Search engine optimization (SEO) poisoning has been around for as long as internet users have been using search engines. The attack, which is making a bit of a comeback recently, involves manipulating search engine results to drive users from legitimate websites to sites that serve up malware, identity theft tools and even fake news.

In recent weeks, cybersecurity vendor Zscaler has reported an uptick of SEO poisoning attacks. About 10,000 such websites targeted searches about November’s U.S. midterm elections.

Same Scheme, Different Name

Attackers used various techniques to trick search engines into elevating webpages that serve up pornography, advertising, and political or religious content, the Zscaler researchers reported.

“SEO poisoning is a new term for a very old problem: People trying to get you to go to their webpage rather than what you really want,” said Ty Belknap, a network engineer and author of “Timeless SEO Secrets.” “It’s been around almost as long as websites have, and search engines still have difficulty stopping it.”

The technique is most effective during special events like the Olympics, World Cup or an upcoming election, added Joseph Carson, chief security scientist at cybersecurity vendor Thycotic. During natural disasters, he said, criminals often use SEO poisoning methods to trick people into sending aid to them instead of victims.

“SEO poisoning is typically time-based, so it has a limited set of time that the malicious content would be available on the top of the search results,” Carson explained. “The technique of using SEO poisoning is very concerning as most people trust the search results from Google and have an expectation that when something appears on the top page of the search results, it is assumed that it has been vetted and is authentic.”

How Does SEO Poisoning Work?

Attackers use various techniques to move their pages up in search engine rankings. In some cases, attackers flood their websites with keywords, although most search engines have gotten wise to this technique.

In other scenarios, attackers use so-called cloaking techniques to serve a human visitor different content than they serve to a search engine crawler (spider). Yet another method involves building layers of websites that link to each other in an effort to trick search engines into ranking them higher.
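The three signals above (keyword stuffing, hidden text, and a crawler seeing different content than a browser) are things a site owner can check for on their own pages, since a compromised legitimate site is often where poisoned content is planted. The following is an added example, not code from the article or from Zscaler; it assumes you have already fetched two snapshots of the same URL, one with a crawler User-Agent and one with a browser User-Agent, and the two sample pages, the stopword list and the thresholds are constructed for illustration.

```python
"""Audit two snapshots of one page for SEO-poisoning signals: keyword
stuffing, hidden text, and cloaking. Sample HTML is constructed."""
import re
from collections import Counter
from html.parser import HTMLParser

STOPWORDS = {"the", "a", "an", "and", "or", "to", "of", "for", "in", "on", "at",
             "is", "it", "by", "this", "that", "with", "your", "you", "now", "out"}
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}  # no closing tag


class _TextExtractor(HTMLParser):
    """Split page text into visitor-visible text and CSS-hidden text."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._hidden_stack = []  # one bool per open element: styled hidden?
        self._skip = False       # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        if self._skip:
            return
        (self.hidden if any(self._hidden_stack) else self.visible).append(data)


def _words(text):
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS]


def _extract(html):
    parser = _TextExtractor()
    parser.feed(html)
    return parser


def keyword_density(html):
    """Return (most frequent visible word, its share of all visible words)."""
    words = _words(" ".join(_extract(html).visible))
    if not words:
        return "", 0.0
    word, count = Counter(words).most_common(1)[0]
    return word, count / len(words)


def hidden_text(html):
    """Text inside elements styled display:none or visibility:hidden."""
    return " ".join(" ".join(_extract(html).hidden).split())


def view_similarity(crawler_html, browser_html):
    """Jaccard overlap of visible vocabulary between two views (1.0 = identical)."""
    a = set(_words(" ".join(_extract(crawler_html).visible)))
    b = set(_words(" ".join(_extract(browser_html).visible)))
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def audit(crawler_html, browser_html, density_limit=0.25, similarity_floor=0.5):
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    word, share = keyword_density(crawler_html)
    if share > density_limit:  # one term dominating the page
        findings.append(f"keyword stuffing: '{word}' is {share:.0%} of visible words")
    hidden = hidden_text(crawler_html)
    if hidden:
        findings.append(f"hidden text served to crawler: {hidden[:60]!r}")
    sim = view_similarity(crawler_html, browser_html)
    if sim < similarity_floor:  # crawler and browser shown different pages
        findings.append(f"cloaking: views share {sim:.0%} of vocabulary")
    return findings


# Constructed snapshots: what a crawler was served vs. what a browser was served.
CRAWLER_VIEW = """<html><head><title>Midterm Election Results Midterm Election 2022</title>
<style>.x{color:red}</style></head><body><h1>Midterm election results</h1>
<p>Midterm election results midterm election midterm election results midterm live.</p>
<div style="display:none">midterm election results county by county midterm election map</div>
<script>var t=1;</script></body></html>"""
BROWSER_VIEW = """<html><head><title>Your download is ready</title></head><body>
<h1>Update required</h1><p>Your browser is out of date. Install the update to continue.</p>
<a href="http://update-example.invalid/setup.exe">Download now</a></body></html>"""
BENIGN = """<html><head><title>County election office</title></head><body><h1>Polling hours</h1>
<p>Polls open at seven in the morning and close at eight in the evening. Bring photo identification.</p></body></html>"""

if __name__ == "__main__":
    for label, pair in (("poisoned", (CRAWLER_VIEW, BROWSER_VIEW)), ("benign", (BENIGN, BENIGN))):
        print(label, audit(*pair) or "clean")
```

The thresholds are starting points, not standards: a page legitimately about one topic can exceed 25% on its main term, and a dynamic page can differ between two fetches, so treat a finding as a reason to look, and compare against a snapshot you took before the suspected compromise where you have one.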

Malware distribution and information theft are the top goals of SEO poisoning, so attacks can create problems for both individual internet users and corporate networks. According to Carson, this tactic is frequently used to compromise companies’ sensitive information.

“It is a common method using SEO poisoning to steal employee credentials so the cybercriminal can abuse that information to gain access bypassing a company’s existing security controls,” he explained.

Such an attack can also damage a business's brand reputation if customers end up at a poisoned site instead of the real one.

“If they have been a victim of SEO poisoning,” Carson posited, “then how can customers trust the service in the future if they have no confidence that they are on the company’s actual legitimate website?”

Why Users Must Stay Vigilant

Users can protect themselves by using an up-to-date browser that warns them if they try to access insecure websites. Google, in particular, has pushed legitimate websites to use Hypertext Transfer Protocol Secure (HTTPS), the secure form of Hypertext Transfer Protocol (HTTP), and has begun warning users when they surf to insecure sites.

Internet users and organizations should also install antivirus tools that warn them of sites serving up bad code. In addition, users should pay special attention to the URLs of the websites they see in all search results. If a website serves up a pop-up asking you to opt into something, read it carefully before taking action.
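The advice to check HTTPS and to look closely at result URLs can be turned into a small vetting routine that a help desk or a browser extension could run on a link before a user follows it. This is an added example, not code from the article or from any vendor named in it; the `TRUSTED` allow list and every sample URL are constructed, and the registrable-domain helper is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
"""Vet a search-result URL before trusting it as a company's own site.
TRUSTED and all sample URLs are constructed for this example."""
from urllib.parse import urlsplit

TRUSTED = {"example-bank.com"}  # constructed: the organisation's real domain(s)


def _registrable(host):
    """Approximate registrable domain: 'www.example-bank.com' -> 'example-bank.com'.
    Simplification: real code would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def _levenshtein(a, b):
    """Edit distance, used to spot one-character look-alikes such as examp1e."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED):
    """Return a list of warnings; an empty list means the URL passed every check."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if "@" in parts.netloc:  # text before '@' is user info, not the host
        warnings.append(f"user info before '@' disguises the real host {host!r}")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalized hostname; check for look-alike characters")
    domain = _registrable(host)
    if domain in trusted:
        return warnings
    for real in trusted:
        brand = real.split(".")[0]
        if brand in host:  # e.g. example-bank.com.secure-login.net
            warnings.append(f"brand name '{brand}' inside untrusted domain {domain!r}")
        elif _levenshtein(domain, real) <= 2:
            warnings.append(f"{domain!r} is within two edits of trusted {real!r}")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.example-bank.com/login",
                   "http://www.example-bank.com/login",
                   "https://examp1e-bank.com/login",
                   "https://example-bank.com.secure-login.net/",
                   "https://www.example-bank.com@evil.example.net/"):
        print(sample, "->", check_url(sample) or "ok")
```

A URL that is unrelated to the trusted domains (no brand name, no near-miss spelling) produces no warning, because the routine answers one question only: is this link pretending to be our site? Whether an unrelated site is safe is a separate decision for the browser's safe-browsing check and the antivirus tooling mentioned above.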

SEO poisoning can bloom from a trending event more quickly than watchdogs can track individual cases. This can make it difficult to stay informed, but users can mitigate the risks before they reach their networks by remaining vigilant while browsing and regularly updating security software.
