Alexa Search Offers Online Crooks a Helping Hand

I’m considering re-naming my site to CSI: Interweb as this is the second recent article on the topic of thievery. Both have been based on evidence that I’ve uncovered via my server logs.

The first episode was mild compared to this one. This thief is at least semi-professional, but still left behind too much evidence to be called a pro.

This type of theft will only affect you if you are selling a digital product. I discovered it when I found the following entry in my server logs:

United Kingdom
user-5445ed87.lns4-c13.telh.dsl.pol.co.uk (84.69.237.135)
www.ninjablogsetup.com/HIDDEN.php
www.alexa.com/search?q=%22Thank you for your order%22 link&page=7&count=10

I have hidden the actual URL of the page they landed on. Not because it exposes me (in my case it was only a page telling people who had signed up for my service to check their email), but because I have conversion tracking on that page and everyone who visits it is tracked as a conversion, so I don’t want y’all to visit and send my conversion rate through the roof.

Here’s the deal. If you follow the link to Alexa search results on the bottom of the log entry, you’ll see that the searcher was searching for pages that contain the phrase: “Thank you for your order”

If you click through to some of the results of this query, you’ll find the secret download links for many digital products!

Please don’t download them, that’s stealing and terrible karma. You’ll be telling yourself that you cannot afford to acquire what you want in a legitimate manner, which will reinforce poverty in your life. Really bad idea. My intent is to educate and show Alexa and digital product creators a loophole in their systems, not to provide a key to theft.

How Is This Possible?

After seeing the intrusion, I checked, and my page was not indexed in Google. That makes sense, as it has a “no index, no follow” meta tag on it, but the thieves have obviously discovered that Alexa is apparently still indexing pages with a “no index” meta tag on them.

That’s a serious security loophole thanks to the folks at Alexa (owned by Yahoo! Amazon). I guess we know what the exclamation mark in Yahoo! stands for.

Updated: Thanks to Mindanao Bob for catching my mistake … sorry Yahoo! luv ya.

Why A Semi-Pro?

Of course, if the dude from the UK were smarter, he would have copied and pasted the link to my site into his browser rather than clicking on the Alexa search results page. That would have eliminated the Alexa referrer link in my logs, and I never would have discovered the intrusion.

I’m not sure if a specific request in a robots.txt file would prevent Alexa from indexing these pages. I will send a copy of this story to Alexa and see if they respond. If you ever have a page in Google that you don’t want in their index, you can use their webmaster’s tools to remove it; I’ll have to check to see if I can find a similar service provided by Alexa.

The other solution for product sites is to not use an obvious thank you phrase; remove the “Thank you for your order” footprint.
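The referrer check that exposed this visit can be automated. The following is an added example, not code from the original post: it scans combined-format access logs for hits on a post-purchase page that arrive from an external search results page. The path "/thank-you.php", the host "shop.example" and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs).
SAMPLE_LOG = '''\
203.0.113.7 - - [05/Sep/2007:10:12:01 +0000] "GET /thank-you.php HTTP/1.1" 200 5120 "http://www.alexa.com/search?q=%22Thank+you+for+your+order%22+link&page=7&count=10" "Mozilla/4.0"
198.51.100.4 - - [05/Sep/2007:10:15:44 +0000] "GET /thank-you.php HTTP/1.1" 200 5120 "https://shop.example/checkout" "Mozilla/5.0"
192.0.2.9 - - [05/Sep/2007:10:20:13 +0000] "GET /index.php HTTP/1.1" 200 9000 "http://www.google.com/search?q=blog+setup" "Mozilla/5.0"
198.51.100.23 - - [05/Sep/2007:10:31:50 +0000] "GET /thank-you.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

PROTECTED_PATHS = {"/thank-you.php"}  # hypothetical post-purchase page
OWN_HOSTS = {"shop.example"}          # hypothetical: the site's own checkout flow
QUERY_KEYS = ("q", "p", "query")      # common search-term parameter names

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "[^"]*"$'
)

def find_search_referred_hits(log_text):
    """Return hits on protected pages whose referrer is an external site."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = urlsplit(m["path"]).path
        if path not in PROTECTED_PATHS:
            continue
        ref = urlsplit(m["ref"])
        # A "-" referrer has no hostname: there is nothing to attribute,
        # so this check only sees visitors who clicked through from a link.
        if not ref.hostname or ref.hostname in OWN_HOSTS:
            continue
        params = parse_qs(ref.query)
        query = next((params[k][0] for k in QUERY_KEYS if k in params), None)
        findings.append({"ip": m["ip"], "time": m["ts"], "path": path,
                         "referrer_host": ref.hostname, "search_query": query})
    return findings

if __name__ == "__main__":
    for hit in find_search_referred_hits(SAMPLE_LOG):
        print(hit)
```

Any hit it reports means the page is reachable from someone else's index, whatever the “no index” tag says.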

Interesting how the same fantastic tool, a simple search engine, can be used equally well for creative and destructive purposes.



Comments ( 2 )

Very interesting Jon! You are becoming a new kind of online detective.

I found it most amusing when you even got the details of the other guy’s C drive directory.

Andy W added these pithy words on Sep 06 07 at 1:35 am

Just a quick correction, I think you’ll want to change. Alexa is owned by Amazon.com, not Yahoo.

Mindanao Bob added these pithy words on Sep 09 07 at 6:11 am


Copyright © 2006-2010 Art of Money
