.
This behavior is characteristic of an SEO cloaking technique, where search engine crawlers are presented with content different from what regular users see.
2. Japanese SEO Spam
The HTML document contained elements such as:
<title>電子 ドラム 卓上 ROLAND TD-11K-S V-Drums 電子ドラム マイクスタンド付き</title>
I also identified numerous pages following patterns such as:
/products/73c4751431407
/products/4fcab51431501
/products/0e7e351645701
These findings indicate the presence of mass-generated spam pages designed specifically for search engine indexing.
3. Use of Content from a Japanese E-Commerce Platform
While reviewing the retrieved HTML content in a browser, I observed images of Japanese products, including electronic equipment and various consumer goods.
Within the HTML source code, I identified references to:
komeri[.]com
which is a Japanese e-commerce platform.
It appears that the attackers leveraged an existing template or content from this platform to generate a large number of fraudulent pages on the compromised domain.
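For site owners who want to repeat this check on their own domain, the comparison can be automated. The following is an added example, not code from the original analysis: it compares a response fetched with a browser User-Agent against one fetched with the Googlebot User-Agent and reports the indicators described in the findings. The sample HTML is constructed, `images.shop.example` is a placeholder host, and the function names and the 13-hex-character path pattern are assumptions based on the three paths listed above.

```python
import re

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
# Hiragana, Katakana and CJK Unified Ideographs
CJK_RE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")
# Assumption: the three paths listed in the findings are /products/ + 13 hex chars
PRODUCT_RE = re.compile(r"/products/[0-9a-f]{13}\b")
HOST_RE = re.compile(r"""(?:href|src)=["']https?://([^/"'\s>]+)""", re.I)

# Constructed sample responses (not the analyzed site's real content)
BROWSER_HTML = """<html><head><title>Example company</title></head>
<body><a href="https://example.rs/about">About us</a></body></html>"""
CRAWLER_HTML = """<html><head>
<title>電子 ドラム 卓上 ROLAND TD-11K-S V-Drums 電子ドラム マイクスタンド付き</title></head><body>
<img src="https://images.shop.example/p/1.jpg">
<a href="/products/73c4751431407">1</a>
<a href="/products/4fcab51431501">2</a>
<a href="/products/0e7e351645701">3</a></body></html>"""

def title_of(html):
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""

def hosts_of(html):
    return {h.lower() for h in HOST_RE.findall(html)}

def cloaking_indicators(browser_html, crawler_html, site_host):
    """Compare the response for a browser UA with the one for the Googlebot UA."""
    b_title, c_title = title_of(browser_html), title_of(crawler_html)
    return {
        "title_changed": b_title != c_title,
        "cjk_title_only_for_crawler":
            bool(CJK_RE.search(c_title)) and not CJK_RE.search(b_title),
        "generated_paths": sorted(set(PRODUCT_RE.findall(crawler_html))
                                  - set(PRODUCT_RE.findall(browser_html))),
        "new_external_hosts": sorted(hosts_of(crawler_html)
                                     - hosts_of(browser_html) - {site_host}),
    }

def is_suspicious(ind):
    # Two or more differences between the responses are worth a manual review
    hits = [ind["title_changed"], ind["cjk_title_only_for_crawler"],
            bool(ind["generated_paths"]), bool(ind["new_external_hosts"])]
    return sum(hits) >= 2

if __name__ == "__main__":
    print(cloaking_indicators(BROWSER_HTML, CRAWLER_HTML, "example.rs"))
```

In practice the two inputs would be the saved outputs of two curl requests to the same URL, one with a regular browser User-Agent and one with the Googlebot User-Agent.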
Possible Compromise Vector
The initial compromise vector cannot be determined with certainty based on the available evidence. The most likely scenario involves exploitation of a vulnerability in the CMS platform or one of its plugins, allowing attackers to inject malicious code and SEO spam content.
Other possibilities include abuse of .htaccess configuration rules for User-Agent-based cloaking or dynamic retrieval of malicious content from external servers.
Recommendations
To reduce the risk of future compromises, I recommend implementing the following security measures:
- Deploy a Web Application Firewall (WAF)
- Restrict access to administrative interfaces
- Enforce Multi-Factor Authentication (MFA)
- Regularly update the CMS platform and all installed plugins
- Implement file integrity monitoring
- Periodically review domain status in Google Search Console
- Utilize automated malware scanning solutions
Conclusion
By analyzing the content served to the Googlebot User-Agent, I confirmed the presence of a Japanese SEO spam campaign on the analyzed domain.
The available evidence points to a cloaking setup where search engines were shown auto-generated pages imitating a Japanese e-commerce site, complete with product-style images, keyword-heavy titles, and a large set of dynamically created URLs. This strongly suggests the domain had been taken over and repurposed for Black Hat SEO activity. However, without a deeper technical inspection of the server environment, application code, access logs, and configuration settings, the exact origin of the compromise cannot be confirmed.