Search engine optimization (SEO) poisoning has been around for as long as internet users have been using search engines. The attack, which has been making a bit of a comeback recently, involves manipulating search engine results to drive users from legitimate websites to sites that serve up malware, identity theft tools and even fake news.

In recent weeks, cybersecurity vendor Zscaler has reported an uptick of SEO poisoning attacks. About 10,000 such websites targeted searches about November’s U.S. midterm elections.

Same Scheme, Different Name

Attackers used various techniques to trick search engines into elevating webpages that serve up pornography, advertising, and political or religious content, the Zscaler researchers reported.

“SEO poisoning is a new term for a very old problem: People trying to get you to go to their webpage rather than what you really want,” said Ty Belknap, a network engineer and author of “Timeless SEO Secrets.” “It’s been around almost as long as websites have, and search engines still have difficulty stopping it.”

The technique is most effective during special events like the Olympics, World Cup or an upcoming election, added Joseph Carson, chief security scientist at cybersecurity vendor Thycotic. During natural disasters, he said, criminals often use SEO poisoning methods to trick people into sending aid to them instead of victims.

“SEO poisoning is typically time-based, so it has a limited set of time that the malicious content would be available on the top of the search results,” Carson explained. “The technique of using SEO poisoning is very concerning as most people trust the search results from Google and have an expectation that when something appears on the top page of the search results, it is assumed that it has been vetted and is authentic.”

How Does SEO Poisoning Work?

Attackers use various techniques to move their pages up in search engine rankings. In some cases, attackers flood their websites with keywords, although most search engines have gotten wise to this technique.

In other scenarios, attackers use so-called cloaking techniques to deliver different web content to a user than they deliver to a search engine spider. Yet another method involves building layers of websites that link to each other in an effort to trick search engines into ranking them higher.
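
A site owner or analyst can check for the keyword flooding and cloaking described above by comparing the page returned to a crawler User-Agent with the page returned to a browser. The following is an added example, not code from Zscaler or the article; the two HTML samples are constructed, and the thresholds and function names are illustrative assumptions.

```python
import re
from collections import Counter
from html.parser import HTMLParser

class PageProfile(HTMLParser):
    """Visible words and outbound link hosts; script/style text is ignored."""
    def __init__(self, html):
        super().__init__()
        self.words, self.hosts, self._skip = [], set(), 0
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            m = re.match(r"https?://([^/:]+)", dict(attrs).get("href") or "")
            if m:
                self.hosts.add(m.group(1).lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words += re.findall(r"[a-z0-9']+", data.lower())

def top_term_density(words):
    """Fraction of all words taken by the most frequent word longer than 3 letters."""
    counts = Counter(w for w in words if len(w) > 3)
    return max(counts.values()) / len(words) if counts else 0.0

def compare_views(crawler_html, browser_html, min_similarity=0.5, max_density=0.2):
    """Compare two responses for one URL (thresholds are illustrative, not tuned)."""
    crawler, browser = PageProfile(crawler_html), PageProfile(browser_html)
    a, b = set(crawler.words), set(browser.words)
    similarity = len(a & b) / len(a | b) if a | b else 1.0  # Jaccard on vocabulary
    density = top_term_density(crawler.words)
    return {
        "similarity": round(similarity, 2),
        "cloaking_suspected": similarity < min_similarity,
        "hosts_only_in_browser_view": sorted(browser.hosts - crawler.hosts),
        "crawler_top_term_density": round(density, 2),
        "stuffing_suspected": density > max_density,
    }

# Constructed sample responses for one URL, as fetched with two different User-Agents.
CRAWLER_VIEW = "<h1>Midterm election results</h1><p>election results election polls election map election news election results</p>"
BROWSER_VIEW = "<script>var q='election';</script><p>Limited offer. Click to continue.</p><a href='http://ads.example.net/offer'>Continue</a>"

if __name__ == "__main__":
    print(compare_views(CRAWLER_VIEW, BROWSER_VIEW))
```

Low similarity alone is not proof of cloaking, since legitimate sites also vary content by device or region; it marks a page for manual review.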

Malware distribution and information theft are the top goals of SEO poisoning, so attacks can create problems for both individual internet users and corporate networks. According to Carson, this tactic is frequently used to compromise companies’ sensitive information.

“It is a common method using SEO poisoning to steal employee credentials so the cybercriminal can abuse that information to gain access bypassing a company’s existing security controls,” he explained.

Such an attack can also damage a business’ brand reputation if customers end up at a poisoned site instead of the real one.

“If they have been a victim of SEO poisoning,” Carson posited, “then how can customers trust the service in the future if they have no confidence that they are on the company’s actual legitimate website?”

Why Users Must Stay Vigilant

Users can protect themselves by using an up-to-date browser that warns them if they try to access insecure websites. Google, in particular, has pushed legitimate websites to use Hypertext Transfer Protocol Secure (HTTPS), the secure form of Hypertext Transfer Protocol (HTTP), and has begun warning users when they surf to insecure sites.

Internet users and organizations should also install antivirus tools that warn them of sites serving up bad code. In addition, users should pay special attention to the URLs of the websites they see in all search results. If a website serves up a pop-up asking you to opt into something, read it carefully before taking action.

SEO poisoning can bloom from a trending event more quickly than watchdogs can track individual cases. This can make it difficult to stay informed, but users can mitigate the risks before they reach their networks by remaining vigilant while browsing and regularly updating security software.
