What is SEO Poisoning (AKA Google Hijacking)?

Cyber-criminals are constantly coming up with new social engineering tactics to exploit human victims and technical approaches to exploit computer systems. In many cases, cyber-attacks utilize both. Although a cyber-attack may exploit known or zero-day vulnerabilities in an organization's public-facing attack surface to gain initial access, the required step of gaining an initial foothold on a target network can also be achieved by tricking a victim into infecting themselves. Therefore, attackers have come up with a wide array of methods for doing just that - getting potential victims to execute files on the attacker's behalf.

One creative method employed by attackers is SEO poisoning. In 2023, threat researchers have reported a significant increase in SEO poisoning attacks [1][2]. Let's investigate this emerging initial access tactic and review its various forms.

The Definition of SEO Poisoning (AKA Google Hijacking)

Many people who work in tech and internet-related businesses know what Search Engine Optimization (SEO) is. SEO is the practice of configuring your business's website to gain a high rank in Google and other search engines in order to appear near the top of a search query for a particular topic. SEO poisoning (aka Google Hijacking) is a tactic used by cyber-criminals to leverage high search engine rankings to direct users to malicious or fraudulent websites, allowing them to directly distribute malware such as Trojanized apps and documents or conduct phishing attacks to harvest credentials. SEO poisoning also threatens to tarnish a brand's reputation, as attackers seek to leverage spoofed legitimate and popular brands for impact.

Many major threat actors have used SEO hijacking to distribute malware or conduct other malicious activities, including the ransomware gang REvil, EITest, and the longstanding and notorious TA505.

How do threat actors leverage SEO poisoning in cyber-attacks? 

  • Link Farms: Attackers create a network of websites that link to the malicious website in order to increase its search engine ranking. Attackers may place these links on various other websites, such as pirate video streaming sites, as "pop-ups" that force visitors to the site, so that those visitors unknowingly boost its search engine rank.

  • Malicious Google Ads: Attackers create ads that appear at the top of search engine results and lead users to malicious websites. Rogue ads are often designed to look like legitimate ads, making them difficult for users to distinguish from real ones. This increases traffic to the malicious site and boosts its search profile.

  • Hacking Existing Websites: Attackers can leverage a popular site's existing SEO success by compromising a website and modifying its links and content to deliver malware, attempt browser exploitation attacks, and try to phish credentials out of the website's visitors.

  • Keyword Stuffing: Attackers insert a large number of keywords or phrases into the content of a website in order to increase its relevance for a particular search query. If a particular keyword is trending but there isn't much existing content on the Internet, this can easily give their malicious page a dominant search position and allow them to phish and entice visitors with embedded ads and malicious files and links.

  • Cloaking: Attackers use different versions of a website for search engine crawlers and users. The version for search engine crawlers contains different content or links than the version for users, which can manipulate search engine rankings. Google may think this site delivers great content about baking chocolate chip cookies, but it may socially engineer visitors into believing their computer has been hacked and offer them malicious tools to scan it.

  • Black Hat SEO: Attackers use unethical search engine optimization techniques, such as link buying or spamming, to increase the search engine ranking of a malicious website. Unethical SEO generation groups will use botnets of infected computers and their own server farms to access a website and falsely make it appear to be popular.
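
A site owner can check for the cloaking behaviour described above by comparing what the same URL returns to a crawler and to an ordinary browser. The following is an added example, not code from the original article: the function names, the 0.5 threshold and the sample pages are assumptions, and fetching the two views (for instance with a crawler and a browser User-Agent) is left to the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageSummary(HTMLParser):
    """Visible words and absolute link hosts of one HTML document."""

    def __init__(self, html):
        super().__init__()
        self.words, self.hosts, self._skip = set(), set(), 0
        self.feed(html)
        self.close()  # flush any text still buffered by the parser

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # text inside these tags is not visible
        href = dict(attrs).get("href") if tag == "a" else None
        host = urlparse(href).hostname if href else None
        if host:
            self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(re.findall(r"[a-z]{3,}", data.lower()))


def cloaking_report(crawler_html, browser_html, threshold=0.5):
    """Compare two views of one URL; low word overlap suggests cloaking."""
    bot, user = PageSummary(crawler_html), PageSummary(browser_html)
    union = bot.words | user.words
    similarity = len(bot.words & user.words) / len(union) if union else 1.0
    return {"similarity": round(similarity, 2),
            "browser_only_hosts": sorted(user.hosts - bot.hosts),
            "suspected_cloaking": similarity < threshold}


# Constructed samples: one URL as served to a crawler and to a browser.
CRAWLER_VIEW = ("<h1>Chocolate chip cookie recipe</h1><p>Cream the butter and "
                "sugar, then fold in the chips.</p><a href='/recipes'>More</a>")
BROWSER_VIEW = ("<h1>Warning: your computer has been hacked</h1><p>Download "
                "the scanner now.</p><a href='https://scanner.example/get'>Scan</a>")

if __name__ == "__main__":
    print(cloaking_report(CRAWLER_VIEW, BROWSER_VIEW))
```

Cloaking can also key on source IP address or referrer rather than User-Agent, so a clean result from this comparison is one signal, not proof that a page is unmodified.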

Defending Against SEO Poisoning Attacks

To avoid SEO poisoning attacks, organizations can take a few defensive approaches. Here are some tactics for mitigating the risk of SEO attacks:

  • Keeping cybersecurity products up to date: Advanced cybersecurity products such as anti-virus, anti-spam, and EDR/XDR can block known malicious sites and content using the latest threat intelligence. It's critical to keep them updated so they can scan for the most recent threats in real time. These advanced security products can detect malicious sites as the user browses the Internet, and can be configured both to notify on or block sites that are on known blacklists and to warn that a site's content seems suspicious.

  • User awareness training: An organization's staff are part of its cybersecurity frontline. It's important that staff are made aware of the risks that a malicious website can pose. For example, most organizations want their employees to find new ways to be productive, but staff should also be aware that attackers will take advantage of this keen interest and try to deliver malware in products that seem to be beneficial. It's also essential that all staff who use the internet know the fundamentals of how to identify a domain's origin in order to distinguish between a spoofed and legitimate version of a website or email.

  • Keeping browsers up to date: Keeping web browsers and other software up to date can help prevent attackers from exploiting vulnerabilities in the browser. This will help mitigate the chances of a malicious website being able to compromise your browser and gain an initial foothold on your computer if you happen to click on an SEO-poisoning link.

Conclusion

In 2023, SEO poisoning attacks are on the rise. This attack tactic involves manipulating search engine results to direct users to malicious or fraudulent websites, allowing attackers to distribute malware or conduct phishing attacks.

Threat actors use a wide array of tactics to execute SEO poisoning attacks, and organizations must take precautions both to reduce the chances of visiting these malicious web destinations and to prepare their endpoints by keeping cybersecurity products up to date, providing user awareness training, and keeping web browsers and other software up to date.
