SEO poisoning

What is SEO poisoning?

Search engine optimization poisoning (SEO poisoning) means obtaining a high search engine ranking through dishonest means. Legitimate websites may use it to artificially boost their popularity. If done with malicious intent, SEO poisoning can be used by cybercriminals to install malware such as ransomware or trojans on the user’s machine, gain remote access to the victim’s device, or mislead the user into supplying sensitive information such as authentication details. When successful, this could eventually result in a data breach. The same term is sometimes applied to exploiting vulnerabilities on high-ranking legitimate web pages.

Cybercriminals use SEO poisoning campaigns to rapidly and easily contact a large number of people, making popular search terms a frequent target. For example, natural disasters are often accompanied by SEO poisoning efforts where the perpetrators attempt to deceive victims into sending them monetary aid. Similar attacks have been seen during significant political campaigns and other major world events, such as the COVID-19 pandemic.

SEO poisoning using blackhat SEO

The term blackhat SEO refers to all techniques used to deceive search engines to attain a high search ranking. Search engine ranking algorithms are constantly changing and different engines employ different ranking methodologies, so blackhat SEO strategies must evolve as well.

Previously, the most common practice was keyword stuffing. This was when search engines assessed websites only on the basis of keywords, which could be inserted anywhere, including meta tags as well as actual website content. In those early days, the content did not even need to make sense. As a result, blackhat SEO frequently meant stuffing as many keywords as possible into text fragments that were invisible to the visitor (often white text in small font on a white background).

Another strategy (which is still used occasionally today) is to create cross-links across multiple sites, with the link text containing desired keywords. Millions of such link farms have been produced solely to generate large numbers of cross-links. In most cases, this is no longer an effective strategy. Cross-links are still considered by top engines such as Google Search and Bing, but they are now less important for ranking, and link farms are generally detected and downranked.

Although blackhat SEO is not illegal, it is unethical. The majority of blackhat SEO pages are not malicious but may include clickbait pages that make money by displaying adverts to a huge number of visitors or monetizing visits in another way.

Using blackhat SEO for malicious purposes

One of the most popular attack methods used by malicious hackers for blackhat SEO is to create scripts that detect whether a website is being accessed by a search engine crawler or a human (typically based on the User-Agent header). When a crawler visits the page, highly relevant material is served to achieve a good search ranking. If an actual user visits the same URL, malicious content is served instead, usually through the use of JavaScript and/or redirections.

To capitalize on the web visits gained through blackhat SEO, cybercriminals write harmful programs and attempt to exploit weaknesses in web browsers to attack visitors. They use clickjacking or social engineering to trick users into downloading and running malware, such as a phony antivirus (also known as scareware). They may claim to sell a non-existent product in order to obtain personal information and credit card numbers. In the past, such scams have also targeted huge corporations, with corporate users duped into submitting personal information that was then used for social engineering attacks against the organization.

SEO poisoning by exploiting vulnerabilities

It is difficult to quickly achieve a high position for a malicious website through blackhat SEO. As a result, some fraudsters attempt to propagate dangerous content through existing high-ranking websites. To do this, they take advantage of common web vulnerabilities, such as cross-site scripting (XSS).

If a high-ranking web page has a stored XSS vulnerability, for example, the attacker may inject JavaScript code that is executed by every visitor’s browser. This code may either attempt to transmit malware directly or redirect the user to a different malicious website (similar to blackhat SEO).

For example, if a new vulnerability is disclosed in a widely-used WordPress plugin, cybercriminals may check if high-traffic sites that rank highly for popular search phrases are built on WordPress and vulnerable. If so, they can attack a site and inject malicious code that can quickly reach millions of users. This is one of the most common reasons for criminals to exploit known website vulnerabilities.

How to detect SEO poisoning?

SEO poisoning through blackhat SEO techniques affects search engines, not your websites or applications, so it is beyond the application owner’s control. On the other hand, SEO poisoning performed by exploiting XSS and other vulnerabilities in your web apps could have a direct impact on your reputation. The optimal method for detecting such flaws depends on whether they are already known or unknown.

  • If you only use commercial or open-source web applications and do not develop web applications of your own, it may be enough to identify the exact version of the application you are using. If the identified version is susceptible to vulnerabilities such as XSS, you can assume that your website is vulnerable. You can identify the version manually or use a suitable security tool, such as a software composition analysis (SCA) solution.
  • If you develop your own web applications or want the ability to potentially find previously unknown vulnerabilities (zero-days) such as XSS in known applications, you must be able to successfully exploit the vulnerability to be certain that it exists. This requires either performing manual penetration testing with the help of security researchers or using a security testing tool (scanner) that can use automation to exploit web vulnerabilities. Examples of such tools are Invicti and Acunetix by Invicti. We recommend using this method even for known vulnerabilities.

How to prevent SEO poisoning?

To protect your business from all sorts of SEO poisoning attacks, implement these best practices:

  • Educate your end users to avoid visiting unknown websites, clicking potentially malicious links, running downloaded executables, or opening ZIP files without IT approval. Users should also be trained to always pay attention to the URL in search engine results.
  • Maintain endpoint security solutions, such as antivirus software, or centrally filter out potentially malicious URLs by enforcing local web proxies for users.
  • Maintain the security and safety of your websites and web apps. Use a DAST tool on a regular basis, preferably from an early stage of website development.
  • If you find a malicious site trying to undermine your SEO position, report it to the search engine operator immediately to get the result removed.

Frequently asked questions

What is SEO poisoning?

SEO poisoning is a cybersecurity expression that can refer to one of two things: blackhat SEO (using unethical tricks to rank high in search engines) or exploiting weaknesses in high-ranking pages to spread malware or redirect traffic. Persistent XSS is one of the most popular types of vulnerabilities exploited in such scenarios.
Learn more about persistent cross-site scripting, which may be used for SEO poisoning.

How dangerous is SEO poisoning?

If your compromised website is used in an SEO poisoning cyberattack, it could have serious consequences for your reputation. Your users, clients, and prospects could be served dangerous payloads and get infected with malware such as ransomware as a result.
Read more about how web application security is important to avoid ransomware attacks.

How to prevent SEO poisoning?

Eliminate online vulnerabilities in your websites and web apps to prevent threat actors from using your assets for SEO poisoning. Pay special attention to cross-site scripting vulnerabilities, which are the security flaws most likely to be exploited in phishing or SEO poisoning campaigns.
Find out how to prevent cross-site scripting vulnerabilities.

Written by: Tomasz Andrzej Nidecki, reviewed by: Benjamin Daniel Mussler