SEO Poisoning: The New Normal Brings New Threats

We all know how difficult it is to keep pace with cybersecurity trends and threats. Cryptojacking, DDoS attacks, ransomware, backdoors, SQL injection, phishing, malware… the list is extensive, and this handful of examples barely scratches the surface.

Unfortunately, recognizing the attack vectors of today and staying vigilant has never been more important. The number of data breaches in 2021 has already soared past the figure recorded last year, even though attackers were able to ride on the coattails of the pandemic-induced disruption from March 2020 onwards.

The article read: “The non-profit’s figures for Q3 breach volumes came in at 446 incidents. Although this is lower than the 491 breaches reported in the second quarter, the total for the year-to-date is now 1291, versus 1108 in 2020.”

The volume of attacks is rising, and so too is the volume of techniques, as Menlo Security’s latest attack campaign monitoring efforts show.

We’ve observed SEO Poisoning gaining a little momentum of late, this being a somewhat lesser-known part of today’s threat actor arsenal.

SEO (short for search engine optimization) is typically a term used in the marketing world. By definition, it’s a technique used to improve the positioning of web pages in organic search results to drive more traffic to a website, drive greater visibility among prospects and customers and eventually (or hopefully) improve sales. Just as marketers are vying for the attention of web browsers, so too are cyber-criminals. This is where the darker side of SEO – SEO poisoning – comes in.

Here, attackers falsely inflate the search engine ranking of malicious webpages by injecting keywords, pushing them onto the first page of search results where possible to catch out unsuspecting victims.

Much of the danger lies in the fact that many of us rarely think about security when browsing at leisure. Indeed, approximately three in four people will never scroll past the first page of results, assuming that websites that appear at the top of their searches are both credible and relevant.

Therefore, the opportunity for threat actors is clear, as we at Menlo have witnessed first-hand through tracking two prevalent SEO poisoning campaigns across our global customer base – Gootloader and SolarMarker.

Uncovering the Affected Websites

Our investigations uncovered 2000 unique search terms whose search results directed users to malicious websites.

It is worth noting that many of these were highly niche search terms such as ‘Sports Mental Toughness Questionnaire’ and ‘industrial-hygiene-walk-through-survey-checklist.’

Words like ‘questionnaire’ and ‘checklist’ suggest that users navigating to such pages may expect to be presented with a PDF, this being the exact attack vector that threat actors have been using in their SEO poisoning campaigns.

Users navigating to these pages are presented with the option to download a malicious PDF. Should they agree, they then experience a series of HTTP redirections before finally downloading a malicious payload ranging from 70–123 megabytes in size. The file size is significant. Indeed, this range exceeds the typical limits set by sandboxes and content inspection engines.

WordPress was the common platform in every instance we observed, and in each case the Formidable Forms plug-in was exploited – specifically, its associated /wp-content/uploads/formidable/ directory.
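Defenders can hunt for this delivery chain in web proxy logs. The sketch below is an added example, not Menlo Security's code: it assumes a constructed CSV log format (epoch, client, URL, status, bytes) and that the lure is fetched from the directory named above; the time window and redirect count are illustrative assumptions, while the 70 MB floor comes from the payload sizes reported here.

```python
import csv
import io
from urllib.parse import urlsplit

LURE_DIR = "/wp-content/uploads/formidable/"  # directory named in the article
MIN_PAYLOAD = 70 * 1024 * 1024   # low end of the 70-123 MB range reported above
WINDOW_S = 120                   # assumption: the chain completes within two minutes
MIN_REDIRECTS = 2                # assumption: "a series" means at least two 3xx hops

# Constructed sample proxy log: epoch,client,url,status,bytes
SAMPLE_LOG = """\
1000,10.0.0.5,https://blog.example/wp-content/uploads/formidable/8/safety-checklist.pdf,200,48211
1004,10.0.0.5,https://hop1.example/go?id=1,302,0
1005,10.0.0.5,https://hop2.example/r,302,0
1009,10.0.0.5,https://cdn.example/files/checklist-download.bin,200,104857600
1010,10.0.0.7,https://vendor.example/wp-content/uploads/formidable/2/form.pdf,200,51200
1500,10.0.0.7,https://mirror.example/iso/image.iso,200,900000000
2000,10.0.0.9,https://updates.example/pkg.bin,200,90000000
"""

def find_chains(log_text):
    """Flag clients whose lure fetch is followed by redirects and an oversized download."""
    pending = {}   # client -> state of a chain that started at a lure URL
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        ts, client, url, status, size = row
        ts, status, size = int(ts), int(status), int(size)
        if status == 200 and LURE_DIR in urlsplit(url).path.lower():
            pending[client] = {"start": ts, "lure": url, "redirects": 0}
            continue
        chain = pending.get(client)
        if chain is None:
            continue
        if ts - chain["start"] > WINDOW_S:
            del pending[client]          # too late to belong to the same chain
        elif 300 <= status < 400:
            chain["redirects"] += 1
        elif status == 200 and size >= MIN_PAYLOAD and chain["redirects"] >= MIN_REDIRECTS:
            findings.append({"client": client, "lure": chain["lure"], "payload": url,
                             "redirects": chain["redirects"], "mb": round(size / 2**20, 1)})
            del pending[client]
    return findings

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

Large downloads alone are common (the `.iso` and `.bin` rows are not flagged); it is the combination of lure path, redirect hops and a file too large for content inspection that makes the pattern worth triaging.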

A check of the plug-in’s changelog shows that a security update was issued after our monitoring campaign was concluded. However, it is unknown whether this addressed the problem associated with the initial vector in the SEO poisoning campaigns that we observed.

The majority of malicious websites we saw were fake business websites, yet there were many others, ranging from sites impersonating shopping, job search and travel services to fake health and medicine webpages.

Alarmingly, we also found that several well-respected education and government sites were hosting malicious PDFs; Menlo thereafter took the necessary steps to inform all parties affected.

Adopting an Improved Security Strategy

It is clear that threat actors are adapting their practices to maximize their scope in the new normal. Indeed, SEO poisoning demonstrates the acknowledgment of attackers that remote and hybrid business models have resulted in increased use of the browser.

To better protect themselves, organizations need to react – and in many instances, they are. A recent survey of IT professionals showed that the majority of firms (75%) see remote workers accessing applications on unmanageable devices as a vulnerability. Further, more than half (53%) plan to reduce or limit third-party access to systems and resources over the next 12–18 months as a further means of protection.

Such statistics show that firms are willing to take greater action and adjust their security strategies to address modern threats. For those looking to make a start, we suggest zero trust and isolation technologies are vital tools in combating cybercrime.  
