Google and other search engines keep information flowing through the internet, returning billions of search results every day. Everyone uses search engines for work, research, and entertainment, creating a fertile hunting ground for cybercriminals.
SEO Poisoning is a growing trend that business owners need to be aware of. In addition to email phishing, cybercriminals can spread malware by luring unsuspecting web surfers to bogus websites that harbour malicious code. This article discusses how criminals use SEO Poisoning to drive traffic to their malicious sites and what you can do to protect yourself.
What Is SEO Poisoning?
SEO poisoning, also known as search engine poisoning or search poisoning, is an attack method that involves cybercriminals creating malicious websites and using several SEO tactics to make them rank highly in search results.
These ‘fake’ websites appear legitimate and often are near copies of existing sites and rank for search terms that significant numbers of people are looking for, such as phrases related to holidays, current events, breaking news, and viral videos.
How SEO Poisoning Works
As part of the SEO poisoning campaign, cybercriminals create multiple websites that contain content associated with hugely popular or trending topics. For example, in the weeks leading up to the festive holiday season, these attackers launch sites containing free templates for printable Christmas cards and recipes, plus gift ideas.
Malicious sites can make it to page #1 of the search results using some or all of the following four methods.
- Whitehat SEO tactics of writing original on-topic long content that readers (and search engines) will be attracted to.
- Blackhat SEO tactics include keyword stuffing, purchasing backlinks, cloaking, link schemes, and article spinning.
- Performing a ‘negative SEO’ attack on all legitimate sites currently ranking above them in an attempt to have those sites fall in the rankings.
- Pay the search engine company to display the malicious website on page #1.
These imposter websites have one sole purpose, to infect visitors with malware as the start of a ransomware attack or to gain access to sensitive information or bank details for data theft.
Another method is ‘scareware’, whereby the website visitor receives a warning message that their computer is infected with a virus. They receive a prompt to download an online antivirus app which is, of course, malware.
Why SEO Poisoning Works
Search engine security protocols recognise these malicious sites reasonably quickly. However, hackers simply move on to the next trending news story and generate a new site ready for further attacks. They employ automated systems that keep an eye on popular search terms. Armed with that information, they can manipulate Google search engine rankings to place their malicious site high within the search results.
How to Spot SEO Poisoning
Your staff should be trained to understand that they are likely to encounter an SEO poisoning attack when searching for a trending topic or current event, receiving plenty of news coverage.
If unfamiliar with a website, staff should approach it with caution. Any sites you encounter with pop-ups are a red flag, and avoid any websites with too many pop-ups or java because that is characteristic of a compromised site.
Furthermore, poisoned sites often redirect users to “scareware portals,” where visitors are bombarded with fake virus alerts that prompt them to install a malicious code impersonating an antivirus program. Your staff should be trained to recognise potentially unsafe sites and flag them to your IT department.
How Can SEO Poisoning Affect My Business?
SEO poisoning affects businesses in four potentially devastating ways.
1. Data Theft
A successful SEO poisoning attack can mean that dangerous malware is installed on one computer on your corporate network. From there, an attacker can gain access to that user’s login credentials and proprietary information. They may even be able to gain access to your network, compromising sensitive client information and other data.
2. Ransomware
It only takes one staff member to visit a malicious site and be infected with malware to instigate a full-blown ransomware attack. Ransomware has become the preferred method for cybercriminals to extort money from businesses. They do this by encrypting all business data and holding your company to ransom for its safe return.
3. SEO De-ranking
The third way SEO poisoning impacts your business is by lowering your official company website’s rankings in the major search engines. As these malicious sites rise in SERP, your rankings may fall, losing potential customers.
4. Poisonous Backlinks
To gain authority, these malicious sites may link to your company website. With multiple suspicious backlinks to your site, search engines will become suspicious, red flag and possibly penalise you by lowering your rankings or, worse, de-indexing your site altogether.
If your trained staff and IT team are aware of the signs of SEO poisoning, they can identify a problem as soon as it arises, thus minimising the damage to your business and reputation. For example, you may notice that your company’s search engine rankings are dropping, especially for keywords that should perform well.
Defending Against SEO Poisoning
Prevention is often better than cure. Here are some best practices that Securus Communications recommends for defending against SEO poisoning attacks.
1. Staff Security Awareness
To protect yourself and your employees from search poisoning attacks, be sure to keep the antivirus software on BYOD and office devices up to date. However, teaching staff how to avoid clicking any suspicious-looking links in the first place is best practice. Also, they must understand to never provide personal information if they are unsure about a site.
Be sure your employees know the dangers of visiting an unknown website. They should pay attention to the URL in search engine results and avoid any that seem suspicious.
Also, ensuring each employee has access to IT security training will significantly reduce the chances that your business will succumb to malware, ransomware, or data theft.
2. Web Safety, Anti-Malware & Anti-Virus
Ensure your IT teams maintain current end-user security solutions that filter malicious websites from a central point. One way to do this is to route all users through a secure web proxy. Using the latest anti-malware and antivirus services on email servers and user machines will also reduce your risk.
3. Website Security
Your IT teams should be sure your company website is free of web vulnerabilities. Applying the latest WordPress updates is a great start, plus installing firewall protection, anti-spam detection, and ensuring all plugins are updated is best practice. Securus Communications can help you make it harder for hackers to compromise your website.
While some attacks redirect visitors from your website to a malicious one, another risk involves the hackers inserting irrelevant meta tags and keywords into your site’s pages.
This gives the impression that your company engages in unethical blackhat SEO practices. As mentioned previously, that could prompt Google and other search engines to impose penalties. In the process, they downgrade your search page ranking and lower your search engine optimisation.
4. Report Unusual SEO Results
If you notice that a malicious site is attempting to compromise your SEO position, report it to the search engine to have the result removed. For example, you can raise a DMCA with Google so they can look into the site in question. Are you having trouble with a negative SEO attack? Securus can help.
SEO Poisoning in the News
A recent article from Hacker News brings to light a new SEO poisoning campaign that distributes Trojanized malware versions of popular software. Internet users visit what they believe are legitimate, well-known websites but are tricked into downloading BATLOADER malware.
The hackers use keywords like “free app installation” for productivity and software development apps. These keywords lure victims to a compromised site, where they may download malicious malware. Most of these victims are searching for specific apps like Visual Studio, TeamViewer, and Zoom or comparable free alternatives.
The installer may contain the legitimate software, but BATLOADER is bundled with it. The malware enters the user’s computer and proceeds to download next-stage executables that trigger a complex infection chain.
One of these executables is an altered version of a Microsoft Windows Component loaded with malicious VBScript. The result is that the VBScript code executes and triggers the next attack phase. Next, additional payloads like Cobalt Strike Beacon, Atera Agent, and Ursnif are delivered to perform remote reconnaissance and harvest credentials.
Conclusion
Due to our over-familiarity with search engines, most users don’t hesitate to click on search results for any given query. Thanks to SEO poisoning, we must all remain vigilant to potential threats whether we are browsing for personal or professional use.
Cybercriminals have figured out how to manipulate SEO tactics to serve their agendas, finding ways to push legitimate websites lower in the rankings and place themselves at the top.
When users click on an internal link or download some free software, they invite dangerous malware into your network. Companies need to be aware to protect their systems from attack and protect their company websites from becoming one of the sites damaged by imposters.
As always, proper anti-malware, antivirus, and web browsing protection go a long way to preventing an SEO poisoning attack, as does educating both yourself and your employees about the dangers of a search poisoning attack.
From anti-malware, anti-phishing, SEO poisoning, and 2FA to SASE and cloud-based air-gap immutable backup storage, Securus has a security solution to suit your requirement and budget. If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.
Further Technology Articles
How Machine Learning can Enhance your Cybersecurity
Five Ways to Bring your Security Posture up to Speed
What you can do to lock down your weak links
