Cyberattacks 101: SEO Poisoning

Search Engine Optimization (SEO) is a common term used by digital marketers and is a technique used by many organizations to generate clicks on digital content, drive website traffic, and more. While SEO efforts and techniques vary – and can be paid or unpaid – the goal for marketers remains the same: to expand visibility by targeting online users through search engines.

Just as legitimate marketers can use SEO techniques, cybercriminals can, too. Cybercriminals will stop at nothing to get what they want, and there is an emerging tactic called SEO poisoning that organizations – and their marketing departments – must be aware of moving forward. Let’s explore the basics.

How can marketers achieve a good SEO ranking?

Before we discuss how cybercriminals use SEO to gain access to valuable data, we need to understand more about how SEO works. When a marketer optimizes their content or website for SEO purposes, they’re essentially feeding search engines – like Google and Bing – crawlable information through keywords on the organization’s website pages. Search engines use this information to give the organization a ranking and then displays the websites in order of that ranking. If an organization can dial in their SEO accurately, they are more likely be ranked near the top of the search results.

For example, if you work for a municipality and are looking for new software solutions and type in “Tyler Technologies” in Google, it will come up first on the search results list if the SEO is done right. Other competitors will hopefully be further down the list.

What are these SEO poisoning groups trying to do?

We can break this down into two categories:

• Hackers are trying to trick users into visiting the malicious site. Criminals want to drive traffic to their malicious sites for many nefarious reasons, including stealing personal information, spreading disinformation, or installing malware. They are often used as a delivery platform for drive-by downloads.
   
• They are trying to damage legitimate website reputations. SEO poisoning groups will do this to increase the traffic to their malicious site. Hackers know that if they’re trying to impersonate a legitimate source, it will be hard to do if that legitimate source is still the top hit on Google. Therefore, it’s easier for the hacker to get rid of their competition by reducing trust in the other business. They do this by convincing the victims they were hacked by visiting their rival’s (i.e., the legitimate source) website.

Cyberthreat Hunting Guide | Protect Your Network

Take a proactive stance against cybercriminals and learn how to hunt potentially malicious network behavior in our complimentary white paper. Download our Cyberthreat Hunting Guide to discover how threat hunting can improve your security posture.

What are some common SEO poisoning tactics?

Let’s look at how hackers can pull off this type of attack. The most intuitive of the different poisoning techniques is called keyword packing. Hackers will fill up their malicious site with hundreds of keywords that can be picked up by search engines to push the site to the top of the list. They will use any words they can – to target anyone they can – to make their site look like it has information about many different topics. By having these keywords bundled together, it can look like a well-informed site to the search engine bots that crawl websites to determine the SEO ranking.

Another tactic is to use fake traffic, where the hacker makes one website look more popular than it really is. Since search engines prioritize websites with more views over those that have fewer views, attackers will try to generate fake traffic to their malicious website so they can eventually rank higher in the search results. If a malicious website suddenly gets thousands of views, it will bump them up in the ranking, giving them a higher chance of compromising unsuspecting victims.

Finally, SEO poisoning groups will try to duplicate a website so they can mimic it and lure the victim to click that one instead of the real one. This is malicious because search engines typically only show one organic version one paid version of a website in their results. Hackers will try to mimic websites with the goal of knocking the real ones further down on the Google search results list, thus tricking victims to click on the fake one instead.

How can you defend against an SEO poisoning attack?

Like a lot of other defenses, do not visit unfamiliar websites. This is particularly important to remember. Being the top hit on a search engine does not always mean a website is safe. You can't just trust the first page of Google is going to give you good, safe information. Use your instincts and always hover over the link to see the whole URL before clicking on it.

If you do find yourself unexpectedly redirected or you click on a link and find you’re rapidly switching through five different pages, it’s good indication you should leave the final destination or just close the browser.

Always make sure your browser is updated to the latest security settings. Additionally, be sure to have antivirus software installed on your device so if you do end up on a compromised site or get hit with a drive-by download, your antivirus will catch it and prevent you from being harmed.

Finally, if you are a website owner, make sure you have secured the website as best you can and require multi-factor authentication (MFA) for privileged users.

By practicing safe browsing and implementing necessary technical controls, you will minimize you and your organization’s chances of getting compromised by an SEO poisoning attack.