SEO : Search Engine Optimization

SEO poisoning, also known as search poisoning, is a type of malicious advertising (malvertising) in which cybercriminals create malicious websites and then use search engine optimization (SEO) techniques to cause the sites' links to show up prominently in search results, often as ads at the top.

How SEO Poisoning Works

Search engine ranking algorithms score web pages on factors such as keyword use and backlinks. To reach a specific industry or group of users, attackers optimize their malicious sites for the keywords those users are likely to search for. They may also use typosquatting so that their domains resemble trusted sites the targets are likely to visit. Finally, attackers may use black-hat SEO tactics, unethical methods of raising a page’s rank within a search engine’s results.

Once an attacker has tricked a user into visiting the website, the attacker’s goal is to get the user to download and install a file. Attackers use various deceptive tactics, disguising their malware as fake office software, games, and other useful programs. These trojans use fake icons and may bundle a legitimate copy of the software to make the deception more convincing.

Examples of SEO Poisoning

Many different cyber threat actors and tools perform SEO poisoning attacks. Some examples include:

  • Gootloader: Uses SEO poisoning and leverages visible overlays to trick targets.

  • BATLoader: SEO poisoning campaigns may use BATLoader to send targets to fake message boards.

  • Solarmarker: Attempts to trick remote workers into downloading fake PDF documents.

How to Detect SEO Poisoning

SEO poisoning attacks use various methods to trick users into visiting their sites. Some ways to identify these attacks include:

  • Monitor for typosquatted domains designed to look like legitimate sites.

  • Leverage threat intelligence to identify known-bad URLs associated with SEO poisoning attacks.

  • Use endpoint detection and response (EDR) solutions to identify malware delivered via SEO poisoning attacks.

  • Monitor for attempts to execute applications from within a ZIP archive.
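Two of the monitors above (typosquatted domains and programs run directly out of a ZIP archive) can be expressed as simple triage logic over web-proxy and endpoint telemetry. The following is an added example, not Check Point code; the watched domains, the sample events and the archive staging-directory patterns are constructed assumptions, and a production rule would use your own brand list and tooling.

```python
import re
from typing import Iterable

# Brand domains to watch for look-alikes (constructed sample; substitute your own list).
WATCHED_DOMAINS = {"example-vendor.com", "example-bank.com"}

# Paths seen when a user launches a program from inside a ZIP without extracting it.
# Windows Explorer stages archive members under %TEMP%\Temp1_<archive>.zip\ and
# 7-Zip under %TEMP%\7z<id>\ (assumed patterns; adjust for the tools in your fleet).
ZIP_STAGING = re.compile(r"\\Temp\\(Temp1_[^\\]+\.zip|7z[0-9A-Fa-f]+)\\", re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_typosquat(domain: str, watched=WATCHED_DOMAINS, max_dist: int = 2) -> bool:
    """True if the domain is a near-miss of a watched brand but not the brand itself."""
    d = domain.lower().rstrip(".")
    return d not in watched and any(edit_distance(d, w) <= max_dist for w in watched)

def triage_events(events: Iterable[dict]) -> list:
    """Apply both monitors to each event; returns (event_id, reason) pairs to review."""
    hits = []
    for ev in events:
        if "domain" in ev and is_typosquat(ev["domain"]):
            hits.append((ev["id"], f"typosquat of watched domain: {ev['domain']}"))
        if "image" in ev and ZIP_STAGING.search(ev["image"]):
            hits.append((ev["id"], f"executable launched from ZIP staging dir: {ev['image']}"))
    return hits

# Constructed sample telemetry: proxy domain visits and endpoint process starts.
SAMPLE_EVENTS = [
    {"id": 1, "domain": "example-vendor.com"},   # the legitimate brand domain
    {"id": 2, "domain": "examp1e-vendor.com"},   # one-character substitution
    {"id": 3, "domain": "totally-unrelated.org"},
    {"id": 4, "image": r"C:\Users\a\AppData\Local\Temp\Temp1_invoice.zip\setup.exe"},
    {"id": 5, "image": r"C:\Program Files\Vendor\app.exe"},
    {"id": 6, "image": r"C:\Users\a\AppData\Local\Temp\7zA1B2C3\installer.exe"},
]

if __name__ == "__main__":
    for event_id, reason in triage_events(SAMPLE_EVENTS):
        print(event_id, reason)
```

The distance threshold is a heuristic: short brand names need a lower `max_dist` to keep false positives down, and homoglyph or IDN look-alikes need a separate check.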

How to Prevent SEO Poisoning

In addition to staying on the lookout for SEO poisoning, organizations can also take steps to protect themselves from these attacks. Some best practices include:

  • Employee Training: Educate employees about SEO poisoning attacks and the risks of downloading applications from the Internet. Train employees to identify typosquatted domains.

  • Web Security: Use web security tools to identify sites serving malicious content and to protect users against redirection, overlays, and other tactics used to trick them into accessing malicious content.

  • Endpoint Security: Use endpoint security solutions such as an endpoint protection platform (EPP) to identify and block attempted infections by malware delivered via SEO poisoning attacks.

  • Patch Management: Ensure that corporate systems and browsers are kept up-to-date to prevent malicious sites from exploiting unpatched vulnerabilities.

SEO Poisoning Protection with Check Point

SEO poisoning attacks are growing more prevalent and pose a serious threat to an organization’s cybersecurity. Protecting against these and similar attacks designed to deliver malware is essential to limiting corporate cyber risk.

Check Point Threat Prevention products dynamically scan the content of the URLs and websites users interact with. They can also block zero-day attacks in real time by leveraging ThreatCloud AI, advanced artificial intelligence (AI), natural language processing (NLP), big data, and graph algorithms.

Additionally, customers using Quantum Threat Prevention, Harmony Browse, Harmony Endpoint, and Harmony Mobile are protected and are covered for various attack use cases such as phishing, command & control traffic, and compromised websites, including those involved in SEO poisoning attacks. For Check Point firewall customers, enable the SNBT (SandBlast license) and activate the Anti-Bot and Zero-Phishing blades. URL Filtering (URLF) is automatically included with the SandBlast license, and helps to protect against this evolving cyber threat.

In addition to real-time threat prevention, ThreatCloud AI also performs preemptive prevention where it scans new domains immediately upon creation. This enables Check Point solutions to detect and block new SEO poisoning campaigns and other attacks before they can even be launched.

Check Point Harmony solutions offer strong protection against SEO poisoning and other threats to endpoint and web security. To learn more about Check Point’s comprehensive portfolio of cybersecurity products, sign up for a free demo today.