Search Engine Optimization (SEO) refers to practices used to make a webpage rank more highly in a search engine. Each major search engine — Google, Bing, etc. — has an algorithm to determine which sites make it to the top of a user’s search results and which are condemned to pages 2 and lower.
SEO poisoning is a set of black-hat SEO techniques designed to take advantage of these search engine algorithms to promote malicious web pages. If an attacker can design their web page so that it ranks highly on Google or Bing, then users are more likely to trust and visit the website. This allows the attacker to push malware or other malicious content on these sites.
SEO algorithms rank web pages based on various factors, such as the use of keywords and backlinks. To target specific industries or users, these malicious sites may target keywords that their targets are likely to search. Additionally, attackers may use techniques such as typosquatting to appear similar to other, trusted sites that the targets are likely to visit. Finally, attackers may use black-hat SEO tactics, which are unethical methods of raising a page’s rank within a search engine’s results.
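One way a defender can catch the typosquatting described above in proxy or DNS logs, shown as an added example that is not from the original article. The trusted list, hostnames and distance threshold are constructed, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
# Added example: flag hostnames that imitate a trusted domain (typosquatting).
# TRUSTED and VISITED are constructed sample data, not real indicators.
TRUSTED = ["contoso.com", "fabrikam.com"]
VISITED = ["mail.contoso.com", "contos0.com", "cotnoso.com",
           "download.contosso.com", "fabrikarn.com", "example.org"]
# Character swaps that render alike in many fonts (small illustrative set).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(name):
    """Collapse look-alike character sequences to one canonical form."""
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_of(host, trusted):
    """Return (trusted_domain, reason) if host imitates one, else None."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return None  # the real site or one of its subdomains
    base = ".".join(host.split(".")[-2:])  # assumption: no public-suffix list
    for t in trusted:
        if skeleton(base) == skeleton(t):
            return (t, "homoglyph")
        if osa_distance(base, t) <= 1:
            return (t, "typo")
    return None

def scan(hosts, trusted=TRUSTED):
    """Map each suspicious host to the (trusted domain, reason) it imitates."""
    found = ((h, lookalike_of(h, trusted)) for h in hosts)
    return {h: verdict for h, verdict in found if verdict}

if __name__ == "__main__":
    for host, (target, reason) in scan(VISITED).items():
        print(f"{host}: looks like {target} ({reason})")
```

A distance threshold of 1 keeps false positives low on short names; longer brand names can tolerate a threshold of 2.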
Once an attacker has tricked a user into visiting the website, their goal is to get the user to download and install a file. Attackers use various deceptive tactics, disguising their malware as fake office software, games, and other useful programs. These trojans will have fake icons and may include a legitimate copy of the software to make the deception more convincing.
Many different cyber threat actors and tools perform SEO poisoning attacks. Some examples include:
SEO poisoning attacks use various methods to trick users into visiting their sites. Some ways to identify these attacks include:
In addition to staying on the lookout for SEO poisoning, organizations can also take steps to protect themselves from these attacks. Some best practices include:
SEO poisoning attacks are growing more prevalent and pose a serious threat to an organization’s cybersecurity. Protecting against these and similar attacks designed to deliver malware is essential to limiting corporate cyber risk.
Check Point Threat Prevention products dynamically scan the content of the URLs and websites users interact with. They can also block zero-day attacks in real time by leveraging ThreatCloud AI, advanced artificial intelligence (AI), natural language processing (NLP), big data, and graph algorithms.
Additionally, customers using Quantum Threat Prevention, Harmony Browse, Harmony Endpoint, and Harmony Mobile are protected and are covered for various attack use cases such as phishing, command & control traffic, and compromised websites, including those involved in SEO poisoning attacks. For Check Point firewall customers, enable the SNBT (SandBlast license) and activate the Anti-Bot and Zero-Phishing blades. URL Filtering (URLF) is automatically included with the SandBlast license, and helps to protect against this evolving cyber threat.
In addition to real-time threat prevention, ThreatCloud AI also performs preemptive prevention where it scans new domains immediately upon creation. This enables Check Point solutions to detect and block new SEO poisoning campaigns and other attacks before they can even be launched.
Check Point Harmony solutions offer strong protection against SEO poisoning and other threats to endpoint and web security. To learn more about Check Point’s comprehensive portfolio of cybersecurity products, sign up for a free demo today.