Search engine optimization (SEO) poisoning has been around for as long as internet users have been using search engines. The attack, which is making a bit of a comeback recently, involves manipulating search engine results to drive users from legitimate websites to sites that serve up malware, identity theft tools and even fake news.

In recent weeks, cybersecurity vendor Zscaler has reported an uptick of SEO poisoning attacks. About 10,000 such websites targeted searches about November’s U.S. midterm elections.

Same Scheme, Different Name

Attackers used various techniques to trick search engines into elevating webpages that serve up pornography, advertising, and political or religious content, the Zscaler researchers reported.

“SEO poisoning is a new term for a very old problem: People trying to get you to go to their webpage rather than what you really want,” said Ty Belknap, a network engineer and author of “Timeless SEO Secrets.” “It’s been around almost as long as websites have, and search engines still have difficulty stopping it.”

The technique is most effective during special events like the Olympics, World Cup or an upcoming election, added Joseph Carson, chief security scientist at cybersecurity vendor Thycotic. During natural disasters, he said, criminals often use SEO poisoning methods to trick people into sending aid to them instead of victims.

“SEO poisoning is typically time-based, so it has a limited set of time that the malicious content would be available on the top of the search results,” Carson explained. “The technique of using SEO poisoning is very concerning as most people trust the search results from Google and have an expectation that when something appears on the top page of the search results, it is assumed that it has been vetted and is authentic.”

How Does SEO Poisoning Work?

Attackers use various techniques to move their pages up in search engine rankings. In some cases, attackers flood their websites with keywords, although most search engines have gotten wise to this technique.

In other scenarios, attackers use so-called cloaking techniques to serve a human visitor different web content from what they serve to a search engine spider. Yet another method involves building layers of websites that link to each other in an effort to trick search engines into ranking them higher.
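Cloaking of the kind described above can be checked for from the defender's side by requesting the same URL once as a browser and once as a crawler and comparing the visible text the two responses carry. The following is an added example, not code from the article or from Zscaler; the `example.test` URLs, the canned responses and the injected `fetch` function are constructed stand-ins so the check runs offline.

```python
import re
from html.parser import HTMLParser

# Two user-agent strings: one resembling a desktop browser, one a search engine crawler.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _VisibleText(HTMLParser):
    """Collects text a visitor would see; script/style bodies are skipped."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def word_set(html):
    p = _VisibleText()
    p.feed(html)
    return set(re.findall(r"[a-z0-9]+", " ".join(p.parts).lower()))


def cloaking_score(browser_html, crawler_html):
    """1 - Jaccard similarity of visible words; 0.0 = identical, 1.0 = nothing in common."""
    a, b = word_set(browser_html), word_set(crawler_html)
    if not a and not b:          # two empty pages do not diverge
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def is_cloaked(fetch, url, threshold=0.5):
    """fetch(url, user_agent) -> HTML string. Flags pages whose visible text differs by UA."""
    return cloaking_score(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA)) > threshold


# Constructed sample responses (hypothetical domain); the crawler gets election keywords,
# the browser gets an empty shell that immediately redirects.
_PAGES = {
    ("https://example.test/results", CRAWLER_UA):
        "<html><body><h1>Midterm election results by county</h1><p>Official county results.</p></body></html>",
    ("https://example.test/results", BROWSER_UA):
        "<html><body><script>location='https://example.test/dl'</script><h1>Loading...</h1></body></html>",
    ("https://example.test/about", CRAWLER_UA): "<html><body><p>About our county results site.</p></body></html>",
    ("https://example.test/about", BROWSER_UA): "<html><body><p>About our county results site.</p></body></html>",
}

def fake_fetch(url, user_agent):
    return _PAGES[(url, user_agent)]
```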

Malware distribution and information theft are the top goals of SEO poisoning, so attacks can create problems for both individual internet users and corporate networks. According to Carson, this tactic is frequently used to compromise companies’ sensitive information.

“It is a common method using SEO poisoning to steal employee credentials so the cybercriminal can abuse that information to gain access bypassing a company’s existing security controls,” he explained.

Such an attack can also damage a business’ brand reputation if customers end up at a poisoned site instead of the real one.

“If they have been a victim of SEO poisoning,” Carson posited, “then how can customers trust the service in the future if they have no confidence that they are on the company’s actual legitimate website?”

Why Users Must Stay Vigilant

Users can protect themselves by using an up-to-date browser that warns them if they try to access insecure websites. Google, in particular, has pushed legitimate websites to use Hypertext Transfer Protocol Secure (HTTPS), the secure form of Hypertext Transfer Protocol (HTTP), and has begun warning users when they surf to insecure sites.

Internet users and organizations should also install antivirus tools that warn them of sites serving up bad code. In addition, users should pay special attention to the URLs of the websites they see in all search results. If a website serves up a pop-up asking you to opt into something, read it carefully before taking action.

SEO poisoning can bloom from a trending event more quickly than watchdogs can track individual cases. This can make it difficult to stay informed, but users can mitigate the risks before they reach their networks by remaining vigilant while browsing and regularly updating security software.
