Phishing, Malware
Cybercriminals use SEO tricks to push phishing pages

Search engine optimization (SEO) has become the latest tool for attackers looking to lure in targets for phishing attacks.

Researchers with security vendor Netcraft said that cybercriminals are increasingly looking to inject web pages with code designed to game search engines into prioritizing compromised content and redirecting users to attack sites.

According to Netcraft analyst Andrew Sebborn, threat actors have been injecting otherwise legitimate web pages with URL keywords and embedded JavaScript code that is able to forward users to exploit pages.

“The injected content is subtle, often invisible to site owners or casual visitors, but highly effective at influencing Google’s PageRank system. Sites are chosen by threat actors based on their reputational value, with links from .gov, .edu, and Country Code TLDs used to boost the credibility of their malicious content,” Sebborn explained. “These ccTLDs are desirable in SEO as Google assumes that the content of such a domain is more relevant than one without and prioritizes it for delivery in a search from that specific country.”

According to Sebborn, SEO optimization is not only a useful tactic for cybercriminals who operate their own malware and phishing networks, but the technique can be a full occupation for enterprising criminals who can compromise sites en masse and resell access.

The Netcraft team found that on one darkweb marketplace known as Hacklink, SEO optimization services can sell for as little as $1 per site. In such cases the threat actor will offer the ability to inject already-compromised sites with select keywords and phrases aimed at generating search engine traffic and gaining priority placement in search results.

In a typical attack, the compromised site and its URL are seeded with the keywords and injected JavaScript code, and the site then redirects to an external site with the actual phishing pages or malware drop sites.

The aim, according to Sebborn, is to keep the target in the dark as to what operations are actually taking place, keeping the illusion that a legitimate page related to their search query is being opened.

Often, said Sebborn, the attackers will gain their initial infiltration through low-hanging fruit rather than complex exploit sequences. In particular, the cybercriminals prefer to target high-value websites such as online gambling portals that rely on user and are more likely to extract valuable details such as account numbers and credentials.

“The attack begins with the compromise of a legitimate website, often through exposed admin panels or unpatched vulnerabilities,” Sebborn explained.

“Once inside, the attacker injects JavaScript or HTML that contains a network of outbound links, each associated with specific keywords.”

Sebborn told SC Media that there are some steps administrators can take to protect their sites from attack or to sniff out already active attacks.

"Site owners can check their site regularly for unnatural links with SEO tools. They may also arrange an alerting / watchdog system for such exploits," Sebborn explained.

"If and when detected, undesired links can be mitigated within the Google Search Console (with a disavow here) and within Bing Webmaster."
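
One way a site owner could build the kind of watchdog Sebborn mentions, as an added example that is not from Netcraft or the original article: it parses a page, compares every outbound link and external script host against an approved baseline, and marks the ones sitting inside hidden markup. The baseline list, the hidden-style heuristics and all `.example` hostnames are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to hide injected content (heuristic, not exhaustive).
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class LinkAudit(HTMLParser):
    """Collect <a href> and <script src> targets on hosts outside the baseline."""
    def __init__(self, site_host, baseline_hosts):
        super().__init__()
        self.site_host = site_host
        self.known = {site_host, *baseline_hosts}
        self.stack = []      # (tag, hides_content) for each currently open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDDEN.search(a.get("style") or ""))
        url = a.get("href") if tag == "a" else a.get("src") if tag == "script" else None
        if url:
            host = (urlparse(url).hostname or self.site_host).lower()
            if host not in self.known:
                concealed = hides or any(h for _, h in self.stack)
                self.findings.append({"tag": tag, "host": host, "hidden": concealed})
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not skew state.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, site_host, baseline_hosts=()):
    parser = LinkAudit(site_host, baseline_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: approved CDN script and partner link, plus a hidden
# block of keyword links and a script from a host that is not in the baseline.
SAMPLE = """<html><body><p>Welcome <a href="/about">about us</a>
<a href="https://partner.example/">our partner</a>
<script src="https://cdn.example/app.js"></script>
<div style="position:absolute; display: none"><ul>
<li><a href="https://bet-site.example/slots">online slots bonus</a>
<li><a href="//promo.example/win">casino free spins</a></ul></div>
<script src="https://static-cache.example/r.js"></script></body></html>"""
```

Run from a scheduled job, `audit(page_html, "www.site.example", baseline)` returns one record per unapproved host; records with `hidden` set are the strongest signal of injected SEO links, while the rest are candidates for review or for adding to the baseline.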