Cybercriminals Optimize Phishing Sites to Increase Reach


In a previous age, the most heated battle for visibility might have included businesses competing for ad space during a popular television show or a heavily trafficked billboard. Today, perhaps the hottest competition for eyeballs comes in the form of search engine optimization. Commonly abbreviated to SEO, search engine optimization is the process by which websites and webpages improve their visibility when it comes to relevant search engine results on the likes of Google and Bing. The higher a particular webpage is listed, the more attention, clicks, and, potentially, customers it is likely to attract.

But this competition isn’t just among legitimate businesses or website owners. Would-be cyber attackers use some of these same tricks and techniques to try to increase the reach of phishing websites. These sites deploy malware including financial spyware, extortion-based ransomware, and various exploit tools. Because no one would voluntarily click on a webpage serving up these offerings, attackers use something dubbed “search engine deoptimization” to increase the likelihood of gaining clicks.

It’s a growing threat, and one that any modern cyber security platform must be able to grapple with. Fortunately, the tools are there to protect you if you know where to look.

Poisoning the SEO well

In early 2021, reports emerged about a new malware payload delivery method that uses the Gootkit Remote Access Trojan (RAT) infection framework. For more than half a decade, cyber attackers have leveraged the Gootkit malware family for various applications involving the theft of banking credentials.

The “search engine deoptimization” approach involves a malicious use of SEO techniques to prominently feature malware-infected pages in Google search results. These malicious search results look legitimate both to users and to Google itself. It works by using a network of servers that host hacked websites. When a user poses a question on Google, the search rankings include these hacked webpages, which present a message board with fake forum posts containing a “direct download link” to a .js file whose name matches the original search query. This is achieved by using the so-called Gootloader JavaScript-based infection framework to generate pages based on verbatim search queries.

For example, a person Googling “Do I need to have a license to watch television?” could uncover a link to a genuine website that has been compromised. On that website is a message board on which a user has apparently asked that identical question with exactly the same wording. This allows it to score highly on SEO for a particular search, and provides a means by which individual users can be accurately targeted in social engineering attacks. 

Users unaware of the dangers might click the link suggested in the forum, and download the malware. This approach is particularly fiendish (read: clever in all the worst ways) because not only does it target specific searchers, but it also bypasses the traditional tools employed for endpoint protection since the malware does not run directly on the page. The malware can be used to install payloads such as ransomware on the computers belonging to downloaders. Variations of this attack, localized for different languages, have been found in English, German, French, and Korean.
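A defender-side heuristic for the pattern just described, added here as an example (it is not code from the original post or from any product): given the query that led a user to a page, it parses the page and flags the three traits the text names, the query echoed verbatim in forum-style text, a “direct download link” anchor, and a link to a .js file whose name mirrors the query. The sample HTML and query are constructed; the .js-only filename check reflects what the article describes and would need widening for other script types.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

def normalize(text):
    # Lower-case and collapse punctuation so "watch television?" == "watch_television"
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

class _PageScan(HTMLParser):
    # Collects visible text plus every <a> as (href, anchor text)
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor)))
            self._href = None
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

def assess_page(html, search_query):
    # Returns the sorted list of SEO-poisoning indicators seen on a page reached via search_query
    scan = _PageScan()
    scan.feed(html)
    query = normalize(search_query)
    findings = set()
    if query and query in normalize(" ".join(scan.text)):
        findings.add("query_echoed_verbatim")          # fake forum post repeats the search
    for href, anchor in scan.links:
        filename = unquote(urlparse(href).path).rsplit("/", 1)[-1]
        if filename.lower().endswith(".js"):
            findings.add("js_download_link")          # page offers a raw script download
            if normalize(filename[:-3]) == query:
                findings.add("js_named_after_query")  # filename mirrors the query
        if "direct download" in normalize(anchor):
            findings.add("direct_download_anchor")
    return sorted(findings)

def is_suspicious(findings):
    # All three traits together are the combination the article describes
    return {"query_echoed_verbatim", "js_named_after_query", "direct_download_anchor"} <= set(findings)

# Constructed sample mimicking an injected "forum" on a compromised site (not real data)
SAMPLE_QUERY = "Do I need to have a license to watch television?"
SAMPLE_PAGE = ("<div class='post'><p>Q: Do I need to have a license to watch television?</p>"
               "<p>A: <a href='/files/do_i_need_to_have_a_license_to_watch_television.js'>"
               "Direct download link</a></p></div>")
```

Run `assess_page(SAMPLE_PAGE, SAMPLE_QUERY)` and pass the result to `is_suspicious` to see the sample page flagged; a page that merely discusses the topic and links to a PDF yields no findings.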

The importance of proper protection

Protecting against these kinds of attacks is crucial for companies. It is important that businesses and other organizations adopt a unified approach when it comes to security. Luckily, the tools exist to help you protect yourself. Client-side protection, for example, can help reduce the risk of poisoned JavaScript code negatively impacting your business. If unexpected third-party code is detected embedded on any of your websites, these tools can notify you so that it can be safely removed.

Meanwhile, bot management, Web Application Firewalls (WAFs), API management and other such measures can protect websites, apps, and APIs from being targeted by automated attacks — without harming traffic that may be critical to your business.

Away from application security, data security systems can play a crucial part in not only protecting sensitive data, but also finding and responding to threats before they cause a security incident. This is valuable for all sorts of reasons, ranging from safeguarding reputation and being able to operate effectively as a business to ensuring compliance and avoiding possible fines.

The threat is only going to get worse

Cyber attacks are becoming increasingly destructive. The threat of data exfiltration, for example, is only getting more pressing as more and more of our daily lives take place online, involving vital tech infrastructure. Cyber attackers are continuously on the lookout for new ways to game systems for their benefit — whether that’s tried-and-tested methods like phishing emails or attempts to poison SEO rankings. Ensuring that you do your utmost to mitigate these threats is essential in the modern cybersecurity landscape.

It’s not always easy, and requires you to stay aware about the latest threats. But help is at hand for those who need it — and, increasingly, that’s a whole lot of people.