
What is SEO poisoning?

SEO poisoning is a malicious technique that combines SEO knowledge and social engineering tactics with malware deployment

SEO poisoning is a malicious strategy in which social engineering techniques and malware are combined to commit fraud and attack companies

What is the first thing you do when you need information about any issue? You take your mobile or laptop, go to your trusted search engine (Google, Bing, etc.), and it will offer you a list of web pages that can answer your questions.

Search engine algorithms classify all websites according to a series of parameters. Search engine optimization (SEO) specialists adapt pages to the algorithms’ characteristics. These professionals are critical to ensuring that when a person searches for “red party dress,” the website of a certain company comes up in the first position.

But… can SEO be used for spurious purposes? That is precisely what SEO poisoning is all about.

As in many other cases, this type of cyberattack combines social engineering techniques to deceive users with the deployment of malware to spy, steal confidential information or obtain credentials to access sensitive applications such as victims’ bank accounts.

Below, we will explain the keys to SEO poisoning and how to prevent this technique from being used to attack companies and citizens.

1. The 5 phases of SEO poisoning

Criminal groups that opt for SEO poisoning need to combine knowledge of SEO, especially Black Hat SEO tactics, with social engineering tactics and the ability to develop and execute malware. What are the phases of an SEO poisoning attack?

1.1. Defining the keyword and the target

First, a web page is created using classic SEO tactics, such as targeting the keywords that the intended group of users actually searches for.

SEO poisoning allows malicious actors great freedom in defining their potential victims. Why? Although there are generic searches, most searches are performed by specific groups.

For example, a portal that ranks for the term “webmail” combined with a company’s name can be a vector of infection and impersonation targeting that company’s employees, allowing credentials to be stolen and targeted attacks to be launched.

A model confidentiality contract will not be sought by a professional working in a clothing store, but by business owners or professionals in companies’ legal departments. If the target is people who invest in cryptocurrencies, attackers can design a page focused on a search related to that topic.

This is essential, especially when you want to attack companies in specific economic sectors to commit fraud, collect information or obtain credentials to access critical applications.

1.2. Black Hat SEO actions

Next, malicious actors implement Black Hat SEO actions, i.e. a series of traps to trick algorithms and get a page to rank high in search engines, such as including hidden text, creating an artificial link network, using botnets to increase traffic to a page or abusing keyword usage.

In recent years, companies such as Google have implemented specific controls to detect Black Hat SEO tactics and punish them by excluding the pages where they are used. However, in the short term these tactics can still yield good results, which is why they remain useful to criminals.

1.3. Typosquatting

The URL of the fake page completes the design of an SEO poisoning campaign. Criminals use the typosquatting technique: they create a URL virtually identical to that of a legitimate page that the user knows or can trust, but introduce a minor alteration that goes unnoticed by the naked eye. In this way, the user will click without fear because they will believe they are accessing the actual website.

Suppose the malicious actors have implemented a successful SEO poisoning strategy. In that case, the fake page will appear at the top of the rankings, and as the URL will be almost identical to that of the legitimate download site, the victim will likely click on it.
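As an added, constructed example (not code from the original post), the following Python sketch shows the kind of check a brand-monitoring team runs over newly seen domains to catch the typosquatting variants described above: homoglyph swaps, one- or two-character edits, the brand label under another TLD, and the brand embedded in a longer name. The brand and candidate domains are made up.

```python
# Added example with constructed data (not from the original post): flag look-alike domains.
from __future__ import annotations

# Glyph pairs that read alike at a glance; folded before comparison ('examp1e' -> 'example').
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample data: the brand we protect (lower-case) and domains seen in search results.
BRANDS = ["example-corp.com"]
CANDIDATES = ["example-corp.com", "examp1e-corp.com", "exampel-corp.com",
              "webmail-example-corp.com", "example-corp.net", "totally-unrelated.org"]

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examp1e-corp' for 'examp1e-corp.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label

def levenshtein(a: str, b: str) -> int:
    """Minimum single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, brands: list[str]) -> str | None:
    """Return why a candidate looks like a typosquat of one of the brands, or None."""
    candidate = candidate.lower().strip(".")
    cand = registrable_label(candidate)
    for brand in brands:
        if candidate == brand:
            return None                      # the genuine domain itself
        n_cand, n_b = normalize(cand), normalize(registrable_label(brand))
        if n_cand == n_b:                    # same label on another TLD, or a homoglyph swap
            return f"label matches {brand} (other TLD or homoglyph)"
        if levenshtein(n_cand, n_b) <= 2:    # tune per brand: 2 is loose for short labels
            return f"within two edits of {brand}"
        if n_b in n_cand:                    # e.g. 'webmail-<brand>' or '<brand>-login'
            return f"embeds {brand} with extra keywords"
    return None

def triage(candidates: list[str], brands: list[str]) -> dict[str, str]:
    """Map each flagged candidate to its reason; genuine and unrelated domains are dropped."""
    return {c: r for c in candidates if (r := classify(c, brands))}
```

Flagged domains are candidates for takedown requests and for blocking at the proxy or DNS layer; the thresholds are deliberately simple and should be tuned against the organisation's own brand names.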

1.4. Aesthetic cloning

Alongside typosquatting, another critical SEO poisoning activity is also based on constructing a semblance of reality: the malicious pages’ design.

In many cases, criminals clone actual pages so that victims do not realize they are on fake sites. Thus, it is common for the aesthetics and contents of well-known e-commerce sites to be replicated.

In this regard, the advent of generative AI has made it easier for hostile actors who want to use SEO poisoning. It allows them to create realistic web pages with well-written texts without spending a great deal of talent and time on them.

1.5. Manipulating users into taking an action

What is the last step of the SEO poisoning technique? Inducing the victim to perform a specific action:

  • Downloading a malware-infected file, believing it to be the document they are looking for or the installer of a legitimate program, when in fact it installs malware.
  • Entering personal data such as name, surname, email, telephone number and even identification documents such as ID cards.
  • Making a payment to purchase a product that is supposedly sold on a fake e-commerce site.

SEO poisoning resorts to tactics such as Black Hat SEO

2. Objectives of SEO poisoning

The way SEO poisoning operates shows that this criminal technique can affect:

  • Users who perform searches through Google, Bing or any other search engine.
  • Companies whose professionals unwittingly download malware on their corporate computers or provide access credentials to programs for professional use.
  • Organizations whose identity is spoofed to deceive victims.

What are the malicious actors who opt for SEO poisoning looking for?

  • Deploying different types of malware. This is the quintessential goal of SEO poisoning. Through fraudulently positioned malicious websites, criminals can plant multiple types of malware on victims’ computers: Trojans, spyware, ransomware… Thanks to them, they can spy on their victims, hijack companies’ customer data, obtain critical information, break into bank accounts, drain cryptocurrency wallets…
  • Stealing credentials to access applications. If the malicious page pretends to be a legitimate web application the user already uses, it is possible to get them to enter their access credentials.
  • Committing financial fraud, getting the user to make payments or obtaining critical information with which to carry out future attacks.
  • Damaging the reputation of the companies whose identities are impersonated, in the eyes of the users affected by SEO poisoning.

3. Perfecting SEO poisoning

Although the major search engines have security controls in place to prevent users from being shown malicious results, criminal groups have been perfecting the technique of SEO poisoning to evade these controls, trick users and defeat companies’ defensive systems.

After all, as we have pointed out before, the history of cybersecurity is based on criminals’ continuous development of new techniques, tactics and procedures (TTPs) and on cybersecurity experts’ efforts to detect them, understand them and implement the necessary mechanisms to render them ineffective.

3.1. Corporate documents, cutting-edge malware and fake forums

Last year, a campaign launched by a criminal group with a long history of developing and running malware – Gootloader – became public. The criminals resorted to SEO poisoning to infect corporate networks using a more sophisticated variant of their malware: Gootbot. The operation was as follows:

  1. They created a fake forum to attract people looking for corporate document templates. Using the tactics we saw earlier, they managed to get the forum to appear in the top results when searching for keywords such as “Implied Employment Agreement”.
  2. Victims accessed the forum to download the file they wanted; however, in doing so, they executed the Gootloader malware on their computers.
  3. This malware spread throughout the network, facilitating the lateral movement of malicious actors, going unnoticed by antivirus scanners and allowing multiple systems to be attacked.

3.2. Taking over an obsolete CMS to exploit legitimate domains

At the beginning of 2024, a new SEO poisoning campaign was detected that goes a step beyond the usual practices of criminals. Why? The malicious actors behind this campaign did not impersonate companies and institutions through typosquatting or page cloning but used FCKeditor, a CMS component deprecated since 2010, to:

  • Perform redirects to fraudulent pages.
  • Create pages within legitimate domains of organizations that once used this editor, get those pages to rank in search engines and then redirect visitors to malicious URLs.

Through this SEO poisoning strategy, the criminals have overcome the security controls that search engines have implemented to combat these criminal practices.

MIT and Columbia University, two of the world’s most prestigious educational and research centres, and the University of Barcelona, one of Spain’s leading universities, are among the organizations affected.

If these institutions had not been using obsolete software for almost five decades, the criminals would not have been able to successfully implement this SEO poisoning campaign.

Cyber intelligence is essential to fight sophisticated cyberattacks

4. Cybersecurity antidotes to SEO poisoning

How can SEO poisoning be combated? Cyber intelligence and cybersecurity services are essential to detect fake pages that impersonate companies, train and raise awareness among professionals to prevent social engineering attacks and have the tools to respond effectively to a malware attack. What services are we talking about?

  • Cyber intelligence services that maintain continuous digital surveillance to prevent online fraud and hacking, and to detect and combat phishing campaigns and websites that impersonate corporate identities and brands.
  • Social engineering tests assess the level of maturity of a company and its professionals against attacks using social engineering while helping to train and raise awareness among all organization members to prevent fraud and theft of critical information.
  • Incident response: What happens if the SEO poisoning strategy is successful and cybercriminals manage to deploy malware on a corporate network or obtain access credentials or information to launch other attacks? Organizations must have teams ready to respond to an attack in less than 1 hour. This will enable them to quickly identify the scope of the compromise, contain the attack, expel the malicious actor and restore normality in the shortest possible time and in a secure manner to minimize the consequences of the incident.

In short, SEO poisoning is a malicious strategy that allows criminals to find an entry vector to attack companies and citizens, combining social engineering techniques with malware. All this, taking advantage of one of our most internalized daily habits: searching for the information, products and documents we need through search engines.