SEO poisoning

While email attachments remain the most common vector threat actors use to compromise target computers, a technique known as SEO poisoning is becoming an increasingly popular way of reaching victims.

What is SEO?

SEO stands for “search engine optimization.” In its most basic form, it is how you create and populate a website so that it appears on the first page or so of search engine results. More visibility provides an edge for businesses, which is why SEO is a multi-billion dollar industry with countless methodologies. 

Threat actors often use two of the more basic SEO techniques: keyword stuffing and cloaking.

Keyword Stuffing

One of the primary things search engines collect when analyzing a website is the set of keywords that appear in the text published on that site.

When Google finds a site that includes the phrase “Pizza in Venice Beach, CA,” it will be more likely to display that site before one that just says “Venice Beach” or “Pizza” when someone looks online for pizza in that area. Keyword stuffing takes this practice to the extreme. A keyword-stuffing page will be loaded with search terms. But while most search engines penalize web pages for keyword stuffing, the practice can boost website traffic temporarily, which is all a scammer needs.

By loading a page with likely time-specific search terms, e.g., “how can I stream the World Series” or “best turkey recipes,” threat actors can funnel users to a malware-infected website or directly to a file containing malware. More sophisticated campaigns use keywords to target specific groups or occupations: if the goal is to compromise a company that uses Microsoft-based products, search terms relating to specific programs, such as “how do I create a macro in Excel,” can help home in on victims.

Cloaking

Cloaking is the practice of hiding a website’s “true” address. While this has valid applications (shortening a website URL or having multiple domain names for a legitimate site), it can also be used in SEO poisoning to make malicious pages or files harder to detect.

Search engines compile information about websites using programs called bots (crawlers) that read and analyze both a site’s code and its content. Google’s and Bing’s bots leave a fingerprint when they visit a site that distinguishes them from human visitors.

A common technique in SEO poisoning is to configure a website to provide a “clean” page for search engine bots and a compromised page for visitors, or to redirect the search engine bots to a different site entirely. 

To make a poisoned page even harder to detect, threat actors sometimes only send a small percentage of visitors to a page containing malware. If a legitimate website is compromised, but only directs every hundredth visitor to a page containing malware, it will likely avoid detection for a longer stretch of time.
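As an added defender-side check that is not part of the original article: given several fetches of the same URL, some made with a crawler User-Agent and some with a browser User-Agent, the script below flags content the crawler never saw (cloaking) and off-site redirects that hit only a fraction of browser visits (the “every hundredth visitor” pattern). The URLs, User-Agent strings and the 1-in-100 sample are constructed for illustration, and the substrings used to recognise crawler fetches are an assumption.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Fetch:
    """One response: requesting User-Agent, URL after redirects, body."""
    user_agent: str
    final_url: str
    body: str

# Assumption: crawler fetches are recognised by these User-Agent substrings.
CRAWLER_UA_MARKERS = ("googlebot", "bingbot")

def is_crawler(user_agent: str) -> bool:
    return any(m in user_agent.lower() for m in CRAWLER_UA_MARKERS)

def body_hash(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]

def analyze(url: str, fetches: list) -> dict:
    """Flag cloaking (a browser got content the crawler never saw) and selective
    off-site redirects (only some browser fetches leave the origin host)."""
    crawler = [f for f in fetches if is_crawler(f.user_agent)]
    browser = [f for f in fetches if not is_crawler(f.user_agent)]
    crawler_hashes = {body_hash(f.body) for f in crawler}
    browser_hashes = Counter(body_hash(f.body) for f in browser)
    origin = urlsplit(url).netloc
    offsite = [f for f in browser if urlsplit(f.final_url).netloc != origin]
    rate = round(len(offsite) / len(browser), 3) if browser else 0.0
    return {  # "cloaked" is only meaningful when at least one crawler fetch exists
        "cloaked": bool(crawler) and any(h not in crawler_hashes for h in browser_hashes),
        "browser_variants": len(browser_hashes),
        "offsite_redirect_rate": rate,
        "redirect_targets": sorted({urlsplit(f.final_url).netloc for f in offsite}),
    }

# Constructed sample: the crawler and 99 of 100 browser visits get the clean
# recipe page; the hundredth browser visit is bounced to a different host.
SAMPLE_URL = "https://recipes.example/best-turkey-recipes"
CLEAN = "<html>Best turkey recipes for the holidays...</html>"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"

def sample_fetches() -> list:
    fetches = [Fetch("Mozilla/5.0 (compatible; Googlebot/2.1)", SAMPLE_URL, CLEAN)]
    fetches += [Fetch(BROWSER_UA, SAMPLE_URL, CLEAN) for _ in range(99)]
    fetches.append(Fetch(BROWSER_UA, "https://files.example-cdn.invalid/recipes.zip",
                         "<html>Your download will begin shortly...</html>"))
    return fetches
```

A single browser fetch would miss the one-in-a-hundred redirect, which is why the check compares many browser visits against the crawler’s view rather than one request of each kind.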

Takeaways

The most effective vector for threat actors distributing malware is poor cyber hygiene. Email attachments from familiar accounts, text messages and QR codes work because we communicate that way and they are part of our digital landscape. The same is true of SEO poisoning.

Most of us assume the top results for a search are well-vetted and thus secure. First of all, the top slot can be purchased. But secondly, by exploiting the algorithms used by search engines or by injecting malicious code into a legitimate website, threat actors can use SEO poisoning to launch a wide range of attacks, including ransomware and credential theft.

While there’s no one silver bullet for defending against this tactic, a few steps of precaution can help:

  • Keep in mind that nothing online is 100% safe: websites, search engines, email accounts and app stores can all be compromised to spread malware.
  • Install security software on your devices and keep it updated.
  • If you maintain a website, be sure to update all software that runs on it. Outdated plugins and extensions are commonly used to inject malicious code and/or malware.
  • Check the URL of any website before clicking through to it. Websites that look legitimate but have long addresses, especially those hosted in other countries, can be cloned or cloaked.
  • Be suspicious of any web page that automatically redirects you to another site after you click on a search result.