Search engine optimization poisoning (SEO poisoning) is a term used to describe two types of activities:
- Illegitimate techniques used to achieve high search engine ranking, usually (but not only) to attack visitors
- Exploiting vulnerabilities on existing high-ranking web pages and using them to spread malware
SEO poisoning may be used by legitimate websites to unfairly increase their ranking as well as by malicious sites (or legitimate sites that were compromised) to target visitors. If the intent is malicious, the assailant aims to install malware such as trojans, attack the user’s machine, or trick the user into providing sensitive data.
Malicious SEO poisoning is about reaching a lot of people quickly and easily. Therefore, such attacks often follow trending search terms. For example, there were SEO poisoning attacks during natural disasters, when attackers attempted to have victims send monetary aid to fake accounts. There were also such attacks during major political campaigns and other major world events.
Using Blackhat SEO
The term blackhat SEO relates to all the techniques that are used to trick the search engine to achieve high search ranking. Search engines change their ranking algorithms constantly and different search engines use different ranking methods. Therefore, blackhat SEO techniques must keep evolving as well.
In the past, the most prominent technique was called keyword stuffing. Search engines ranked websites just on the basis of keywords, which could be placed anywhere: both in meta tags and in the content of the website. The content itself did not even have to make sense. Therefore, blackhat SEO often meant, for example, creating text fragments that were invisible to the visitor (white text, white background, small font) with as many keywords as possible.
Another technique (still sometimes in use today) is based on creating cross-links between many sites with the link text containing target keywords. Millions of fake pages were created just for the purpose of building such cross-links. Today, this is not an effective technique in most cases. Top engines such as Google and Bing still consider cross-links during ranking, but they are not as important as other aspects.
Using Blackhat SEO for Malicious Purposes
To attack visitors, cybercriminals use different methods. They create malicious code and try to exploit vulnerabilities in web browsers. They attempt clickjacking or social engineering, for example luring the user into downloading and executing malware such as a fake antivirus (often called scareware). They pretend to sell a product that does not exist to steal personal data and credit card numbers. There were even cases when large corporations were targeted by such scams: corporate users were tricked into providing personal information, which was then used in social engineering attacks against the corporation.
It is not easy to quickly attain a high ranking for a malicious website via blackhat SEO. That is why some cybercriminals try to use existing high-ranking websites to spread malicious content. To do this, they exploit typical web vulnerabilities, for example, Cross-site Scripting (XSS).
For example, if a new vulnerability is discovered in a common WordPress plugin, the criminal searches for popular terms and checks if the highest-ranking websites are based on WordPress and vulnerable. If so, they introduce malicious code, often reaching millions of users. This is actually one of the most common ways that criminals exploit known vulnerabilities.
Defending Against SEO Poisoning Attacks
To defend your business against all types of SEO poisoning attacks, you should adopt the following best practices:
- First of all, educate your users not to visit unknown websites and always pay attention to the URL in search engine results.
- Maintain end-user security solutions, such as good antivirus software or filter out potentially malicious pages centrally, forcing the users to use a local web proxy.
- Keep your websites and web applications secure and free of any web vulnerabilities. For this purpose, use a web vulnerability scanner regularly and preferably at the earliest possible stage of website development.
- If you notice that a malicious site is attempting to undermine your SEO position, immediately report it to the search engine to have the result removed.