
SEO poisoning (search poisoning)

What is SEO poisoning (search poisoning)?

SEO poisoning, also known as search poisoning, is an attack in which cybercriminals create malicious websites and then use search engine optimization (SEO) techniques to push those sites high in the search results for terms their intended victims are likely to search for. It is frequently combined with malicious advertising (malvertising), in which the attacker pays for sponsored results so that the malicious link appears as an ad at the very top of the page. Because of their prominence in the results, users tend to assume that the links lead to websites that are legitimate and safe.

One of the main reasons that threat actors use SEO poisoning is to get site visitors to inadvertently download malware onto their systems. For example, users might click a link to a malicious website that looks like a webpage for downloading a familiar app. When they go to the site, they're prompted to download a malicious file, thinking it's the application they're after. Once the malware is installed on their systems, it might record keystrokes, take over their computers or spread to other devices on the network, leaving a company vulnerable to ransomware, compromised data or other threats.

Threat actors might also use SEO poisoning to get users to reveal sensitive information, such as credit card numbers, login credentials or personally identifiable information (PII). A user might, for example, click a link to what appears to be an online store, intending to make a purchase. The link instead takes the user to a malicious website that looks nearly identical to the real store or at least looks credible enough to appear trustworthy. There the user is prompted for a name, address and credit card number, information that is quickly sold to the highest bidder.

Figure (diagram illustrating types of malware): SEO poisoning tricks victims into going to fraudulent websites to infect them with malware or fraudulently access sensitive information.

Not all malicious websites try to duplicate credible sites. They might be created only to host content filled with terms that large numbers of people are likely to include in their searches, such as phrases related to news items or viral videos.

Threat actors might also create websites with names and descriptions associated with popular or trending topics. For example, in the weeks leading up to Halloween, cybercriminals might launch sites offering free templates for Halloween costumes. Or in the month before Christmas, they might launch holiday recipe sites. The websites might be devoid of relevant content or might feature content stolen from valid sites. Their only purpose is to infect visitors with malware or fraudulently access sensitive information.

An example of SEO poisoning is the SolarMarker campaign, in which the malware was distributed through malicious PDF files stuffed with search keywords and hosted on free web services such as Google Sites. Tracked since late 2020, the campaign relied on SEO poisoning to place those PDFs near the top of Google search results for queries about common business documents such as forms and templates. A victim who opened a PDF and clicked its download button was sent through a chain of redirects to a fake Windows installer, which ran a PowerShell script to install the SolarMarker backdoor.

Figure (screenshot of a SolarMarker-infected PDF): Example of an SEO-poisoned PDF used by SolarMarker actors to lure users into downloading a fake Windows installer.
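The lure PDFs in that campaign carried little beyond a link whose target was off-site. As an added example (not code from the page or from any SolarMarker analysis), the following scanner pulls every URI action out of an uncompressed PDF and flags the ones that leave the domain the PDF was served from. The sample PDF is a constructed minimal file and its hostnames are invented placeholders; a real triage tool would feed it the bytes it just downloaded.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# The first points off-site to an invented download host, the way the
# keyword-stuffed lure PDFs did; the second stays on the hosting domain.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100]
  /A << /S /URI /URI (https://free-templates.example/download?id=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 120 300 150]
  /A << /S /URI /URI (https://sites.example.org/hosted-page) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The /URI key of a URI action holds a PDF literal string. Parentheses inside
# it are backslash-escaped, so accept an escaped character or any non-paren.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^()\\])*)\)")


def extract_uris(pdf_bytes):
    """Return every URI action target visible in an uncompressed PDF body."""
    out = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = (m.group(1)
               .replace(b"\\(", b"(")
               .replace(b"\\)", b")")
               .replace(b"\\\\", b"\\"))
        out.append(raw.decode("latin-1"))
    return out


def offsite_links(pdf_bytes, hosting_domain):
    """URIs whose host is neither hosting_domain nor one of its subdomains."""
    hosting_domain = hosting_domain.lower()
    flagged = []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        if host != hosting_domain and not host.endswith("." + hosting_domain):
            flagged.append(uri)
    return flagged


def has_object_streams(pdf_bytes):
    """Caveat: annotations inside compressed object streams or FlateDecode'd
    data are invisible to the regex. Report that so the caller can decompress
    first (for example with a full PDF parser) instead of trusting an empty result."""
    return b"/ObjStm" in pdf_bytes or b"/FlateDecode" in pdf_bytes


if __name__ == "__main__":
    print(extract_uris(SAMPLE_PDF))
    print(offsite_links(SAMPLE_PDF, "sites.example.org"))
    print("compressed objects present:", has_object_streams(SAMPLE_PDF))
```

The regex approach is deliberately dependency-free, which is why the last function exists: a PDF that keeps its annotation objects in an object stream will yield no URIs at all, and silence must not be read as "clean".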

The rising tide of SEO poisoning

In January 2023, cybersecurity firm SentinelOne published a blog post by Tom Hegel, warning of an increase in SEO poisoning attacks. The company found that, in most attacks, the threat actors were trying to infect user systems with commodity malware. According to the post, the criminals were most successful when they used SEO poisoning to impact the search results for "popular downloads associated with organizations that do not have extensive internal brand protection resources."

To illustrate this concept, Hegel pointed to the ongoing SEO poisoning campaign associated with the Blender 3D graphics app. He included several examples of rogue ads at the top of the Google search results that linked to malicious websites. Hegel also noted that the malicious ads quickly shifted between searches, suggesting that the cybercriminals were automating their attacks at scale. The automation appeared to apply both to the SEO poisoning itself and to the creation of the malicious domains.

In February 2023, Cybereason published a threat alert about the GootLoader malware and how SEO poisoning was being used to spread it. GootLoader's operators compromise legitimate websites and seed them with pages that rank for searches such as legal agreement or contract templates. A visitor who lands on one of those pages is offered a ZIP archive containing a JavaScript file; when the user double-clicks it, Windows Script Host runs the script, which fetches the next-stage payload. This technique relies on the organic search rankings of the compromised sites rather than on purchased ads.
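From the defender's side, the tell is a script host starting a .js file out of a user's download area at the request of explorer.exe. The following detection logic is an added example, not Cybereason's own detection or code from this page: it scores Sysmon-style process-creation events and is run here over three constructed events (invented hosts, users and file names). Field names follow a generic "image / parent_image / command_line" shape that you would map to your own telemetry.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
# Profile locations a user can write to without elevation: where browser
# downloads land and where archives opened from the browser get extracted.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\", re.IGNORECASE)

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
# Events 1 and 3 look like a script double-clicked out of a downloaded archive;
# event 2 is routine vendor tooling started by the service control manager.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\agreement_template\mutual nda agreement template 43821.js"'},
    {"host": "ws01", "user": "SYSTEM",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe //B C:\ProgramData\vendor\health_check.vbs"},
    {"host": "ws02", "user": "asmith",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r'"C:\Windows\System32\cscript.exe" C:\Users\asmith\AppData\Local\Temp\invoice_archive\invoice.jse'},
]


def _tokens(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def script_argument(command_line):
    """First argument that carries a script-file extension, or None."""
    for tok in _tokens(command_line):
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return tok
    return None


def assess(event):
    """(severity, reasons, script_path) for a suspicious script-host launch, else None."""
    if PureWindowsPath(event["image"]).name.lower() not in SCRIPT_HOSTS:
        return None
    script = script_argument(event["command_line"])
    if script is None:
        return None
    reasons = []
    if USER_WRITABLE.match(script):
        reasons.append("script lives in a user-writable profile path")
    if PureWindowsPath(event["parent_image"]).name.lower() == "explorer.exe":
        reasons.append("started by explorer.exe, i.e. a user double-click")
    if PureWindowsPath(script).suffix.lower() in {".js", ".jse"}:
        reasons.append("JScript file, the GootLoader first-stage type")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "low"
    return severity, reasons, script


def find_alerts(events):
    """Run assess() over a batch and return (host, severity, script) tuples."""
    alerts = []
    for ev in events:
        verdict = assess(ev)
        if verdict:
            alerts.append((ev["host"], verdict[0], verdict[2]))
    return alerts


if __name__ == "__main__":
    for host, severity, script in find_alerts(SAMPLE_EVENTS):
        print(host, severity, script)
```

The second event is the false positive this logic is tuned to avoid: a .vbs under ProgramData launched by services.exe earns no reasons and is dropped. A stronger version would also check the file's Zone.Identifier stream (Mark of the Web), which browser downloads carry and the scripts from a locally built archive do not.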

In April 2023, BlackBerry published its "Global Threat Intelligence Report," which covered the period from December 2022 through February 2023. According to the report, SEO poisoning increased during the reporting period, especially in the healthcare industry. The report also concluded that SEO poisoning is becoming more widespread and is expected to grow.

In June 2023, the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS) published an analyst note that warned about the rising use of SEO poisoning against the healthcare and public health sector. According to the note, cybercriminals carry out their attacks with so-called hacker SEO, or black hat SEO, techniques: tactics that violate search engine guidelines and are used to boost rankings artificially. Examples include cloaking (serving one page to the search engine's crawler and a different one to human visitors), keyword stuffing, search ranking manipulation and private link networks.
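Cloaking and keyword stuffing are both observable from outside: request the same URL once with a crawler User-Agent and once with a browser User-Agent, then compare what each view actually says. The code below is an added example written for this page (not from HC3 or any vendor) that does exactly that. Because it must run offline, the HTTP fetch is replaced by constructed_fetch, which returns two constructed HTML documents: a keyword-stuffed page for the crawler and a meta-refresh bounce to an invented download host for the browser. The similarity and density thresholds are illustrative starting points, not calibrated values.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Public Googlebot User-Agent and a generic Chrome-on-Windows one.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0 Safari/537.36"

# Constructed responses, not captured from a real site. The crawler view is a
# keyword-stuffed landing page; the browser view bounces straight to an installer.
CRAWLER_VIEW = """<html><head><title>Blender download free Blender download</title></head>
<body><h1>Blender download</h1>
<p>Blender download free blender download latest blender download windows blender download
safe blender download official blender download fast blender download.</p>
<p>Get blender download now. Blender download blender download blender download.</p>
<script>var tracking = 1;</script></body></html>"""

BROWSER_VIEW = """<html><head>
<meta http-equiv="refresh" content="0;url=https://cdn-mirror.example/setup.exe">
<title>Redirecting</title></head>
<body><p>Your installer is starting. If it does not start, click here.</p></body></html>"""


def constructed_fetch(url, user_agent):
    """Offline stand-in for an HTTP GET. A live scanner would instead do
    requests.get(url, headers={"User-Agent": user_agent}).text"""
    return CRAWLER_VIEW if "Googlebot" in user_agent else BROWSER_VIEW


class _VisibleText(HTMLParser):
    """Collects text nodes, skipping the bodies of <script> and <style>."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_words(html):
    p = _VisibleText()
    p.feed(html)
    return re.findall(r"[a-z0-9']+", " ".join(p.parts).lower())


def meta_refresh_target(html):
    """URL of an HTML meta-refresh redirect, or None if the page has none."""
    m = re.search(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>]+)', html, re.I)
    return m.group(1) if m else None


def compare_views(url, fetch):
    """Fetch url as a crawler and as a browser; report how far the two views diverge."""
    crawler = visible_words(fetch(url, CRAWLER_UA))
    browser_html = fetch(url, BROWSER_UA)
    browser = visible_words(browser_html)
    a, b = set(crawler), set(browser)
    jaccard = len(a & b) / len(a | b) if (a | b) else 1.0      # 1.0 same words, 0.0 none shared
    top_word, top_count = Counter(crawler).most_common(1)[0] if crawler else ("", 0)
    density = top_count / len(crawler) if crawler else 0.0     # share of the single most repeated word
    return {
        "jaccard": jaccard,
        "top_word": top_word,
        "top_density": density,
        "browser_redirect": meta_refresh_target(browser_html),
        "cloaking_suspected": jaccard < 0.3,
        "stuffing_suspected": density > 0.15 and top_count >= 5,
    }


if __name__ == "__main__":
    print(compare_views("https://blender-download.example/", constructed_fetch))
```

Two refinements matter in practice: cloaking is often keyed on the client IP range or the Referer header rather than the User-Agent, so a real scan should also vary those, and the crawler view should be fetched first, since some poisoned pages serve the lure only once per visitor.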

The HHS analyst note also warns that hacker SEO techniques are being used along with typosquatting, another method for misdirecting users to malicious websites. Threat actors use typosquatting to target those who misspell URLs when entering them into their browsers. The threat actors set up domains with names that match the misspellings and then wait for users to come to their sites. When typosquatting is combined with SEO poisoning, however, links to the malicious websites often appear near the top of the search results, making it more likely that users will click them because the addresses are so close to the real thing.
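Brand-protection teams hunt for the typosquat half of that combination by enumerating the near-miss spellings of their own domain and checking new registrations and search results against them. The following is an added example of that enumeration and matching, not tooling from HC3 or from this page. It uses the Blender name mentioned above as the brand; every candidate domain fed to it is invented, and the keyboard-neighbour and look-alike tables are a small hand-written subset of what a full tool would carry.

```python
# Adjacent keys on a US QWERTY layout, used for fat-finger substitutions.
KEYBOARD_NEIGHBORS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh", "u": "yij",
    "i": "uok", "o": "ipl", "p": "ol", "a": "qwsz", "s": "awedxz", "d": "serfcx",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# Characters or digraphs that read alike in an address bar (subset).
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
              "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"]}


def variants(label):
    """Single-edit typosquat candidates for a DNS label such as 'blender'."""
    out = set()
    n = len(label)
    for i in range(n):                                  # omitted character
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                              # transposed neighbours
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                      # doubled character
        out.add(label[:i] + ch + label[i:])
    for i, ch in enumerate(label):                      # adjacent-key substitution
        for nb in KEYBOARD_NEIGHBORS.get(ch, ""):
            out.add(label[:i] + nb + label[i + 1:])
    for src, dsts in HOMOGLYPHS.items():                # look-alike substitution
        pos = label.find(src)
        while pos != -1:
            for d in dsts:
                out.add(label[:pos] + d + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    out.discard(label)
    return out


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, brand_label, brand_tld):
    """Why a registrable domain (label.tld) looks like a squat of the brand, or None."""
    label, _, tld = domain.lower().rpartition(".")
    if label == brand_label:
        return None if tld == brand_tld else "brand on different TLD"
    if label in variants(brand_label):
        return "typosquat variant"
    if osa_distance(label, brand_label) <= 1:
        return "within one edit of brand"
    if brand_label in label:
        return "brand embedded in longer label"
    return None


if __name__ == "__main__":
    # Invented candidates, as they might appear in a feed of new registrations.
    for candidate in ["blender.org", "blneder.org", "b1ender.org", "blender.com",
                      "blender-download.com", "blendex.org", "example.org"]:
        print(candidate, "->", classify(candidate, "blender", "org"))
```

Feeding the output of variants() to a DNS resolver tells you which squats are already registered; feeding classify() the domains behind sponsored search results for your brand name tells you which ones deserve a takedown request.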

Security experts offer several recommendations to users who want to protect themselves against SEO poisoning attacks. Users should keep their browsers and antivirus software up to date, avoid clicking suspicious-looking links, and never provide personal information online unless they're certain the site is valid and the transaction is secure. Two habits catch most SEO poisoning lures: read the actual domain shown in the address bar and in the browser's download prompt rather than trusting the title of the search result, and treat sponsored results and downloads from unfamiliar domains as untrusted, preferring the vendor's known website for software downloads. Organizations can add controls on their side, such as preventing script files (.js, .vbs and similar) from running when opened from a user's Downloads folder and alerting when Windows Script Host executes files from those locations.


This was last updated in October 2023
