SEO Poisoning Attacks Demand More Scrutiny from Search Engine Users

Search engines have transformed the way we seek out information. With a few simple clicks, the answers to our questions are right at our fingertips.

By providing us with convenient access to unlimited information, search engines have also taught us how to discern the results of our queries. Highly ranked results are viewed as more trustworthy, while less popular information appears as we scroll further down.

This conventional wisdom has compelled many businesses to vie for those prized top spots. The results can be gamed to an extent, of course, but we largely assume that the search engine is putting forth credible information. Unfortunately, threat actors are capitalizing on the blind trust we put in search results by hiding malicious websites in plain sight as part of an attack tactic known as SEO poisoning.

Coalition Incident Response (CIR)* has recently observed SEO poisoning attacks in the wild and is actively encouraging all internet users to exercise caution when clicking on links in search engine results. Here’s what you need to know.

What is SEO poisoning?

Search engine optimization (SEO) is a strategic approach to make a web page rank higher in a search engine. To determine which pages rank at the top, most search engines rely on algorithms that consider various factors, such as relevance, content quality, and site speed.

SEO poisoning is a technique that leverages search engines to trick users into clicking links that appear legitimate but are actually malicious, which threat actors then use to carry out different types of cyber attacks.

How SEO poisoning works

Threat actors can manipulate search engine algorithms in different ways to make their malicious pages, which are created to spoof real pages, rank highly. Some use traditional SEO strategies to increase a page’s relevance, while others may pursue more nefarious tactics to yield results.

Common SEO poisoning tactics include:

  • Keyword stuffing and backlinks: Jamming specific terms or URLs into a page’s text or meta description can manipulate search engines into ranking a page higher.

  • Hijacking websites: Injecting malicious content or links into a legitimate site, rather than creating a new page, can be a quick way to leverage established credibility.

  • Link farms and networks: Using humans or bots to manufacture site traffic and artificially boost search engine rankings can influence a page’s popularity. 

In hopes of a larger payday, threat actors may also target specific personas or industries by selecting certain keywords and websites their desired victims will likely search. Once a victim visits the malicious site, the threat actor’s goal is to force them to download malware or other harmful files.

Case study: SEO poisoning targets cryptocurrency

SEO poisoning attacks may target websites and keywords associated with specific industries, like cryptocurrency, due to the potential financial access they afford. In one recent case, an individual lost more than $900,000 after clicking a malicious link.

CIR obtained a forensic image of the victim’s workstation as part of our investigation. Using a virtual machine and a misattributed system, we simulated the circumstances and actions that led to the SEO poisoning attack.

At the time of the incident, the victim was gathering tax statements from cryptocurrency exchanges. Rather than entering the exact URL, they typed “Binance” into a search engine. The top result showed what appeared to be a link to the crypto exchange. However, the link actually resolved to a fake, malicious website. 

SEO Poisoning - Binance

The fake Binance sign-in page prompted the victim to enter an email address, then a phone number. Once the phone number was entered, a false phone verification popup window appeared, providing the option to call and verify the sign-in.

SEO Poisoning - Phone Verification

When the victim clicked “Call Me,” another window popped up and claimed the victim’s account had been compromised and that the victim would be connected to tech support for assistance.

SEO Poisoning - Support

While on the phone with an unknown threat actor, the victim was redirected to a website that automatically downloaded a remote monitoring and management (RMM) tool. Once the RMM tool was installed, the threat actor instructed the victim to sign into their real account, which is where the fake “security alert” had been shown, and the account was compromised.

How to prevent SEO poisoning attacks

CIR observed a threat actor using SEO poisoning to harvest credentials to a crypto account, which eventually led to a fraudulent transfer. However, SEO poisoning is also commonly used to deploy malware or ransomware.

We consistently warn businesses (and employees) about opening suspicious emails — and that same level of vigilance must be applied to clicking hyperlinks on the public internet. Businesses can help protect themselves from SEO poisoning attacks through employee education and digital monitoring tools: 

  • Security awareness training: As part of any cybersecurity compliance training, businesses should educate employees about SEO poisoning attacks, particularly the cyber risks associated with downloading files from the internet. Even a brief pause to scrutinize the link you are about to click can save the day.

  • Password managers: In addition to generating strong and unique passwords for each site, password managers typically only auto-fill credentials on websites whose domain matches the one stored with the credential. If a user is tricked into visiting a malicious site, the password manager will not auto-fill because the domain does not match the stored one, which should prompt the user to question the site’s legitimacy.

  • Website security: Businesses can implement numerous web security tools to identify and prevent websites from serving malicious content. In particular, firewalls that provide URL filtering on newly registered domains can provide protection against establishing connections to malicious sites.

  • Endpoint security solutions: Endpoint detection and response (EDR) tools and managed detection and response (MDR) services can help businesses identify and block attempted infections by malware delivered via SEO poisoning attacks. Ensuring visibility across the whole network is critical — just keep in mind that not all endpoint security solutions are created equal.
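The password-manager and URL-filtering controls above both come down to the same click-time question: does the domain behind this link match what we already know and trust? The following is an added illustration of both checks, not code from Coalition or from any password manager or firewall product. The vault entries, the domain registration dates (standing in for a WHOIS/RDAP lookup) and the lookalike domain are all constructed sample data, and the public-suffix handling is deliberately reduced to a two-entry list so the example runs offline.

```python
"""Click-time URL checks illustrating two controls against SEO poisoning:
(1) password-manager style domain matching before auto-fill, and
(2) blocking links to newly registered (or unknown) domains.
All data below is constructed for the example."""
from datetime import date
from urllib.parse import urlsplit

# Constructed password vault: label -> domain the credential was saved on.
VAULT = {
    "Binance": "binance.com",
    "Corporate mail": "mail.example-corp.com",
}

# Constructed registration dates, standing in for a WHOIS/RDAP lookup.
REGISTRATION_DATES = {
    "binance.com": date(2017, 4, 1),                 # constructed
    "example-corp.com": date(2012, 6, 15),           # constructed
    "binance-login-verify.top": date(2024, 5, 20),   # constructed lookalike
}

# Minimal stand-in for the Public Suffix List, enough for the sample hosts.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def hostname(url: str) -> str:
    """Extract the lowercase host from a URL; reject URLs without one."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1), e.g. www.binance.com -> binance.com.
    A lookalike such as binance.com.verify-login.top yields verify-login.top,
    because the attacker only controls the rightmost labels."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def autofill_allowed(url: str, vault=VAULT):
    """Password-manager rule: auto-fill only when the visited site's registrable
    domain equals the registrable domain the credential was saved on.
    Returns the matching vault label, or None when nothing should be filled."""
    visited = registrable_domain(hostname(url))
    for label, saved_domain in vault.items():
        if registrable_domain(saved_domain) == visited:
            return label
    return None


def domain_age_days(url: str, today: date, registry=REGISTRATION_DATES):
    """Days since the registrable domain was registered; None if no record."""
    registered = registry.get(registrable_domain(hostname(url)))
    return None if registered is None else (today - registered).days


def assess(url: str, today: date, min_age_days: int = 30) -> dict:
    """Combine both checks into a single click-time verdict.
    Unknown domains are treated as blocked, the conservative choice for a
    newly-registered-domain filter."""
    age = domain_age_days(url, today)
    reasons = []
    if age is None:
        reasons.append("no registration record for domain")
    elif age < min_age_days:
        reasons.append(f"domain registered {age} days ago")
    return {
        "autofill": autofill_allowed(url),
        "age_days": age,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "current" date
    for link in (
        "https://www.binance.com/en/login",
        "https://binance.com.verify-login.top/signin",
        "https://binance-login-verify.top/",
    ):
        print(link, "->", assess(link, today))
```

The lookalike cases are the point of the exercise: a host such as binance.com.verify-login.top contains the real brand name but its registrable domain is not binance.com, so the vault never auto-fills, and a domain registered days before the incident trips the age threshold regardless of how convincing the page looks.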

To learn more about active, AI-powered security tools and services from Coalition, visit coalitioninc.com/security.


*Coalition Incident Response services provided through Coalition’s affiliate are offered to policyholders as an option via our incident response firm panel. The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law. Facts may have been changed to protect the privacy of the parties involved.
This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.