Cybercriminals use many different tactics to gain a foothold in business networks, and while many threat actors specialize in exploiting unpatched vulnerabilities, cyberattacks that exploit human weaknesses are far more common. The best known of these tactics is phishing, where contact is made with employees via email, SMS messages, or instant messaging services. The messages typically include a lure to convince the employee to take a certain action – opening a malicious attachment, clicking an embedded hyperlink, or calling a phone number. These attacks are conducted to steal credentials, install malware, or otherwise provide the threat actor with access to the user’s device.
Phishing is extensively covered in security awareness training, and rightly so, as it is one of the most common methods of attack; however, it is important to ensure that employees are trained on other methods of attack, including an increasingly used tactic called SEO poisoning.
What is SEO Poisoning?
SEO poisoning is a type of web-based attack that uses search engine optimization techniques to increase the prominence of malicious web pages in the search engine listings. Tactics commonly used to get web pages to appear high up in the search engine listings include keyword stuffing – cramming lots of keywords into the page to trick search engines into thinking the content is particularly relevant to the targeted search term; cloaking, where search engine algorithms are presented with different content from normal users; the generation of fake clicks using bots; and generating masses of backlinks to the website via private link networks. These black hat SEO tactics provide a fast return and get web pages to appear very high up in the search engine listings for specific search terms. The higher up in the listings a website ranks, the more visitors the site is likely to receive. An added advantage of a high ranking is that Internet users tend to trust those sites more.
If a malicious actor can get a web page to appear in the top five spots for a high-traffic search term, they are likely to be able to drive a considerable amount of traffic to that web page; however, it can be difficult to get web pages ranking for high-volume search terms as there is likely to be a lot of competition. An alternative is to target relatively low-volume search terms that are likely to be used by employees, such as terms related to business forms and contract templates. These terms not only ensure that the right people visit the malicious page, but those individuals will be looking to download a file, which makes it far easier to install malware. While free downloads are effective, webpages offering fake software and business apps may be created that require a small payment. This tactic can be used to steal credit card information.
The websites and web pages used for these scams can be easily identified in many cases if Internet users are vigilant, as the domains used are often unrelated to the content of the page. To improve the effectiveness of this tactic, domains are often used that match the malicious content. For example, if the campaign was targeting the communications platform Zoom, a domain may be registered such as zoom-download.com, or a subdomain may be used, such as zoomdownload.business-software-downloads.com.
Typosquatting is also commonly used, where misspellings of brand names are used for domain names, or letters are substituted with special characters or numbers. At first glance, the domains appear legitimate, and this tactic can catch out careless typists.
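The domain patterns described above (a brand name placed in an unrelated domain or subdomain, digits substituted for letters, and misspellings) can be checked for in proxy or DNS logs. The following is an added example, not code from this article or from any product it mentions; the allowlist, the substitution table and the `.example` hostnames are assumptions constructed for illustration.

```python
import re

# Assumption: allowlist of registrable domains that legitimately use each brand.
BRANDS = {"zoom": {"zoom.us", "zoom.com"}}
# Assumption: a small digit-for-letter substitution table (0->o, 1->l, 3->e, 4->a, 5->s).
SUBST = str.maketrans("01345", "oleas")

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return a reason code if host imitates a brand, else None."""
    host = host.lower().rstrip(".")
    # Naive registrable domain (last two labels); production code should
    # consult the Public Suffix List to handle suffixes such as co.uk.
    registrable = ".".join(host.split(".")[-2:])
    for brand, legit in BRANDS.items():
        if registrable in legit:
            return None  # brand's own domain or a subdomain of it
        if brand in host:
            return "brand-in-unrelated-domain"
        normalized = host.translate(SUBST)
        if brand in normalized:
            return "character-substitution"
        # Distance 1 catches a dropped, added or substituted letter. Short brands
        # also match real words (e.g. "zoo"), so treat this as a review flag.
        if any(edit_distance(t, brand) == 1 for t in re.split(r"[.-]", normalized)):
            return "possible-misspelling"
    return None

if __name__ == "__main__":
    # First two hosts are the article's examples; the rest are constructed.
    for h in ["zoom-download.com", "zoomdownload.business-software-downloads.com",
              "z00m-download.example", "zooom.example", "us02web.zoom.us"]:
        print(f"{h:50} {classify(h)}")
```

Hits are candidates for analyst review or for a web filter blocklist rather than proof of malice, since the misspelling check in particular produces false positives for short brand names.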
How to Protect Against SEO Poisoning
There are two main ways that businesses can improve their defenses against web-based attacks such as SEO poisoning – end user training and web filtering. Security awareness training should be provided regularly to the workforce, and modules should cover all types of attacks that target employees, including SEO poisoning. Making employees aware of these tactics and teaching them about the red flags to look for will help them to identify and avoid these campaigns. If you have yet to start training your workforce, check out SafeTitan from TitanHQ.
Web filtering is a technical measure for filtering out malicious websites. Web filters ensure that even if a link is clicked, a connection to the malicious website will not be established. Web filters, such as WebTitan from TitanHQ, are constantly updated with the latest threat intelligence. As soon as a new malicious website or webpage is identified, the data is sent to the web filter and any attempted connection will be blocked. WebTitan protects against SEO poisoning, malvertising, and malicious software downloads from the Internet and can be used to block access to software download sites, torrents and warez sites, and other sites that are risky or serve no business purpose.
Combine security awareness training with a web filter and you will be well protected against SEO poisoning and other web-based attacks.