Scammers snatch up expired domains, vexing Google

The web is a living thing — ever-evolving, ever-changing. This goes beyond just the content on websites; whole domains can expire and be taken over, allowing corners of the internet to become a little like your hometown: Wait, wasn’t there a Dairy Queen here?

For example, if TechCrunch forgets to pay its domain registrar, TechCrunch.com would eventually expire (on June 10, to be exact). At that point, some enterprising human could snap up the domain and do nefarious things with it. Now, if TechCrunch.com was suddenly red instead of green and sold penis enhancement pills instead of dicking around with great news and awful puns in equal measure, you’d probably figure out that something is up. But black-hat SEO tricksters are subtler than that.

When they seize a domain, they’ll often point it to a new IP address, resurrect the site, restore it as closely as they can to the original and leave it for a while. When the IP address changes, SEO experts claim that Google temporarily “punishes” the domain by dropping it in the rankings.

This is called “sandboxing,” or “the sandbox period,” and during this time, Google puts the domain on notice. Once Google determines — sometimes erroneously — that the IP address change underneath the domain was just part of a move from one web host to another, the theory is that the domain will start climbing in the rankings again. That’s when the new owner of the domain can start their sneaky business: Updating links to send traffic to new places, for example, or keeping the traffic as it is and adding affiliate links to make money off its visitors. At the far end of the scamming spectrum, they can use the good name and reputation of the original business to scam or trick users.

Since the invention of PageRank in 1996, Google has been relying in part on the transferability of trust to determine what makes a good website. A site that is linked to by a lot of high-trust websites can, generally, be trusted. Links from that page can, in turn, be used as a measure of trust as well. Massively simplified, it boils down to this: The more links from high-quality sites a page has, the more it is trusted, and the better it ranks in the search engines.
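To make the trust-transfer idea concrete, here is an added example (not from the article, and not Google's actual ranking system): a textbook power-iteration PageRank over a constructed seven-page graph, comparing a lapsed domain under its original owner, after a takeover that repoints its outbound links, and with its inherited inbound links ignored. The hostnames, the 0.85 damping factor and the scenario names are assumptions made for illustration.

```python
DAMPING = 0.85  # conventional textbook value; an assumption, not a figure from the article


def pagerank(links, damping=DAMPING, iterations=100):
    """links maps page -> list of pages it links to. Returns page -> score (scores sum to 1)."""
    pages = sorted(set(links) | {t for targets in links.values() for t in targets})
    n = len(pages)
    rank = {p: 1.0 / n for p in pages}
    for _ in range(iterations):
        # Score held by pages with no outbound links is spread evenly over all pages.
        dangling = sum(rank[p] for p in pages if not links.get(p))
        new = {p: (1 - damping) / n + damping * dangling / n for p in pages}
        for src, targets in links.items():
            if targets:
                share = damping * rank[src] / len(targets)
                for t in targets:
                    new[t] += share
        rank = new
    return rank


# Constructed sample graph: every hostname below is a placeholder.
TRUSTED = ["news.example", "gov.example", "university.example"]


def build_graph(charity_out, count_inherited_links=True):
    """charity.example is the lapsed domain; newshop.example is a brand-new domain
    with no inbound links; pills.example is where the new owner sends visitors."""
    links = {}
    for site in TRUSTED:
        peers = [t for t in TRUSTED if t != site]
        # The trusted sites' old links to the charity are the inherited signal.
        links[site] = peers + (["charity.example"] if count_inherited_links else [])
    links["blog.example"] = ["news.example"]
    links["charity.example"] = charity_out
    links["newshop.example"] = ["pills.example"]
    links["pills.example"] = []
    return links


def compare_scenarios():
    return {
        # Original owner: the charity links back into the trusted cluster.
        "original_owner": pagerank(build_graph(["gov.example"])),
        # Takeover: inbound links untouched, outbound links repointed.
        "after_takeover": pagerank(build_graph(["pills.example"])),
        # Inherited inbound links are no longer counted for the lapsed domain.
        "signals_dropped": pagerank(
            build_graph(["pills.example"], count_inherited_links=False)
        ),
    }


if __name__ == "__main__":
    for name, scores in compare_scenarios().items():
        print(name)
        for page in ("charity.example", "newshop.example", "pills.example"):
            print(f"  {page:20s} {scores[page]:.3f}")
```

The owner of a domain is not an input to the calculation: only the link structure is, so the score follows the domain name until the inbound links stop being counted.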

While bad actors can take advantage of this fact, it’s also just something that happens on the internet — sites move from one host to another all the time for perfectly legitimate reasons. As Google’s Search Liaison, Danny Sullivan, pointed out when I talked to him about expired domains last week, TechCrunch itself has had a few changes of owners over the years, from AOL, to Oath, to Verizon Media, to Yahoo, which itself was bought by Apollo Global Management last year. Every time that happens, there’s a chance that the new corporate overlords want to move stuff to new servers or new technology, which means that the IP addresses will change.

“If you were to purchase a site — even TechCrunch; I think it was AOL who bought you guys — the domain registry would have changed, but the site itself didn’t change the nature of what it was doing, the content that it was presenting or the way that it was operating. [Google] can understand if domain names change ownership,” Sullivan said, pointing out that it’s also possible for the content to change without the underlying architecture or network topology shifting. “The site could rebrand, but just because it rebranded itself doesn’t mean that the basic functions of what it was doing had changed.”

The buying and selling of expired domains

You don’t have to look far to find places to buy expired domains. Serp.Domains, Odys, Spamzilla and Juice Market are some of the most active in the business. (As a side note, I stuck a rel="nofollow" on all three of those links in the HTML of this article. They ain’t getting TechCrunch’s sweet, sweet link juice on my watch; as Google notes in its developer documentation: “Use the nofollow value when … you’d rather Google not associate your site with … the linked page.”)

A screenshot from Serp Domains, which lists around a hundred sites for sale, noting that “aged expired domains are not affected by the sandbox effect.” The company lists prices from $350 to $5,500, with original registration years ranging from 1998 to 2018. Image Credits: Serp Domains

“Get expired domains that have naturally gained (almost impossible to get) authoritative backlinks since they were actual businesses,” Odys advertises on its site, adding that they “are aged and out of the sandbox period by a mile, [and] already have organic, referral & direct, type-in traffic.”

These domains are listed for sale for anything from a few hundred bucks to thousands of dollars. Seeing the sites disappear from the “for sale” list and then pop up on the internet shows that some of these domains end up ethically dubious at best and scams at worst.

It’s pretty easy to determine why so-called “black hat SEO” folks are willing to go through all the trouble: Building a domain from scratch, filling it with high-quality content, waiting for people to link to it and doing everything by the book takes for-flippin’-ever. Finding a shortcut that shaves months, if not years, off the process and adds the ability to make a quick buck? There will always be people who are willing to go for that sort of thing.

“Google has named inbound links as one of their top three ranking factors,” explained Patrick Stox, a product adviser at Ahrefs. “Content is going to be the most important, but your relevant links will provide a strength metric for them.”

What the spammers are doing

The spammers buy a domain that was recently expired and use a search engine optimization (SEO) tool like Ahrefs to gauge how valuable the site is; it checks how many links are going to the site and how valuable those links are. A link from TechCrunch or the BBC or WhiteHouse.gov would be highly valuable, for example. A link from a random blog post on Medium.com is probably less so.

Once they’ve found and bought a domain, they’ll use something like the WayBack Machine to copy an old version of the site, stick it on a server somewhere, and — voila! — the site is back. Obviously, that’s both trademark and copyright infringement, but if you’re in the market of spamming or scamming, that’s probably the least of your crimes against human decency, never mind the letter of the law.

Over time — sometimes weeks, sometimes months — Google un-sandboxes the domain and is effectively tricked into accepting the domain as the original. Traffic will start picking up, and black-hat SEO wizards are ready for the next phase of their plan: selling stuff or tricking people. There are whole guides for what to do next in order to use these domains, including checking whether there are trademarks registered and redirecting either the full domain or specific pages on the domain using a so-called 301 redirect (“moved permanently”).

“When a site drops off the internet [Google is] just going to drop all the signals from the links. That typically happens anyway when a page expires. Where it’s more complicated is going to be whether any of those signals will come back for a new owner. I don’t think [Google has] ever really answered this in a very clear way,” Stox explained. “But if the same site with the same type of content — or very similar content — comes back, it is more than likely the links are going to start counting again. If you were a site about technology and now suddenly you’re a food blog, all of the previous stuff will likely be ignored.”

As with all things in SEO, however, not everything is cut and dried; it turns out that negative signals continue on expired domains, so it stands to reason that positive signals do, too.

“It’s interesting because sometimes penalties will still carry over, regardless of the content of the new site,” Stox said. “So certain things may still factor in. There’s a giant list of Google penalties — such as backlink spam, content spam, paid links, etc. They can carry on to the new site, and sometimes people will buy … an expired domain and put a new site up. Nothing is ranking, and on closer inspection, they’ll find a penalty set in inside Google Search Console.”

Sullivan reassured us that the search engine giant knows what’s going on and that it has a handle on things.

“It’s not just fair to say that all purchased sites are spam and that they, therefore, should be treated as spam,” said Sullivan, pointing out that the company’s robust spam filters are there to protect searchers. “When actual spam happens, we have a whole ton of spam-fighting systems we have in place. There are millions and millions, if not hundreds of millions of [pages and sites] that we’re constantly keeping out of the top search results. One metaphor I like to use for people to understand just how much work we do on spam is this: If you go into your email spam folder, you go, ‘Wow, I didn’t see all these emails.’ That is stuff that existed but didn’t show up because your system said, ‘No, this isn’t really relevant for you. This is spam.’ That’s what’s happening on search all the time. If we didn’t have robust spam filters in place, our search results would look like what you see in your spam folder. There’s so much spam and our systems are in place to catch it.”

There’s no doubt that Google does a lot to defend us from spam, and yet there’s a thriving industry for high-value expired domains that are available, whether for honest attempts at corner-cutting or more nefarious deeds.

A thriving industry

You don’t have to dig very deep to find examples of domains that, at first glance, look legitimate, but that have been sneakily shifted to another purpose. Here are a few I came across.

One example is the Paid Leave Project, which used to live on paidleaveproject.org, but moved its site to USpaidleave.org at some point. Unfortunately, someone at the org didn’t renew and/or redirect the old domain, and the site that used to work hard to ensure that workers in the U.S. can get paid family leave is now, well … helping families grow in different ways:

A screenshot of paidleaveproject.org, which now appears to be some sort of affiliate site for erectile dysfunction pills. Image Credits: paidleaveproject.org

Another tragic story is Genome Mag, which ran from 2013 to 2016, expired, and then came back online as a different magazine that the original owner doesn’t have control over.

Genome Magazine was a print and digital magazine. Its web domain expired and was acquired. The folks who now control the domain allegedly copied the old content. Image Credits: Sam Solomon

“Genome Magazine was a print and digital offering. When the magazine closed in 2018, the previous owner retained ownership of the trademarks, content, archive, etc. At the end of last year, we had the opportunity to buy the content back,” explained Sam Solomon, the creative director at Genome. “We went ahead with that, not realizing that sometime between 2018 and last year, the domain had expired, [been purchased], and the entire content archive of our content was put back up. They cloned the entire site and moved it to a new host. We didn’t know — for all intents and purposes, the content appeared the same; it seemed exactly as when we left it. We have spent months trying to regain control of the domain, unsuccessfully. It is hosted on Epik.”

Epik is a web host that is known for being a little laissez-faire about the pages it hosts, to describe it kindly. If we are less kind, we’d note that Epik hosts troves of neo-Nazi and white supremacist content, with a particularly outspoken CEO and a set of tools designed specifically for “backorder domains” — Epik’s term for snagging a domain as it expires.

“For us, the first step was to file a DMCA complaint with the host,” said Solomon, referring to the process of filing a copyright complaint with a web host. For most professional hosting companies, these are processed in three to five days. “We have not had any response … even after providing what they asked; all the legal paperwork and all that sort of thing. The next step is probably to go the legal course. My understanding is that a DMCA notice should be taken fairly seriously. Especially when it could be hundreds of instances of copyright infringement. Yeah. So hopefully there’s a resolution. I just don’t quite know what that is.”

When the site popped back up, it included a few hundred pages of the original content, which the team said was insulting enough. Worse, the content was now monetized with advertisements that the original Genome team is rather uncomfortable with.

“We built this beautiful media company with award-winning content and a great magazine. We invested a lot … a website that resonated with folks, and we had a quarterly magazine, so we also put a lot of original content on the site. The site was ranking really high on Google,” explained Susan McClure, founder and publisher of Genome Magazine. “The content was still there. And then we discovered these ads on there that we never would have allowed. When I visited our site recently to revisit a story we had published about privacy protections around our DNA and the identifiable information contained within it, I was shocked to see ads about infidelity and toenail fungus.”

The advertisements now on the Genome Magazine website are a little out of place on a site about genomics, and embarrassing to the authors of the articles; their names remain attached to articles that were allegedly copied without permission and slathered in uncouth advertising. Image Credits: Genome Magazine

The new owners of the Genome domain did not respond to multiple attempts to contact them for an interview.

Genome’s story is unfortunate. Letting a domain expire is, ultimately, the responsibility of whoever is in charge of renewing the domains. It is having a profound effect on Genome as a business (and, of course, the alleged copyright and trademark infringement is problematic), but in a broader sense, it’s a challenge for Google. If sites are ranking well on the reputation of the old owners, it can erode the trust people have in Google as a search engine.

I asked the team at Ahrefs to share the data they have about TechCrunch, to get an idea of the type of information that is available. There are dozens of screens and filters. Interestingly, Ahrefs doesn’t have software installed on TechCrunch’s servers, so everything you see here is coming via their own data sources. Among other things, Ahrefs estimates that TechCrunch is the 319th most visited site in the world and has half a billion inbound links from more than 1.1 million different domains. Image Credits: Ahrefs

If Genome and the Paid Leave Project were the only issues here, it would be concerning, but isolated. However, there are hundreds of examples of sites that Ahrefs data suggests are ranking well and serving advertisements. Here’s a small selection:

  • The shuttered Farr Institute, which used to be a nonprofit run by the University of Edinburgh, was replaced with a site that sells hair growth treatments and growth hormones.
  • Choices in Childbirth outlined the options expecting moms have for their birthing experience. It lapsed at some point, and even today it passes a quick-glance inspection, but one scroll down leads to links about dubious health supplements.
  • Maine Quality Counts (mainequalitycounts.org) was a real project back in the day before it was acquired. It seems that the old site expired at some point and the new owners changed the name to Maine Equality Counts — MEC. Clever! On cursory inspection, the site looks legit, but now it is used to review telemedicine and health care plans, and the “doctors” writing for the site are either not real or all moonlighting as stock photography models.
  • Cambridge Wellbeing (cambridgewellbeing.org) was once a site helping build a hub within Cambridge University for the scientific study of well-being. Now it does sketchy reviews of nootropics, ADHD drugs and, you guessed it, erectile dysfunction drugs.
  • Rare Readmissions (rarereadmissions.org) used to be a nonprofit that tried to help hospitals reduce readmittance rates. When I started work on this article in January 2022, the site reviewed erectile dysfunction pills. Today, it redirects to Unified Pharma.
  • Decipher Impact (decipher-impact.com) used to be a site that campaigned for people to stop smoking. The org changed its name to Evidence to Impact and the old domain lapsed, with a spammer jumping into the breach to take over.
  • SeaRanchLodge.com is the only example I could find that goes about things in a more ethical way; it writes that the Sea Ranch Lodge was closed in 2019, and then goes on to review cookware and uses affiliate links to make money. It’s an example of one of the few “legitimate” ways of doing this — the operation takes advantage of the domain authority the site had in its previous life, but also helps customers who might be looking for the Sea Ranch Lodge by telling them it’s no longer open.

MEC has three doctors listed, but none of them have LinkedIn profiles — pretty unusual for serious medical professionals. In addition, they all were models for stock photography at some point. Say hello to Verona, Ray and Ramon, on Alamy, Shutterstock and Adobe Stock, respectively. Image Credits: MEC

Why this is such a problem

I can’t help but feel that it’s particularly unfortunate that the above activities are possible — and that the sites are relying on search engines and direct-link traffic from unsuspecting site visitors. Meanwhile, Google continues the fight against the myriad ways that people are trying to trick the search engine into sending traffic their way.

“Over the course of the year, we do about 5,000 updates to how search operates. On any given day, we could have one, two, or more that are happening. And some of those may improve the ways that we try to better catch spam. But we also have some really major [changes],” Sullivan explained, pointing out that the search engine long ago made a significant change to how it treats expired domains.

“If someone brings back a site that operates and looks just like [it] did before, hopefully our systems are still going to work well enough that we’re not going to be showing new content or content that isn’t as good as it can be,” Sullivan said. “One challenge you might have is if the site was there before and had really good content, it might still be helpful content. If they create a new page on the site about something completely different, that new page still has to work on its own. Our systems are designed on a page-by-page kind of basis. Just because you create this new page and put it up on some new site, it’s a new page, and it’s got a new URL we have to understand it on its own merits.”

In addition to the power of its brand, trust is the only thing Google has. When you do a Google search — it’s a verb, for goodness’ sake — you expect the company to return the best and most relevant results. PageRank only works if the “link juice” that is being passed from one site to the next is real.

It’s unknown — and probably unknowable — how many expired sites are out there. But I find it pretty incredible that Google isn’t cracking down harder. There are hundreds of “expired” sites being sold for thousands of dollars at any given time, so it’s clear the black-hat SEO folks know something that Google doesn’t.

“[Short-term strategies are] referred to as churn-and-burn. That used to be a common thing, but you would hear more of this toward the earlier days of search engines. Doing all that is a lot of work; you can invest all that time, then do it again and do it again and do it again, or you can do it right from the beginning and not have to keep doing it,” Sullivan said. “Users want to find good content — that’s why we publish our advice and say, ‘These are the things to do if someone has got legitimate ideas and has a business they want to get started with and they want to be successful.’ I would be concerned that they might look at something like this and think, ‘Oh, I guess I should do that,’ without realizing that this is not the long-term path that they should be following.”

It may well be that expired domains aren’t a legitimate method for building a long-term business, but Sullivan is onto something here. The folks who do this type of black-hat SEO simply don’t care. Sure, perhaps this only works in the short term, but when the spammers are raking in the cash, maybe that’s all they need.

“I’ve been doing this for many years, and Google never grows wise to it,” said Jeremy, a black-hat SEO expert who spoke to me at length for this article and asked to withhold his last name to secure anonymity. “It would be so easy for Google to look at the domains that are for sale and then blacklist them. Somehow, they never do, and so my business continues as it has done.”

The cat-and-mouse game between Google and those seeking to manipulate the search results continues apace. If you come across a site that appears to be spam, there’s a page you can use to report it. “Hopefully, you’ll find it if you search for ‘report spam to Google,’” Sullivan noted drily.