Menu

Technology

EXCLUSIVE: Online reputation manager hacked websites to 'inject' illegal code

online reputation mgmt on Google.JPG

Worried about your online reputation? Watch out: The fix could be worse than the problem.

Online reputation management (ORM) has become a burgeoning business as individuals and companies alike seek ways to hide negative or damaging statements about them from the Web.

But let the buyer beware: The company that helps protect your reputation may have its own reputation issues.

Consider the case of Darren Meade, who in 2010 was working as interim CEO at a California-based company. In an effort to address a number of negative comments (about both himself and his company) posted online, his company hired Rexxfield, an ORM, also based in California.

But Meade said he became increasingly concerned about the relationship with Rexxfield when he discovered the company wanted to sell illegal hacker code to scrub negative comments from the web -- and planned a marketing campaign of fear based on the threat that it can wipe anyone offline.

“They called it Googlecide,” Meade, now an entrepreneur, told FoxNews.com.

ORM companies normally monitor search results from engines like Google or Bing and try to “push” down negative pages about their clients, so they’re seen by fewer people. Common techniques are heavy promotion of positive content or formal requests that websites take down negative or libelous content.

But Meade said Rexxfield owner and operator Michael Roberts was preparing to purchase a coding hack he called “injection source code” that lets the user manipulate the metadata behind a website, adding a “noindex" tag that drops the results on search engines like Google and Bing -- hiding them completely.

Meade said Roberts showed him the code injector’s effectiveness by hacking into Ripoff Report, a complaint board site.

“He told me, ‘watch what happens’ -- and sure enough, the results dropped,” Meade told FoxNews.com. “They were able to edit out anyone.”

Roberts has denied those charges, and told FoxNews.com he merely took notes when someone tried to sell the illegal code to him on a conference call. He insisted he never planned to buy it.

“He is lying,” Roberts said of Meade.

In an audiotape obtained by FoxNews.com of a meeting that included Roberts, Meade and others, those present are heard discussing a public relations fear campaign that would help them sell their services to worried parents.

“I would love to run an underground campaign that says, ‘Google is trying to destroy your reputation,’” an executive on the call is heard saying. “I like the idea of, ‘the more popular you are, the more dangerous it is,’ and giving people the scare tactic of, ‘the more exposure you have … the faster it is for your enemies to attack you.’”

“I think there’s a whole other campaign where we can break the parents,” the executive continued. “Send them a picture of their kid with a gun in his mouth -- Google did it. ‘Little Johnny is going to commit Google-cide. Can you stop it?’”

Roberts, Rexxfield’s owner, responded with this statement to FoxNews.com on Friday afternoon: "We categorically deny the assertions by the article's author regarding the use of illegal and/or unethical means in combating attacks against the reputation of our clients."

Whatever the marketing techniques involved, the use of “injection source code” to promote such techniques is patently illegal, said Ira Victor, a forensics expert with Nevada-based Data Clone Labs, referring to the Computer Fraud and Abuse Act (18 USC 1030).

“You cannot use this technique without breaking the law,” Victor told FoxNews.com. “It most certainly raises the level of computer fraud and abuse.”

“To add the ‘noindex’ tag,” he said, “you would need to break into a website ... but if they can break into a server, what’s to stop them from just deleting all the data?”

Many sites, like Ripoff Report, lack the proper security methods to prevent the “injection source code” technique, Victor said.

“There are a tremendous amount of websites that are on the Internet with a tremendous amount of vulnerabilities,” he said. “It can be as simple as changing around a few letters in the URL.”

And that, says Jason Stern, a New York-based attorney who specializes in Internet issues, is against the law.

"You can't inject code into anyone's system without their knowledge," Stern said. "It constitutes trespassing. If you leave your car unlocked, it doesn't mean I can take your car. The law is the same for a website, even if there is weak security."

A statute in California penal law, he said, further states that no one is allowed to transmit, destroy or alter another person's website without their knowledge.

Sources told Foxnews.com the case caught the attention of the attorney general’s office in Arizona, where RipoffReport is based. A spokesman at the attorney general’s office told FoxNews.com it could not comment on whether or not there is an ongoing investigation.

Roberts, Meade and others have also said the code injector can be used to access the metadata on sites like Blogger, Yahoo, Bing and even Google.

Sources at Google told FoxNews.com that developers at the site have not encountered any issues from such hacks. The search giant takes a strong stance against online reputation management in general.

"While there is nothing in our guidelines that explicitly forbids reputation management, if we uncover link schemes or other violations, we reserve the right to take action in response," a Google spokeswoman told FoxNews.com.