When Hackers Turn Your Site Into a Traffic Farm

Not every compromised website is used to steal data or deploy malware.
Many are repurposed quietly to generate traffic.
The site stays online.
Pages still load.
Customers rarely complain.
Behind the scenes, attackers use the site’s reputation, bandwidth, and SEO trust to drive traffic elsewhere or inflate their own networks.
Most organizations discover this months later, often by accident.

Why Legitimate Sites Are Valuable to Attackers
Attackers want trust, not just access.
A legitimate site offers:
1. Search engine reputation
2. Clean IP space
3. Existing backlinks
4. User trust
Using your site as a traffic farm is safer than building infrastructure from scratch.

Common Ways Sites Become Traffic Farms
From real investigations, the entry points are predictable:
1. Outdated CMS plugins
2. Weak admin credentials
3. Exposed file upload endpoints
4. Forgotten staging environments
The initial compromise is rarely sophisticated.
The abuse that follows is deliberate.

Technique 1: Hidden Redirect Pages
Search engines see these pages, but humans never interact with them directly. The process works as follows:
1. An attacker creates an SEO-optimized page in a hidden directory.
2. The page contains trending keywords and ranks very high in search results.
3. When a visitor opens the page, they are redirected to a fraudulent gambling or cryptocurrency website, or to an outright scam.

Example: 
/blog/wp-content/uploads/2024/Bonus-Casino.html
The page is indexed, ranks very well and is found through an ordinary Internet search; once it loads, the visitor is redirected.

Detection Example
grep -R "window.location" /var/www/html
Unexpected client-side redirects are a common indicator.

Technique 2: Server-Side Redirect Abuse
Some traffic farms avoid JavaScript entirely.
They use HTTP redirects.
Observed Pattern
1. Legitimate URLs return a redirect response code (either 302 or 301)
2. Redirects only trigger for certain User-Agents
3. Users and crawlers are presented with different content types

Hunting Example
curl -I https://example.com/suspicious-page
Then compare with:
curl -I -A "Googlebot" https://example.com/suspicious-page
Different responses suggest cloaking.
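
The comparison above can be scripted so it runs over many URLs. This is an added example, not code from the original article: it reduces two saved `curl -sI` captures to status code plus Location header and reports any difference. The function names and the header captures are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare how one URL answers two User-Agents, using saved
# `curl -sI` output. The header captures below are constructed samples.

# Reduce one response-header capture on stdin to "<status> <Location or ->".
redirect_fingerprint() {
    tr -d '\r' | awk '
        /^HTTP\// { status = $2 }                   # "HTTP/1.1 302 Found" or "HTTP/2 302"
        tolower($1) == "location:" { loc = $2 }     # header names are case-insensitive
        END {
            if (status == "") status = "-"
            if (loc == "") loc = "-"
            print status, loc
        }'
}

# Compare a default-client capture ($1) with a crawler-UA capture ($2).
compare_captures() {
    browser=$(redirect_fingerprint < "$1")
    crawler=$(redirect_fingerprint < "$2")
    if [ "$browser" = "$crawler" ]; then
        echo "consistent: [$browser]"
    else
        echo "cloaked: browser=[$browser] crawler=[$crawler]"
    fi
}

# Constructed captures: the default client is redirected, the crawler UA gets a 200.
demo_cloaking() {
    dir=$(mktemp -d)
    printf 'HTTP/1.1 302 Found\r\nLocation: https://redirect-target.example/landing\r\n\r\n' > "$dir/browser.txt"
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$dir/crawler.txt"
    compare_captures "$dir/browser.txt" "$dir/crawler.txt"
    rm -rf "$dir"
}

# Live use (needs network):
#   curl -sI "$url" > browser.txt; curl -sI -A "Googlebot" "$url" > crawler.txt
#   compare_captures browser.txt crawler.txt
demo_cloaking
```

A "consistent" result does not clear the page: cloaking can also key on the source IP address or the Referer header, which a changed User-Agent alone does not reproduce.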

Technique 3: SEO Spam Injection
The website is flooded with thousands of new pages, all of which follow a very generic template and are filled with keywords related to the following sectors:
1. Gambling
2. Pharmaceuticals
3. Cryptocurrency giveaways
4. Fake reviews
Volume is prioritized over quality.

Detection Example
find /var/www/html -type f -mtime -30 | wc -l
Sudden growth in page count often precedes traffic abuse.
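
A raw count does not show where the growth is. The following added example (not from the original article) combines the `find` check here with the redirect grep from Technique 1: it groups recently modified web files by directory and counts how many contain a client-side redirect. The function name, the redirect patterns and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: show where recently modified web files are concentrated and
# how many of them contain a client-side redirect. Sample tree is constructed.

# Usage: recent_by_dir <docroot> <days>
# Output: "<files> <with_redirect> <directory>", busiest directory first.
recent_by_dir() {
    (
        cd "$1" || exit 1
        find . -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' -o -name '*.js' \) \
            -mtime "-$2" |
        while IFS= read -r f; do
            hit=0
            # window.location, location.href/replace/assign, or <meta http-equiv=refresh>
            if grep -Eqi 'window\.location|location\.(href|replace|assign)|http-equiv=.?refresh' "$f"; then
                hit=1
            fi
            printf '%s\t%s\n' "$(dirname "$f")" "$hit"
        done
    ) | awk -F'\t' '{ n[$1]++; r[$1] += $2 } END { for (d in n) print n[d], r[d], d }' |
        sort -k1,1nr -k3,3
}

# Constructed tree: one legitimate page, three new pages in an uploads directory.
demo_recent_by_dir() {
    root=$(mktemp -d)
    up="$root/blog/wp-content/uploads/2024"
    mkdir -p "$up"
    echo '<h1>Welcome</h1>' > "$root/index.html"
    echo '<script>window.location="https://redirect-target.example/"</script>' > "$up/Bonus-Casino.html"
    echo '<meta http-equiv="refresh" content="0;url=https://redirect-target.example/">' > "$up/promo-2.html"
    echo '<p>keyword keyword keyword</p>' > "$up/promo-3.html"
    recent_by_dir "$root" 30
    rm -rf "$root"
}
demo_recent_by_dir
```

Redirects that are obfuscated or assembled at runtime will not match these patterns, so a zero in the second column is unproven rather than clean.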

Technique 4: Abuse of Sitemap and Robots Files
Attackers manipulate sitemap.xml and robots.txt to get as many pages as possible indexed by search engines as quickly as possible.
Patterns seen in real-world tampering with sitemap and robots files:
1. New sitemap links to pages that lead to spam sites
2. An increase in how often web crawlers crawl your website
3. No visible changes to your website

Verification Example
cat /var/www/html/sitemap.xml
Unexpected URLs in sitemaps are never benign.
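
Reading a large sitemap by eye does not scale. As an added example (not part of the original article), the script below diffs the URLs in sitemap.xml and the Sitemap directives in robots.txt against baselines you have already reviewed. The baseline files (one URL per line), the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: diff sitemap.xml and robots.txt against reviewed baselines.
# Baseline files (one URL per line) and all sample data are assumptions.

# Every <loc> value in sitemap XML on stdin, one per line (handles minified XML).
sitemap_locs() {
    tr -d '\r' | grep -o '<loc>[^<]*</loc>' |
        sed -e 's/<[^>]*>//g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Every "Sitemap:" directive in robots.txt on stdin.
robots_sitemaps() {
    tr -d '\r' | awk 'tolower($1) == "sitemap:" { print $2 }'
}

# Lines on stdin that are absent from baseline file $1. FILENAME is compared
# instead of NR == FNR so an empty baseline reports everything, not nothing.
not_in_baseline() {
    awk 'FILENAME == ARGV[1] { known[$0] = 1; next } !($0 in known)' "$1" -
}

# Usage: audit <sitemap.xml> <robots.txt> <baseline-urls> <baseline-sitemaps>
audit() {
    sitemap_locs < "$1" | not_in_baseline "$3" | sed 's/^/url /'
    robots_sitemaps < "$2" | not_in_baseline "$4" | sed 's/^/sitemap /'
}

# Constructed sample: one unreviewed URL and one unreviewed Sitemap directive.
demo_sitemap_audit() {
    d=$(mktemp -d)
    printf '%s\n' 'https://www.example.com/' 'https://www.example.com/pricing' > "$d/urls.base"
    printf '%s\n' 'https://www.example.com/sitemap.xml' > "$d/sitemaps.base"
    printf '%s' '<urlset><url><loc>https://www.example.com/</loc></url>' \
        '<url><loc>https://www.example.com/pricing</loc></url>' \
        '<url><loc>https://www.example.com/blog/wp-content/uploads/2024/Bonus-Casino.html</loc></url>' \
        '</urlset>' > "$d/sitemap.xml"
    printf '%s\n' 'User-agent: *' 'Disallow: /wp-admin/' \
        'Sitemap: https://www.example.com/sitemap.xml' \
        'sitemap: https://www.example.com/wp-content/uploads/sitemap-2.xml' > "$d/robots.txt"
    audit "$d/sitemap.xml" "$d/robots.txt" "$d/urls.base" "$d/sitemaps.base"
    rm -rf "$d"
}
demo_sitemap_audit
```

Run from a scheduled job, any output line is a change to review; the baselines are updated only after a person has confirmed the new entries.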

Technique 5: Proxying Traffic Through Your Site
In advanced cases, the site becomes a relay.
Traffic passes through it to mask attacker infrastructure.
Seen In Practice
1. iframe-based forwarding
2. Reverse proxy rules
3. Cloudflare worker abuse
This makes takedown harder and attribution messy.

Tools Commonly Used by Attackers
Traffic farming does not require custom malware.
Tools used in traffic farming operations include, but are not limited to, the following:
1. CMS admin panels
2. SEO automation frameworks
3. Simple PHP redirect scripts
4. .htaccess rules
5. CDN configuration (cloud)
Abusive traffic farming behaves like legitimate internet traffic.

Example: Identifying Abusive Traffic Farming Behavior in Log Files
Logs will display traffic patterns based on Monthly Gross Income (MGI).
Log patterns that indicate abusive traffic farming include:
1. Traffic spikes to pages that no one maintains
2. Unusual diversity in referring sources
3. Spikes in visitors from search engine results pages (SERPs) with no corresponding conversions

Example of an Initial Analysis
awk '{print $7}' access.log | sort | uniq -c | sort -nr | head

Abnormal traffic volumes to unmaintained pages should be investigated further.
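
The one-liner above ranks every path, maintained or not. As an added example (not from the original article), the script below keeps only paths missing from an inventory of maintained pages and reports, for each, total hits, hits referred by a search engine and the number of distinct referrer hosts. It assumes the combined log format; the inventory file, the search-engine list and the log lines are constructed, and conversions are not modelled.

```shell
#!/bin/sh
# Added example: rank paths that are NOT in your inventory of maintained pages.
# Assumes combined log format; inventory file and log lines are constructed.

# Usage: farm_candidates <access.log> <inventory-of-paths> <min-hits>
# Output: "<hits> <search_referred> <referrer_hosts> <path>"
farm_candidates() {
    awk -F'"' -v min="$3" '
        FILENAME == ARGV[1] { known[$0] = 1; next }       # inventory, one path per line
        {
            split($2, req, " "); path = req[2]            # $2 = "GET /path HTTP/1.1"
            sub(/\?.*/, "", path)                         # ignore query strings
            if (path == "" || (path in known)) next
            host = $4                                     # $4 = Referer
            sub(/^[a-z]+:\/\//, "", host); sub(/\/.*/, "", host)
            hits[path]++
            # Heuristic list of search engines, matched on a label boundary
            if (host ~ /(^|\.)(google|bing|duckduckgo|yandex)\./) serp[path]++
            if (host != "" && host != "-" && !seen[path, host]++) refs[path]++
        }
        END {
            for (p in hits)
                if (hits[p] >= min) print hits[p], serp[p] + 0, refs[p] + 0, p
        }' "$2" "$1" | sort -k1,1nr -k4,4
}

# Helper for the constructed sample: one combined-format line per call.
log_line() {
    printf '203.0.113.9 - - [10/Jan/2026:10:00:00 +0000] "GET %s HTTP/1.1" 200 900 "%s" "Mozilla/5.0"\n' "$1" "$2"
}

demo_farm_candidates() {
    d=$(mktemp -d)
    spam=/blog/wp-content/uploads/2024/Bonus-Casino.html
    printf '%s\n' / /pricing > "$d/inventory.txt"
    {
        log_line / -
        log_line /pricing https://www.google.com/
        log_line "$spam" https://www.google.com/
        log_line "$spam" 'https://www.bing.com/search?q=bonus'
        log_line "${spam}?src=a" https://forum.example.net/t/1
        log_line /old-landing -
    } > "$d/access.log"
    farm_candidates "$d/access.log" "$d/inventory.txt" 2
    rm -rf "$d"
}
demo_farm_candidates
```

The inventory can be exported from the CMS or taken from the reviewed sitemap; a path with many search-referred hits that appears in neither is the first thing to inspect.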

Why Security Tools Often Miss This
Traffic farming does not trigger:
1. Malware alerts
2. Intrusion prevention systems
3. Authentication warnings
The site is working as designed.
Only intent is malicious.

Business and Operational Impact
Organizations underestimate the damage.
Real consequences include:
1. Search engine penalties
2. Brand association with scams
3. Blacklisting by partners
4. Increased hosting costs
5. Legal exposure
Cleaning up can take longer than the compromise itself.

What Is Actually Useful in Practice
1. Performing regular file integrity checks
2. Checking for changes to the sitemap and robots files
3. Setting up an alert for changes in the redirect logic
4. Reviewing the top traffic pages on a monthly basis
5. Scanning for unexpected SEO-related content
The integrity of content is as important as uptime.

Key Takeaways
1. Not all compromises are done with the intent to steal data
2. Traffic farming is a type of abuse of trust and reputation
3. SEO signals are typically the first indicator of abuse
4. To detect abuse, you will need to examine both the content and the behavior of the person committing the abuse
5. The clean-up process affects your company's reputation, not just the back-end of your website.

If you have a popular site, there will be people trying to make money off it.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067