SEO poisoning, also known as search poisoning, is a method used by cybercriminals to manipulate search engine results in order to spread malware or gather sensitive information from unsuspecting users. This malicious technique involves creating fake websites and using search engine optimization (SEO) techniques to make them appear prominently in search results, often as ads at the top.
The main objective of SEO poisoning is to trick users into downloading malware onto their systems. For example, users might click on a link that appears to be a legitimate download page for a familiar app. However, when they visit the website, they are prompted to download a malicious file instead of the actual application. Once the malware is installed, it can record keystrokes, take control of the user’s computer, or spread to other devices on the network, putting the user and their company at risk of ransomware attacks, compromised data, and other cyber threats.
Another goal of SEO poisoning is to collect sensitive information from users, such as credit card numbers, login credentials, or personally identifiable information (PII). Cybercriminals can create websites that mimic popular online stores or other legitimate platforms, prompting users to enter their personal information. This information is then sold to the highest bidder on the dark web.
Not all malicious websites created for SEO poisoning attempt to replicate credible sites. Some sites are designed solely to host content that is likely to be searched for by a large number of people. These websites may include phrases related to news items, viral videos, or popular trends. The content on these websites might be irrelevant or stolen from valid sites. The sole purpose of these websites is to infect visitors with malware or fraudulently access their sensitive information.
An example of SEO poisoning is the SolarMarker malware, which was distributed through fake SEO-focused topics in Google Groups. Discovered in late 2020, this malware was embedded in websites that appeared at the top of Google search results due to the threat actors’ SEO poisoning techniques. The malware aimed to trick victims into downloading a fake Windows installer, which actually ran a PowerShell script to infect their systems.
The prevalence of SEO poisoning attacks has been rising over the past few years. Security firm SentinelOne reported an increase in attacks in 2023, with threat actors targeting popular downloads associated with organizations that lack extensive internal brand protection resources. One example highlighted by the company was an ongoing SEO poisoning campaign associated with the Blender 3D graphics app. The attackers used SEO poisoning to manipulate search results and promote malicious websites through rogue ads.
GootLoader is another threat that has used SEO poisoning, spreading through fraudulent websites. In February 2023, Cybereason issued an alert about this malware, which relied on JavaScript to infect users’ systems when they visited the malicious websites through search engine ads or direct links.
SEO poisoning has also been a growing concern in the healthcare industry. BlackBerry’s “Global Threat Intelligence Report” published in April 2023 highlighted an increase in SEO poisoning attacks, particularly targeting healthcare organizations. The report predicted that SEO poisoning would continue to grow in prevalence.
In June 2023, the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS) issued an analyst note warning about the rising use of SEO poisoning against the healthcare and public health sector. The note mentioned the use of unethical SEO techniques, such as cloaking, keyword stuffing, search ranking manipulation, and private link networks. These tactics are combined with typosquatting, which involves setting up domains with names similar to common misspellings of popular websites to redirect users to malicious sites.
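A defender can screen download links against typosquatting of the kind described above before users reach them, for example in a web proxy or mail gateway. The following is an added example, not code from HC3 or any vendor named in this article; the allowlist, the function names and the sample URLs are constructed, and the two-label domain extraction is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: vendor domains the organization really downloads from.
TRUSTED = ("blender.org", "mozilla.org", "python.org")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def registrable(host: str) -> str:
    """Assumption: last two labels; a real deployment needs a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url: str, trusted=TRUSTED, max_dist: int = 2):
    """Return (verdict, matched_trusted_domain) for a search-result or ad URL."""
    host = (urlsplit(url).hostname or "").lower()
    dom = registrable(host)
    if dom in trusted:
        return ("trusted", dom)
    for t in trusted:
        # Near miss of a trusted name: typo, swapped letters, extra character.
        if osa_distance(dom, t) <= max_dist:
            return ("lookalike", t)
        # Trusted name used as a subdomain prefix of an unrelated domain.
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for u in ("https://www.blender.org/download/",
              "https://belnder.org/download/",
              "https://blender.org.downloads.example/get",
              "https://example.com/"):
        print(u, classify(u))
```

A "lookalike" verdict is a reason to block or warn; "unknown" only means the domain is neither trusted nor close to a trusted name.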
To protect themselves from SEO poisoning attacks, users are advised to keep their browsers and antivirus software up to date, avoid clicking on suspicious links, and only provide personal information on secure and valid websites. It is important to stay cautious and vigilant while browsing the internet to avoid falling victim to these malicious techniques.
