A while back I uncovered a new type of undetectable negative SEO, which involved the canonical tag. Search Engine Journal covered it in a post here. I thought that as a result of bringing it out in the open that Google would somehow fix the problem. However, based on a conversation I had today with a victim of canonical tag negative SEO, it appears that recent changes that Google’s made may have further exacerbated the problem.
I suspect that Google has changed some of the ways that they handle cross-domain canonical tags. This has become apparent because of the conversation I had with someone whose site has been attacked by canonical tag negative SEO. The attacker was able to steal the website’s search engine rankings for a popular keyword phrase, replacing their page simply by copying it and putting it on the other site along with a canonical tag. There may have been some other things that were done in the process, but the attacker essentially copied the victim’s content, put it on another domain, and took their rankings.
A Twist on Canonical Tag Negative SEO
Note that while what happened was not necessarily negative SEO, I does involve stealing an established site’s rankings and the canonical tag. So, I’m going to refer to it as “canonical tag negative SEO”. With negative SEO, the goal typically by the attacker is to simply make a site’s rankings and traffic go down. But in this case, the attacker actually replaced rankings with their site by copying the content of the victim.
Example of Negative SEO
Here’s that this canonical tag negative SEO victim told me, in his words. Due to the nature of what he told me, I have removed some of the details that are specific to his site, as he doesn’t currently want his site revealed:
“I am being attacked by this type of negative SEO – but with a Twist.
So the Attacker put a exact Copy of one of my Blog Posts on a Hacked Domain with loads of spammy Backlinks. The Blog Post they copied was one of my most visited URLs. I notice a very very big decrease in Traffic since that happened.
But here comes the Twist:
Google Deindexed my original URL and is now ranking the Attackers Copy of the Post instead. When checking my URL in the Search Console it says: “Duplicate, submitted URL not selected as canonical” and “The URL selected by Google as the authoritative version of this page. Other versions can be served in search results, depending on factors such as the user’s device type or language. This is not available in the live test, as Google selects a canonical URL only after a page is indexed.”
The “User-declared canonical” is still my original URL but the “Google-selected canonical” is the hacked Website.
Isn’t that crazy?! Google just decided to select a hacker website, with copied content, that redirects to Gambling Content as the correct canonical Version of my Site and is now sending my Traffic to them. The copied Version of my Site isn’t even on there anylonger as they now redirect to a Gambling site.
They do only rank for the Keywords of the particular Blog Post of mine they copied. And the rest of my Site lost 80% of its Traffic ?.
I requested Indexing of the proper URL in the Search Console – it has now been 4 days and nothing happened.
He went on to say that negative SEO with canonical tags was new to him, but my previous post was the only one that really was close to what he was experiencing.
“Negative SEO with canonicals was New to me and i would have never thought that Google just selects other Domains as the “correct” canonical Version.
Here is a Screenshot of what this looks like in the Search Console:”
The big problem here is that the attacker was able to fool Google. The attacker was able to convince Google to choose their URL as the proper URL. When the victim goes into Google Search Console and uses the Inspect URL tool, it says “Duplicate, submitted URL, not selected as canonical”. Furthermore, when the victim looks at the links to his site in Google Search Console, all of the spammy, bad links that point to the attacker’s website are shown, as if they are pointing to the victim’s website. They’re not, but because Google has been fooled with cross-domain canonical tag(s), the links show up as if they’re pointing to the victim’s website.
The victim told me that “since they are the Google Selected Canonical Version of my site it shows all of their spammy Backlinks in my search Console as if those links were pointing to me. More than 70k Spammy Backlinks are shown in my Search Console.”
My theory is this what the attacker did. I confirmed with the victim that the site the attacker used was a site that was hacked (it is an authoritative site).
- The attacker stole the content from the victim.
- The attacker hacked into an authoritative site and placed the victim’s content on that site. The original canonical tag was on the content.
- The attacker allowed the stolen content to get crawled and indexed.
- The attacker then changed the canonical tag(s) to point to the stolen content on the hacked site.
- Google chose to index the wrong version of the site, removing the victim’s content from Google totally.
- The hacker updates the content, places a JavaScript redirect to a poker/gambling site on the stolen content.
- Victim sees a rankings drop, traffic drop, and checks Google Search Console. Sees the bad backlinks, discovers the negative SEO, and tries to request reindexing of his original content. GSC says they won’t reindex it.
- Attacker has successfully stolen the victim’s content and rankings via negative SEO involving a cross-domain canonical tag.
Again, this may or may not have been the exact order or procedure of how the attacker stole rankings from the victim. We do know that the content was stolen, and I have confirmed that by looking at the Google cache of the attacker’s page that is ranking currently.
Have you had something similar happen to you? Let me know, I’d be interested in hearing about it.
