Search engine optimization (SEO) poisoning has been around for as long as internet users have been using search engines. The attack, which is making a bit of a comeback recently, involves manipulating search engine results to drive users from legitimate websites to sites that serve up malware, identity theft tools and even fake news.

In recent weeks, cybersecurity vendor Zscaler has reported an uptick of SEO poisoning attacks. About 10,000 such websites targeted searches about November’s U.S. midterm elections.

Same Scheme, Different Name

Attackers used various techniques to trick search engines into elevating webpages that serve up pornography, advertising, and political or religious content, the Zscaler researchers reported.

“SEO poisoning is a new term for a very old problem: People trying to get you to go to their webpage rather than what you really want,” said Ty Belknap, a network engineer and author of “Timeless SEO Secrets.” “It’s been around almost as long as websites have, and search engines still have difficulty stopping it.”

The technique is most effective during special events like the Olympics, World Cup or an upcoming election, added Joseph Carson, chief security scientist at cybersecurity vendor Thycotic. During natural disasters, he said, criminals often use SEO poisoning methods to trick people into sending aid to them instead of victims.

“SEO poisoning is typically time-based, so it has a limited set of time that the malicious content would be available on the top of the search results,” Carson explained. “The technique of using SEO poisoning is very concerning as most people trust the search results from Google and have an expectation that when something appears on the top page of the search results, it is assumed that it has been vetted and is authentic.”

How Does SEO Poisoning Work?

Attackers use various techniques to move their pages up in search engine rankings. In some cases, attackers flood their websites with keywords, although most search engines have gotten wise to this technique.

In other scenarios, attackers use so-called cloaking techniques to deliver different web content to a user than to a search engine spider. Yet another method involves building layers of websites that link to each other in an effort to trick search engines into ranking them higher.

Malware distribution and information theft are the top goals of SEO poisoning, so attacks can create problems for both individual internet users and corporate networks. According to Carson, this tactic is frequently used to compromise companies’ sensitive information.

“It is a common method using SEO poisoning to steal employee credentials so the cybercriminal can abuse that information to gain access bypassing a company’s existing security controls,” he explained.

Such an attack can also damage a business’ brand reputation if customers end up at a poisoned site instead of the real one.

“If they have been a victim of SEO poisoning,” Carson posited, “then how can customers trust the service in the future if they have no confidence that they are on the company’s actual legitimate website?”

Why Users Must Stay Vigilant

Users can protect themselves by using an up-to-date browser that warns them if they try to access insecure websites. Google, in particular, has pushed legitimate websites to use Hypertext Transfer Protocol Secure (HTTPS), the secure form of Hypertext Transfer Protocol (HTTP), and has begun warning users when they surf to insecure sites.

Internet users and organizations should also install antivirus tools that warn them of sites serving up bad code. In addition, users should pay special attention to the URLs of the websites they see in all search results. If a website serves up a pop-up asking you to opt into something, read it carefully before taking action.

SEO poisoning can bloom from a trending event more quickly than watchdogs can track individual cases. This can make it difficult to stay informed, but users can mitigate the risks before they reach their networks by remaining vigilant while browsing and regularly updating security software.
