Imagine opening your morning Google Search Console report for your corporate portal and seeing a surge in impressions for queries like "Casibom güncel giriş," "Slot oyna," or similar Turkish gambling terms. Since your organization has nothing to do with online casinos, your first reaction might be to dismiss it as an analytics error. However, the reality is much harsher: your web resource has been compromised.
According to the ENISA Threat Landscape 2025 report, approximately 27.7% of analyzed data breaches and security incidents involve digital infrastructure and services. Attackers increasingly exploit corporate website vulnerabilities not for direct database theft, but for SEO spam, leveraging the trust associated with your domain. The appearance of such queries is a critical marker of an incident that requires immediate technological response, rather than simply deleting pages.
Anatomy of an attack: how casino SEO spam infects a resource
Google Search Central clearly classifies such content as hacked. The attackers' goal is to use the accumulated authority of a corporate domain to quickly rank spam pages in search results. The attack is typically implemented through two main techniques:
- Code injection: modification of existing server files or databases to add hidden links, text, or redirect scripts.
- Page injection: creation of new, unauthorized spam pages on the compromised site, which are often generated dynamically or uploaded to the server in bulk.
Why administrators see nothing: masking and cloaking
The main danger is that the attack can go unnoticed by the internal IT team for months. If a system administrator or client visits the site via a standard browser, they see the regular corporate content. This effect is achieved through cloaking technology.
Attackers configure the server to hide spam content from humans (by analyzing the browser's User-Agent) while displaying it to the Googlebot search crawler. Another common variant is conditional redirection, where a user arriving at your site from search results is silently redirected to a third-party gambling resource, while a direct visit to the domain displays the legitimate company page.
Diagnostics: initial symptoms of compromise in Search Console
It is important to understand that Google Search Console is not an Intrusion Detection System (IDS) or an antivirus, yet it is often the first to highlight the problem. Three key symptoms of a hack:
- Abnormal spike in impressions: a sudden appearance of thousands of impressions for gambling queries in the performance report.
- Rapid growth of indexed pages: the appearance of unknown directories or parameters in indexing reports.
- Security issues notifications: official warnings from Google about detected hacked content on the domain.
Step-by-step incident response algorithm
Mechanically deleting spam pages will not solve the problem: if the vulnerability or backdoor is not eliminated, the spam will return. The localization process must be comprehensive:
| Step | Action | Methods and tools |
|---|---|---|
| 1. Isolation and backup | Creating a full copy of the file system and database for evidence preservation and analysis. | Temporarily switching the site to maintenance mode. |
| 2. Googlebot simulation | Checking suspicious URLs to confirm cloaking. | URL Inspection tool in Search Console or the curl utility with User-Agent spoofing. |
| 3. Search and cleanup | Scanning the file system for third-party scripts and injections. | Checking server configurations, .htaccess or nginx.conf files, and the CMS core. |
| 4. Index cleanup | Removing malicious URLs from search results and uploading a new sitemap.xml. | Removals tool in Google Search Console. |
| 5. Closing vulnerabilities | Eliminating the root cause of the security incident. | Updating software, changing all passwords (FTP, database, SSH), and implementing a WAF. |
Preventive protection of web infrastructure
Traditional mass-market web platforms often become targets due to a large number of vulnerable plugins. To build secure corporate portals, internal cabinets, and registries, it is advisable to transition to specialized enterprise solutions with a built-in security model.
One example of such a technological foundation is the full-stack JavaScript low-code / model-driven platform UnityBase, which is a joint development of the companies within the Intecracy Group alliance (where InBase is the key developer). For systems with high security requirements or high-load environments, the Enterprise or Defence editions are officially recommended.
UnityBase reduces the risks of unauthorized injections through a security-oriented architecture:
- Domain metadata automatically generates REST API and strictly controls access at the ORM level.
- Built-in role-based access control (RBAC) and row-level security (RLS).
- Detailed audit trail of all data changes and user actions.
- Ability to deploy on-premises for complete isolation of the infrastructure from external threats.
The Softengi team, part of the Intecracy Group alliance, provides deep expertise in secure software development. Specialists assist companies in conducting security audits of web applications, building robust incident response processes, and migrating critical portals to the resilient UnityBase architecture, preventing successful SEO spam attacks in the future.
FAQ
Why did Casibom queries appear in Google Search Console if our site does not have such content?
This is a sign of compromise (SEO spam). Attackers have used code injection or page injection, and through cloaking technology, this content is shown only to search crawlers while remaining invisible to regular visitors and site administrators.
How can I check the site for hidden redirects or cloaking?
Use the URL Inspection tool in Google Search Console or check the server response via the terminal using the curl utility, specifying the 'Googlebot' User-Agent. This will allow you to see the page code exactly as the search engine sees it.
How can I quickly remove thousands of spam pages from the Google index after a site hack?
After fully cleaning the server and closing vulnerabilities, use the Removals tool in Google Search Console. Then, generate and upload a clean sitemap.xml file, and for the deleted pages, configure a correct 404 (Not Found) or 410 (Gone) server response.