Search engine optimization poisoning (SEO poisoning) is a term used to describe two types of activities:

  • Illegitimate techniques used to achieve high search engine ranking, usually (but not only) to attack visitors
  • Exploiting vulnerabilities on existing high-ranking web pages and using them to spread malware

SEO poisoning may be used by legitimate websites to unfairly increase their ranking as well as by malicious sites (or legitimate sites that were compromised) to target visitors. If the intent is malicious, the assailant aims to install malware such as trojans, attack the user’s machine, or trick the user into providing sensitive data.

Malicious SEO poisoning is about reaching a lot of people quickly and easily. Therefore, such attacks often follow trending search terms. For example, there were SEO poisoning attacks during natural disasters, when attackers attempted to have victims send monetary aid to fake accounts. There were also such attacks during major political campaigns and other major world events.

Using Blackhat SEO

The term blackhat SEO relates to all the techniques that are used to trick the search engine to achieve high search ranking. Search engines change their ranking algorithms constantly and different search engines use different ranking methods. Therefore, blackhat SEO techniques must keep evolving as well.

In the past, the most prominent technique was called keyword stuffing. Search engines ranked websites just on the basis of keywords, which could be placed anywhere: both in meta tags and in the content of the website. The content itself did not even have to make sense. Therefore, blackhat SEO often meant, for example, creating text fragments that were invisible to the visitor (white text, white background, small font) with as many keywords as possible.
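To audit a page for the hidden keyword blocks described above, the following added example (not code from the original article) flags text inside elements whose inline style hides it. It goes slightly beyond the text by also treating `display:none` and `visibility:hidden` as hiding, and it assumes inline styles only: CSS classes and external stylesheets are not resolved. The function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no closing tag

def inline_style(attrs):
    """Parse an inline style attribute into {property: value}."""
    raw = dict(attrs).get("style") or ""
    pairs = (p.split(":", 1) for p in raw.split(";") if ":" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def hides_text(style):
    """True for text colour equal to background, tiny font, or an element that is not displayed."""
    size = re.match(r"(\d+(?:\.\d+)?)px", style.get("font-size", ""))
    fg, bg = style.get("color"), style.get("background-color")
    return (style.get("display") == "none" or style.get("visibility") == "hidden"
            or (size is not None and float(size.group(1)) <= 2)
            or (fg is not None and fg == bg))

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []         # per open element: is it or an ancestor hidden?
        self.hidden_words = []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            inherited = bool(self.stack) and self.stack[-1]
            self.stack.append(inherited or hides_text(inline_style(attrs)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.stack and self.stack[-1]:
            self.hidden_words.extend(data.split())

def hidden_keyword_block(html, min_words=8):
    """Return the hidden words if there are enough of them to look like stuffing."""
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.hidden_words if len(finder.hidden_words) >= min_words else []

# Constructed sample page: a normal heading plus an invisible keyword block.
PAGE = ('<html><body><h1>Garden tools</h1><p>Hand-picked spades and rakes.</p>'
        '<div style="color:#fff; background-color:#fff; font-size:1px">cheap watches '
        'discount watches <b>replica watches</b> buy watches online today</div></body></html>')
print(hidden_keyword_block(PAGE))
```
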

Another technique (still sometimes in use today) is based on creating cross-links between many sites with the link text containing target keywords. Millions of fake pages were created just for the purpose of building such cross-links. Today, this is not an effective technique in most cases. Top engines such as Google and Bing still consider cross-links during ranking, but they are not as important as other aspects.

Using Blackhat SEO for Malicious Purposes

One of the most common tricks used as part of blackhat SEO is creating scripts that recognize if the website is visited by a search engine crawler or by a real visitor (usually based on the user-agent). If the first page is visited by a crawler, high-ranking content is served. If the first page is visited by a user, malicious content is served instead, usually using JavaScript and/or redirections.
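A site owner can check their own pages for this behaviour by requesting the same URL once with a crawler user-agent and once with a browser user-agent, then comparing the two responses. The added example below (not code from the original article) does the comparison offline on two constructed response bodies; the class and function names, the threshold and the sample hosts are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageFeatures(HTMLParser):
    """Visible words, external script hosts and meta-refresh flag of one response."""
    def __init__(self):
        super().__init__()
        self.words, self.script_hosts = set(), set()
        self.meta_refresh, self._in_code = False, 0  # _in_code > 0 inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._in_code += 1
        host = urlparse(a.get("src") or "").netloc.lower()
        if tag == "script" and host:  # relative src has no host: same origin
            self.script_hosts.add(host)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_code:
            self._in_code -= 1

    def handle_data(self, data):
        if not self._in_code:
            self.words.update(w.lower() for w in data.split() if len(w) > 3)

def compare_views(crawler_html, browser_html, min_overlap=0.5):
    """List signs that a crawler and a browser were served different pages."""
    c, b = PageFeatures(), PageFeatures()
    c.feed(crawler_html)
    b.feed(browser_html)
    union = c.words | b.words
    overlap = len(c.words & b.words) / len(union) if union else 1.0
    findings = []
    if overlap < min_overlap:
        findings.append(f"visible text overlap only {overlap:.0%}")
    for host in sorted(b.script_hosts - c.script_hosts):
        findings.append(f"script host only in browser view: {host}")
    if b.meta_refresh and not c.meta_refresh:
        findings.append("meta refresh only in browser view")
    return findings

# Constructed sample responses for one URL (not captured from a real site).
CRAWLER_VIEW = ('<html><head><title>Storm relief donations guide</title></head><body>'
                '<p>Trusted charities accepting storm relief donations.</p></body></html>')
BROWSER_VIEW = ('<html><head><meta http-equiv="refresh" content="0;url=https://landing.example.invalid/">'
                '</head><body><script src="https://cdn.example.invalid/loader.js"></script></body></html>')
print(compare_views(CRAWLER_VIEW, BROWSER_VIEW))
```

An empty list means the two views match on these three signals; a non-empty list on a page you operate is a reason to inspect the server-side code and recent file changes.
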

To attack visitors, cybercriminals use different methods. They create malicious code and try to exploit vulnerabilities in web browsers. They attempt clickjacking or social engineering, for example luring the user into downloading and executing malware such as a fake antivirus (often called scareware). They pretend to sell a product that does not exist to steal personal data and credit card numbers. There were even cases when large corporations were targeted by such scams: corporate users were tricked into providing personal information, which was then used in social engineering attacks against the corporation.

Exploiting Vulnerabilities

It is not easy to quickly attain a high ranking for a malicious website via blackhat SEO. That is why some cybercriminals try to use existing high-ranking websites to spread malicious content. To do this, they exploit typical web vulnerabilities, for example, Cross-site Scripting (XSS).

If a high-ranking web page has, for example, a stored XSS vulnerability, the attacker may introduce JavaScript code that is executed by every visitor. This code may either directly attempt to spread malware or redirect the user to a different website that is created for malicious purposes (the same ones as in the case of blackhat SEO).

For example, if a new vulnerability is discovered in a common WordPress plugin, the criminal searches for popular terms and checks if the highest-ranking websites are based on WordPress and vulnerable. If so, they introduce malicious code, often reaching millions of users. This is actually one of the most common ways that criminals exploit known vulnerabilities.

Defending Against SEO Poisoning Attacks

To defend your business against all types of SEO poisoning attacks, you should adopt the following best practices:

  • First of all, educate your users not to visit unknown websites and always pay attention to the URL in search engine results.
  • Maintain end-user security solutions, such as good antivirus software, or filter out potentially malicious pages centrally by forcing users to go through a local web proxy.
  • Keep your websites and web applications secure and free of any web vulnerabilities. For this purpose, use a web vulnerability scanner regularly and preferably at the earliest possible stage of website development.
  • If you notice that a malicious site is attempting to undermine your SEO position, immediately report it to the search engine to have the result removed.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.