What is the most common goal of search engine optimization (SEO poisoning)

Attacks involving SEO poisoning -- where adversaries artificially increase the search engine ranking of websites hosting their malware to lure potential victims -- are on the rise.

In the past few months, attackers have used the tactic in at least two campaigns across Menlo Security's global customer base, researchers there say: one to distribute the REvil ransomware sample and the other to drop a backdoor called SolarMarker.

The attacks highlight recent efforts by threat actors to target users instead of organizations in their malicious campaigns, Menlo Security said in a report this week. The security vendor described the trend as likely being driven by adversaries seeking to take advantage of the current remote work environment where the lines between personal and business device use have blurred.

In search engine optimization [SEO] poisoning attacks, adversaries first compromise legitimate websites and then inject specific keywords into the website that users might commonly search for via their preferred search engine. The goal in injecting the keywords is to ensure that the compromised website surfaces near or on top of search engine results when a user searches for something using the keywords. 

In the SolarMarker campaign that Menlo Security observed, users who clicked on the poisoned link were directed to a malicious PDF hosted on the compromised site and eventually ended up with the backdoor on their systems.

Menlo Security said it observed over 2,000 unique search terms that led users to sites hosting SolarMarker. Examples included "blue-jacket-of-the-quarter-write-up-examples," "industrial-hygiene-walk-through-survey-checklist," and "Sports Mental Toughness Questionnaire." The campaign targeted users across numerous industry verticals, including automotive, retail, financial services, manufacturing, transportation, and telecommunications. 

Websites hosting the malicious PDF were scattered around the world. While many were in the US, the security vendor said it noticed sites in countries such as Iran and Turkey that were also being used in the campaign. Sites serving the malicious PDF included government websites and domains belonging to well-known educational institutions, the security vendor said.

Vinay Pidathala, director of security research at Menlo Security, says that when adversaries choose what keywords they want to use in an SEO poisoning campaign, they likely start off with terms that are of interest to users within specific industries they might be targeting. 

"In the [approximately] 2,000 search terms we noticed, we consistently saw customers searching for terms related to their industries," Pidathala says. "One theory is that they could be using some sort of A/B testing, where initially they use a wide range of search terms, monitor the efficacy of each of these search terms, figure out which search terms are more widely searched for, and then later weaponize it."

High Rate of Success
Pidathala describes SEO poisoning as a relatively effective way for attackers to distribute malware or lure users to malicious sites. In both the campaigns that Menlo Security recently observed — REvil and SolarMarker — a relatively high percentage of users clicked on the malicious link in the search engine results, he says. 

"Specifically in the SolarMarker campaign, we saw that about 42% of users who searched for a certain term eventually ended up clicking on the link in the malicious PDF, which would drop the malware — [proving] the effectiveness of this campaign," he says.

Menlo Security said that all the compromised websites in the SolarMarker campaign were WordPress sites that contained a plug-in called Formidable Forms. It's unclear, however, whether the plug-in played any role in allowing the attackers to break into the sites. 

"We are neither sure if Formidable Forms was compromised or if there was a vulnerability in Formidable Forms," Pidathala says. "We are merely pointing out that in all the WordPress sites we observed, this was the common plug-in installed."

The attackers also employed a relatively simple evasion technique — using large-sized payloads — to try and sneak SolarMarker past anti-malware tools. 

"The largest payload we observed was 123MB," Pidathala says. "Unfortunately, tools tend to have a file size limit on what they can or cannot analyze."
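The report describes a chain that is visible in ordinary web-proxy logs: a search-engine referral, a lure PDF on a compromised site, and then a payload large enough to fall outside the scan limit of inspection tools. The following Python script is an added example of hunting for that chain; it is not Menlo Security's or the article's code. The log format, the hosts under example.invalid, the user names and the 50 MB scan-size limit are constructed assumptions for the demonstration.

```python
"""Added example (not from the original article): find search -> lure PDF ->
oversized executable chains in constructed web-proxy log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
SANDBOX_LIMIT = 50 * 1024 * 1024   # assumed scan-size limit of the inspection tool (constructed)

# Constructed proxy log: time, user, referer, url, content-type, bytes (one event per line).
# The second line is 123 MiB, the largest payload size quoted in the article.
LOG = """\
2021-06-01T09:12:01 alice https://www.google.com/search?q=blue+jacket https://compromised.example.invalid/wp-content/uploads/blue-jacket-write-up-examples.pdf application/pdf 203944
2021-06-01T09:12:40 alice https://compromised.example.invalid/wp-content/uploads/blue-jacket-write-up-examples.pdf https://dl.example.invalid/get.php?id=31 application/octet-stream 128974848
2021-06-01T09:20:12 bob https://www.bing.com/search?q=checklist https://intranet.example.invalid/checklist.pdf application/pdf 88123
2021-06-01T10:01:05 bob https://intranet.example.invalid/tools https://intranet.example.invalid/installer.exe application/x-msdownload 4194304
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, referer, url, ctype, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "referer": referer,
                       "url": url, "ctype": ctype, "bytes": int(size)})
    return events


def from_search_engine(referer):
    """True when the referer host belongs to one of the listed search engines."""
    host = referer.split("/")[2].lower() if "://" in referer else ""
    return any(engine in host for engine in SEARCH_ENGINES)


def find_lure_chains(events, window=timedelta(minutes=10), limit=SANDBOX_LIMIT):
    """Per user: a PDF reached from a search engine, followed within `window` by an
    executable download whose referer is that PDF. Flags payloads above the scan limit."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)
    alerts = []
    for user, evs in by_user.items():
        for i, lure in enumerate(evs):
            if lure["ctype"] != "application/pdf" or not from_search_engine(lure["referer"]):
                continue
            for follow in evs[i + 1:]:
                if follow["ts"] - lure["ts"] > window:
                    break                      # events are time-sorted; nothing later qualifies
                if follow["ctype"] in EXEC_TYPES and follow["referer"] == lure["url"]:
                    alerts.append({
                        "user": user,
                        "search_referer": lure["referer"],
                        "lure_pdf": lure["url"],
                        "payload": follow["url"],
                        "payload_bytes": follow["bytes"],
                        "exceeds_scan_limit": follow["bytes"] > limit,
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_lure_chains(parse_log(LOG)):
        print(alert)
```

The time window and the referer match are what keep the rule quiet on bob's ordinary intranet traffic; the size flag is there so an analyst sees at a glance when the download was too large for the inline scanner to have inspected.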

Search engine optimization poisoning [SEO poisoning] is a term used to describe two types of activities:


  • Illegitimate techniques used to achieve high search engine ranking, usually [but not only] to attack visitors
  • Exploiting vulnerabilities on existing high-ranking web pages and using them to spread malware

SEO poisoning may be used by legitimate websites to unfairly increase their ranking as well as by malicious sites [or legitimate sites that were compromised] to target visitors. If the intent is malicious, the assailant aims to install malware such as trojans, attack the user’s machine, or trick the user into providing sensitive data.

Malicious SEO poisoning is about reaching a lot of people quickly and easily. Therefore, such attacks often follow trending search terms. For example, there were SEO poisoning attacks during natural disasters, when attackers attempted to have victims send monetary aid to fake accounts. There were also such attacks during major political campaigns and other major world events.

Using Blackhat SEO

The term blackhat SEO covers all the techniques used to trick a search engine into granting a high search ranking. Search engines change their ranking algorithms constantly and different search engines use different ranking methods. Therefore, blackhat SEO techniques must keep evolving as well.

In the past, the most prominent technique was called keyword stuffing. Search engines ranked websites just on the basis of keywords, which could be placed anywhere: both in meta tags and in the content of the website. The content itself did not even have to make sense. Therefore, blackhat SEO often meant, for example, creating text fragments that were invisible to the visitor [white text, white background, small font] with as many keywords as possible.
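A site owner or reviewer can check a page for the invisible keyword blocks described above. The following Python script is an added example, not code from the original article or from Acunetix; it uses only the standard library, and the sample page is constructed for the demonstration (the hidden terms reuse search strings quoted earlier on this page). It flags text that is hidden by `display:none`, `visibility:hidden`, a tiny font, or a text colour equal to the background colour, and reports how much of the indexable text is invisible and which terms dominate it.

```python
"""Added example (not from the original article): flag keyword-stuffed text that
a human visitor cannot see but a crawler still indexes."""
import re
from collections import Counter
from html.parser import HTMLParser

# Inline-style tricks from the article: hidden elements, tiny fonts, and text
# coloured the same as its background.
_DISPLAY_NONE = re.compile(r"display\s*:\s*none", re.I)
_VIS_HIDDEN = re.compile(r"visibility\s*:\s*hidden", re.I)
_FONT_SIZE = re.compile(r"font-size\s*:\s*([\d.]+)\s*(?:px|pt)?", re.I)
_COLOR = re.compile(r"(?<![-\w])color\s*:\s*([#\w]+)", re.I)   # not background-color
_BG = re.compile(r"background(?:-color)?\s*:\s*([#\w]+)", re.I)
_WORD = re.compile(r"[a-z][a-z-]+")
_VOID = {"br", "hr", "img", "input", "link", "meta"}   # elements that never carry text


def _normalize_color(value):
    """Map common colour spellings to one form so white == #fff == #ffffff."""
    value = value.lower()
    value = {"white": "#ffffff", "black": "#000000"}.get(value, value)
    if re.fullmatch(r"#[0-9a-f]{3}", value):
        value = "#" + "".join(ch * 2 for ch in value[1:])
    return value


def style_hides_text(style, inherited_bg="#ffffff"):
    """Return the reason an inline style hides its text, or None if it is visible."""
    if _DISPLAY_NONE.search(style):
        return "display:none"
    if _VIS_HIDDEN.search(style):
        return "visibility:hidden"
    size = _FONT_SIZE.search(style)
    if size and float(size.group(1)) < 2:
        return "tiny font"
    color, bg = _COLOR.search(style), _BG.search(style)
    background = _normalize_color(bg.group(1)) if bg else inherited_bg
    if color and _normalize_color(color.group(1)) == background:
        return "text matches background"
    return None


class _HiddenTextParser(HTMLParser):
    """Split page text into visible and hidden fragments, remembering why each is hidden."""

    def __init__(self):
        super().__init__()
        self._stack = []          # one hide-reason (or None) per open element
        self.visible, self.hidden = [], []
        self._body_bg = "#ffffff"

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        if tag == "body" and _BG.search(style):
            self._body_bg = _normalize_color(_BG.search(style).group(1))
        reason = style_hides_text(style, self._body_bg)
        if reason is None and ("hidden" in a or tag in ("script", "style")):
            reason = "hidden attribute" if "hidden" in a else tag
        self._stack.append(reason)

    def handle_endtag(self, tag):
        if tag not in _VOID and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        reason = next((r for r in reversed(self._stack) if r), None)
        if reason in ("script", "style"):      # code, not stuffed text
            return
        (self.hidden if reason else self.visible).append((reason, text))


def analyze(html, min_hidden_words=5, max_hidden_ratio=0.3):
    """Score a page: how much of its indexable text is invisible, and which terms dominate it."""
    parser = _HiddenTextParser()
    parser.feed(html)
    hidden = _WORD.findall(" ".join(t for _, t in parser.hidden).lower())
    visible = _WORD.findall(" ".join(t for _, t in parser.visible).lower())
    total = len(hidden) + len(visible)
    ratio = len(hidden) / total if total else 0.0
    return {
        "hidden_words": len(hidden),
        "visible_words": len(visible),
        "hidden_ratio": round(ratio, 2),
        "top_hidden_terms": Counter(hidden).most_common(3),
        "reasons": sorted({r for r, _ in parser.hidden}),
        "suspicious": len(hidden) >= min_hidden_words and ratio > max_hidden_ratio,
    }


# Constructed sample: a short visible article padded with two hidden keyword blocks.
SAMPLE_PAGE = """<html><body style="background:#fff">
<h1>Sports Mental Toughness Questionnaire</h1>
<p>Download the questionnaire template below.</p>
<div style="color:#ffffff; font-size:10px">sports mental toughness questionnaire
  sports mental toughness questionnaire free download questionnaire pdf template</div>
<p style="display:none">blue jacket write up examples industrial hygiene checklist</p>
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_PAGE))
```

The check only reads inline styles, so text hidden through an external stylesheet or by script after load will be missed; treat a low hidden ratio as "nothing found by this check" rather than "clean".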

Another technique [still sometimes in use today] is based on creating cross-links between many sites with the link text containing target keywords. Millions of fake pages were created just for the purpose of building such cross-links. Today, this is not an effective technique in most cases. Top engines such as Google and Bing still consider cross-links during ranking, but they are not as important as other aspects.

Using Blackhat SEO for Malicious Purposes

One of the most common tricks used as part of blackhat SEO is a script that recognizes whether the page is being visited by a search engine crawler or by a real visitor [usually based on the user-agent]. If the page is visited by a crawler, high-ranking content is served. If it is visited by a user, malicious content is served instead, usually using JavaScript and/or redirections.

To attack visitors, cybercriminals use different methods. They create malicious code and try to exploit vulnerabilities in web browsers. They attempt clickjacking or social engineering, for example luring the user into downloading and executing malware such as a fake antivirus [often called scareware]. They pretend to sell a product that does not exist to steal personal data and credit card numbers. There were even cases when large corporations were targeted by such scams: corporate users were tricked into providing personal information, which was then used in social engineering attacks against the corporation.

Exploiting Vulnerabilities

It is not easy to quickly attain a high ranking for a malicious website via blackhat SEO. That is why some cybercriminals try to use existing high-ranking websites to spread malicious content. To do this, they exploit typical web vulnerabilities, for example, Cross-site Scripting [XSS].

If a high-ranking web page has, for example, a stored XSS vulnerability, the attacker may introduce JavaScript code that is executed by every visitor. This code may either directly attempt to spread malware or redirect the user to a different website that is created for malicious purposes [the same ones as in the case of blackhat SEO].

For example, if a new vulnerability is discovered in a common WordPress plugin, the criminal searches for popular terms and checks if the highest-ranking websites are based on WordPress and vulnerable. If so, they introduce malicious code, often reaching millions of users. This is actually one of the most common ways that criminals exploit known vulnerabilities.
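Both the cloaking scripts described under Using Blackhat SEO for Malicious Purposes and the injected redirect scripts described in this section leave the same trace: the page a crawler is served differs from the page a browser is served. The following Python script is an added example of that comparison; it is not code from the original article or from Acunetix. It uses only the standard library; the two sample responses are constructed, and example.invalid is a placeholder domain. The crawler and browser User-Agent strings are real, but `fetch_views()` is the only part that touches the network and the offline comparison does not call it.

```python
"""Added example (not from the original article): compare the page served to a
search engine crawler with the page served to a browser and flag content swaps
or injected redirects."""
import difflib
import re
import urllib.request
from html.parser import HTMLParser

# Real crawler / browser User-Agent strings, used only by fetch_views().
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")

# Inline-script idioms that send the visitor somewhere else.
REDIRECT_PATTERNS = {
    "window.location": re.compile(r"window\.location(?:\.href)?\s*=", re.I),
    "location.replace": re.compile(r"location\.replace\s*\(", re.I),
    "document.location": re.compile(r"document\.location(?:\.href)?\s*=", re.I),
    "top.location": re.compile(r"top\.location(?:\.href)?\s*=", re.I),
}


class _PageSummary(HTMLParser):
    """Collect visible text, links, inline script bodies and external script sources."""

    def __init__(self):
        super().__init__()
        self.text, self.inline_scripts, self.external_scripts, self.links = [], [], [], []
        self.meta_refresh = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_scripts.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if data.strip():
            (self.inline_scripts if self._in_script else self.text).append(data.strip())


def summarize(html):
    """Reduce one response body to the features worth comparing."""
    p = _PageSummary()
    p.feed(html)
    script_body = "\n".join(p.inline_scripts)
    redirects = [name for name, pat in REDIRECT_PATTERNS.items() if pat.search(script_body)]
    if p.meta_refresh:
        redirects.append("meta refresh")
    return {"text": " ".join(p.text), "links": set(p.links),
            "external_scripts": set(p.external_scripts), "redirects": set(redirects)}


def compare_views(crawler_html, visitor_html, min_similarity=0.8):
    """Report how the visitor's copy differs from the crawler's copy of the same URL."""
    c, v = summarize(crawler_html), summarize(visitor_html)
    similarity = difflib.SequenceMatcher(None, c["text"], v["text"]).ratio()
    new_redirects = sorted(v["redirects"] - c["redirects"])
    return {
        "text_similarity": round(similarity, 2),
        "new_redirects": new_redirects,
        "new_external_scripts": sorted(v["external_scripts"] - c["external_scripts"]),
        "new_links": sorted(v["links"] - c["links"]),
        "cloaking_suspected": similarity < min_similarity or bool(new_redirects),
    }


def fetch_views(url, timeout=10):
    """Network helper: request the URL once per User-Agent and compare the two bodies."""
    bodies = []
    for ua in (CRAWLER_UA, BROWSER_UA):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies.append(resp.read().decode("utf-8", "replace"))
    return compare_views(*bodies)


# Constructed responses: what a crawler gets versus what a browser gets.
CRAWLER_VIEW = """<html><head><title>Industrial hygiene walk-through survey checklist</title></head>
<body><h1>Industrial hygiene walk-through survey checklist</h1>
<p>Use this checklist when surveying a workplace for hazards.</p>
<a href="/checklist.pdf">Download the checklist</a></body></html>"""

VISITOR_VIEW = """<html><head><title>Industrial hygiene walk-through survey checklist</title>
<script src="https://example.invalid/loader.js"></script>
<script>window.location = "https://example.invalid/download/checklist.php";</script>
</head><body><p>Loading your document...</p>
<a href="https://example.invalid/download/checklist.php">Download</a></body></html>"""

if __name__ == "__main__":
    print(compare_views(CRAWLER_VIEW, VISITOR_VIEW))
```

Two independent signals are reported because cloaking does not always replace the text: an injected stored-XSS payload can leave the page looking identical and only add a script, which is why a new redirect idiom or a new external script source is flagged even when the text similarity is 1.0.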

Defending Against SEO Poisoning Attacks

To defend your business against all types of SEO poisoning attacks, you should adopt the following best practices:

  • First of all, educate your users not to visit unknown websites and always pay attention to the URL in search engine results.
  • Maintain end-user security solutions such as good antivirus software, or filter out potentially malicious pages centrally by forcing users through a local web proxy.
  • Keep your websites and web applications secure and free of any web vulnerabilities. For this purpose, use a web vulnerability scanner regularly and preferably at the earliest possible stage of website development.
  • If you notice that a malicious site is attempting to undermine your SEO position, immediately report it to the search engine to have the result removed.

Tomasz Andrzej Nidecki, Technical Content Writer
LinkedIn: //mt.linkedin.com/in/tonid

Tomasz Andrzej Nidecki [also known as tonid] is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.


*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: //feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/-OMl45YDNmQ/

What is SEO poisoning?

Search engine optimization [SEO] poisoning is a tactic in which threat actors create malicious websites and use techniques, such as keywords, to increase their rankings and display as one of the first search results.

What is the target of search engine Optimisation?

The SEO process targets mostly organic links and search engine result placement; still, it is often complemented by more aggressive measures [e.g., paid search ads] and is often part of traditional marketing campaigns.

What is SEO poisoning and why is it a tactic of cyber criminals?

SEO poisoning, also known as search poisoning, is an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them show up prominently in search results.

What is search engine Optimisation SEO and why is it important?

SEO stands for Search Engine Optimization. In the simplest of terms, good SEO optimizes your visibility online. This means that the more people see your website, the more your online traffic increases, and the better your chances to provide your product or service to a greater number of people.
