Getty Images
What is SEO Poisoning, How Can Healthcare Defend Against It?
Threat actors lure victims into clicking on seemingly credible links by optimizing malicious web pages through a tactic known as SEO poisoning.
It is reasonable to assume that the first few links that pop up as a result of an inquiry on a search engine are the most credible. In fact, thanks to search engine optimization (SEO), the first results often are the most reliable sources. However, cyber threat actors are cognizant of this and are more than willing to take advantage of an internet user’s assumed trust in these search results.
Using SEO poisoning, cybercriminals leverage tried-and-true SEO tactics to craft malicious websites and make sure that they rank highly in search results. When a user clicks on that link, they may make themselves vulnerable to malware, credential theft, and other forms of compromise.
HHS issued an analyst note in June 2023 warning healthcare entities to remain vigilant against SEO poisoning as it continues to become a more significant threat in the sector. Defending against this tactic requires an understanding of common SEO poisoning methods, known attacks against healthcare, and key safeguards to protect individuals and organizations from this cyberattack method.
SEO Poisoning Explained
“SEO poisoning attacks consist of altering search engine results so that the first advertised links actually lead to attacker-controlled sites, generally to infect visitors with malware or to attract more people using ad fraud,” HHS explained in an analyst note on the topic.
“A user who does not read the URL (web address) closely or is unsure of the exact URL of the software might click on any of those attacker-controlled domains, which could result in a compromise.”
One of the most common types of SEO poisoning is typosquatting, HHS noted. Typosquatting relies on a user misspelling a URL, leading them to a malicious website.
“An example of this would be a user searching a keyword in their web browser. The user may hit the first result without looking too closely at the URL—which can contain misspellings like ‘Goggle’ instead of ‘Google’ or characters that look similar like ‘1’ instead of ‘l’—and be redirected to a fake website where they are prompted to download malware-infected files,” HHS stated.
Domains featuring typosquatting may appear at the top of search results thanks to blackhat SEO, HHS continued, citing a blog post by CrowdStrike. Threat actors use blackhat SEO, or unethical SEO tactics, to boost search engine rankings using a variety of tactics, from keyword stuffing to private link networks.
Keyword stuffing involves cramming random keywords into the text of a webpage in order to trick search engine algorithms into ranking the website higher. Another method is cloaking, in which different content is provided to search engine crawlers than users who actually click the link.
“This method utilizes bots or humans to search for keywords and generate fake clicks for a particular website,” CrowdStrike noted.
Threat actors may also artificially increase a site’s click-through rates to boost rankings or use private link networks to string a group of unrelated websites together and backlink them to one main site.
Using common SEO tactics and manipulating search engine rankings allows threat actors to achieve their goals of obtaining sensitive data and taking advantage of victims for financial gain. A growing list of reported attacks using SEO poisoning shows that this technique is not going away any time soon and poses a direct threat to healthcare.
How SEO Poisoning Threatens Healthcare
“As more organizations utilize search engines and healthcare continues to digitally transform, SEO poisoning is becoming a larger security threat,” HHS stated. “HC3 has observed this attack method being used recently and frequently against the U.S. Healthcare and Public Health (HPH) sector.”
In February 2023, Cybereason released a report about new deployment methods of GootLoader malware and an observed uptick in SEO poisoning.
“GootLoader generally relies on JavaScript for its infections. It also uses SEO poisoning techniques to place its infected pages in internet browser search results. That way, it will change how potential victims see them by presenting different websites whenever your link is clicked,” the report explained.
“SEO Poisoning and Google service abuse like Google Ads are becoming a trend amongst malware operators to distribute their payloads.”
Cybereason observed these techniques impacting the healthcare and finance sectors in particular.
In one of BlackBerry’s quarterly Global Threat Intelligence Reports, issued in April 2023, the company predicted an increase in SEO poisoning in healthcare in the coming months.
“As digitization grows, the healthcare industry—including device manufacturers, software and network solution providers, and healthcare providers—must prioritize cybersecurity throughout their infrastructure to meet regulatory requirements and safeguard patient data,” BlackBerry stated.
Like HHS, BlackBerry pointed to the rise of digital transformation as a contributing factor to the increasing risk of SEO poisoning. While digital transformation can help organizations improve operational efficiencies and security in the long-run, the process of implementation may leave gaps in an entity’s security architecture.
As healthcare organizations continue to embark on digital transformation journeys, network defenders must adapt to a new set of digital threats.
Mitigating the Risks of SEO Poisoning
Defending against SEO poisoning can be challenging, HHS acknowledged in its analyst note. However, there are concrete steps that organizations can take to mitigate risk, such as implementing typosquatting detection procedures.
“Organizations should carefully check every new domain that is registered on the Internet that contains similarities with any of their brands or names,” HHS advised.
“As attackers often register domain names that are very similar to the legitimate ones, it is possible to detect them quickly in most cases, immediately analyze the situation, and take action to mitigate the risk.”
What’s more, healthcare organizations may leverage indicators of compromise (IOC) lists to detect known malicious URLs. IOC lists can keep organizations abreast of phishing attempts, changes in website traffic, and unusual search engine rankings.
Keeping web filtering technology up-to-date is crucial to mitigating risk and preventing users from accessing malicious links. In addition, employee security training and awareness can go a long way in helping users recognize the warning signs and avoid falling victim to a threat actor’s tactics.
Awareness of SEO poisoning is the first step. Encouraging users to inspect links and prioritizing threat detection and risk management are key to defending against SEO poisoning.