Bart Lenaerts-Bergmans – May 4, 2023
Search engine optimization (SEO) poisoning and malicious advertising (malvertising) have increased significantly as more people use search engines than ever before. SEO poisoning affects both individuals and enterprises, yet many are unaware of the security threat it poses.
This article will discuss SEO poisoning—how it works, detection and prevention mechanisms, and mitigation strategies.
SEO poisoning is a technique used by threat actors to increase the prominence of their malicious websites, making them look more authentic to consumers. SEO poisoning tricks the human mind by assuming the top hits are the most credible and is very effective when people fail to look closely at their search results. This can lead to credential theft, malware infections, and financial losses.
Threat actors may even use targeted types of SEO poisoning, like spear-phishing, to go after specific users, like IT admins. The technique enables attackers to target and customize their attacks to specific audiences, making them more challenging to identify and defend against.
Malicious actors use a variety of techniques to accomplish SEO poisoning. One common method is typosquatting, which targets users who might open their browser and input a website address that has an inadvertent typo or click on a link with a misspelled URL. To exploit these minor user errors, attackers register domain names similar to legitimate ones.
Let’s consider an example. A user searches for TeamViewer (a program that allows remote connection to computers) by typing “team viewer” into their search bar. The user may hit the first result without looking too closely at the URL and be redirected to a fake website where they’re prompted to download malware-infected files.
Typosquatting domains are often featured at the top of the search results, making it likely that users will click on them.
Example of seo poisoning on a search engine result
Blackhat SEO refers to unethical tactics website owners use to boost search engine ranks, such as keyword stuffing, cloaking, search ranking manipulation, and using private link networks.
In January 2023, there were multiple incidents of fake installers distributed via SEO poisoning or malvertising. Cybercriminals used poisoned Google Ads to drop a Python-based malware that would steal information such as browser passwords and cryptocurrency wallets.
Fake installers and SEO poisoning remain popular among criminals for delivering malware. For example, recent incidents involved fake installers for OBS Studio or Notepad++ which loaded malware to steal sensitive information.
Identifying SEO poisoning can be difficult, but organizations can better prepare themselves by implementing typosquatting detection procedures using Digital Risk Monitoring tools. As soon as a new lookalike URL is created, DRM can inform security personnel with information about the owner.
Another method to detect malicious URLs is through usage of Indicators of compromise (IOC) IOC lists containing URLs can provide evidence on  suspicious website behavior, anomalous search engine rankings, phishing attempts, unexpected changes in website traffic, and suspicious content. The lists can be used as watchlists or blocklists for preemptive detection or blocking.
Endpoint detection and response (EDR) solutions are a good way to quickly spot IOCs, as they monitor and record user and client history. EDR tools can undertake forensic analysis and investigate all user activity during a breach to determine a malicious file’s entry into the system. Security teams can detect and contain SEO poisoning attacks by evaluating these data points.
Beyond monitoring methods, organizations can also take proactive steps to prevent SEO poisoning attacks.
User security training and awareness are critical in combating SEO poisoning attempts. Organizations may lower the chances of falling prey to these attacks by training staff on safe browsing practices, phishing awareness, and effective endpoint security measures.
Implementing a solid internal security posture and blocking known malicious sites can aid in preventing SEO poisoning attempts. Organizations can reduce the risk of employees visiting dangerous websites by frequently upgrading security software and establishing rigorous web filtering procedures.
Regularly disclosing abnormal SEO results to your security team allows for rapid identification and response to any SEO manipulation attempts. It can also help ensure that the company can proactively protect its search engine rankings and online reputation.
To reduce the risk of SEO poisoning attacks, organizations can use typosquatting detection tools like CrowdStrike Falcon Intelligence Recon to identify whether a variation of their domain is already in use by someone else.
The 2023 Global Threat Report highlights some of the most prolific and advanced cyber threat actors around the world. These include nation-state, eCrime and hacktivist adversaries. Read about the most advanced and dangerous cybercriminals out there.
This article discussed SEO poisoning, a technique cybercriminals use to distribute malware, steal credentials, and engage in illegal activities. Individuals and businesses must be aware of the hazards and take proper measures to protect themselves, such as conducting regular security assessments, educating staff and customers, and implementing endpoint detection and response systems.
CrowdStrike Falcon Insight XDR is an endpoint detection and response system that includes real-time response, enabling security teams to detect SEO poisoning instantly. To get started, check out the free CrowdStrike Falcon trial.
Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.

source