Search engine optimization poisoning (ITSAP.00.013)

Search engines are the go-to tool for searching the Internet. Users often click on the first link in their results and trust the site is legitimate. Threat actors are aware of this user behaviour and try to exploit it.

While the links at the top of your search results look legitimate, they can be spam or link to malicious sites. Threat actors can promote these malicious sites in your search engine using search engine optimization (SEO) poisoning. This publication will explain what SEO is and how you can protect yourself and your organization from potential compromises.

On this page

• Search engine optimization
• Search engine optimization poisoning as an attack vector
• What to look out for
• How to protect yourself
• How to protect your website
• Learn more

Search engine optimization

SEO is a series of techniques that marketers and website owners use to increase site traffic and the visibility of their product or service. SEO attempts to make a website seem more relevant to a search query so it will be ranked as a top result by search engines. SEO allows search engines to categorize your content to provide more tailored search results.

The following SEO techniques can be used to influence search results in various ways.

Meta tags

Meta tags provide data on a webpage's content and structure. These tags are helpful to both users and search engines. There are many different types of meta tags, such as those that indicate important page content and descriptive text for images.

Backlinks

Backlinks are links from other sites that direct users to your site. These can act as an endorsement of credibility. High-quality backlinks, from reputable sources, help rank your website higher in search engine results. However, beware of low quality or toxic backlinks from disreputable sources, as they can:

• harm your site's reputation or ranking
• lower your ranking in search engine results
• associate your website with low-quality or unsolicited commercial (spam) content

Keywords and keyphrases

These are popular search terms used in search engines. Associating commonly used and relevant keywords on your website will help users find your content.

Descriptive URLs

Search engines use your URLs to crawl and index sites. By ensuring your URLs are short, descriptive and on-topic, you will help search engines better understand your content.

Semantic HTML

Semantic HTML is a markup language that consists of tags that add meaning to your website's content. It also helps a search engine interpret your site's content. Your HTML is the structure of your website. By giving sections meaning, you allow the website to be categorized by search engines.

Breadcrumbs

Breadcrumbs present a text path that shows the user where they are on the site. These breadcrumbs allow search engines to easily understand how your site is organized.

Search engine optimization poisoning as an attack vector

An attack vector refers to a method that a threat actor uses to gain access to a system, network or application. SEO poisoning is an effective attack vector for threat actors. They can manipulate search results to target anyone using a search engine. SEO poisoning is effective due to the widespread trust users have in search engines. Many users have widespread trust in search engines and assume they display the most relevant, vetted and legitimate links first.

Threat actors take advantage of these user assumptions and alter the weight or bias of search results seen by users. Threat actors can use SEO poisoning to manipulate search results and rank their malicious sites higher than legitimate sites. For example, they may use popular and trending search terms to raise their ranking, misleading users into clicking on harmful links.

Threat actors can also exploit vulnerabilities in already established websites to hijack and spread their malicious content. This can occur whether it's through malicious downloads or by linking to other spam websites. This technique can also have the following negative impacts on legitimate websites that are being spoofed:

• Lower search engine ranking
• Reduced site traffic
• Damage to brand integrity and reputation

Any links or files that you click on or download from malicious sites can jeopardize your computer. Accessing a webpage without the appropriate firewalls and plug-ins could put your system at risk, even if you just click on a link.

These malicious codes and attacks can:

• distribute malware or ransomware
• steal personal information with the intent to sell it or use it maliciously
• urge you to call a false helpline number to allow access to your device or to transfer funds

They can pose as any type of website, whether it be a news site, streaming site, retail store or technical help desk.

Along with the above-mentioned SEO techniques, threat actors can also use the following actions to assist in SEO poisoning.

Script spoofing

Threat actors use script spoofing to trick users by impersonating legitimate websites or email addresses. They use similar URLs that contain incorrect characters or domain names.

Keyword stuffing

Keyword stuffing occurs when threat actors fill webpages with keywords to increase their ranking. The keywords are repeated often and make the content of the site illogical. You may see many keywords combined with irrelevant words that will not make much sense when read. These are meant to be read by machines that recognize the keywords.

Typo squatting

Threat actors register domains that are similar to popular websites but with intentional typos or misspellings. They may design the website to look like the intended site the user wanted to visit. This may further trick the user into spending more time on the malicious site and clicking on links.

Link farms

Link farms are groups of websites that all link to one another. The more links or backlinks you have from other sites, the higher your search engine rating may be. Spam link farms manipulate the search algorithms by increasing their backlinks to automated link farms to increase their rating.

What to look out for

When searching the web or inputting a query into a search engine, always be aware that any link may contain malicious content. Use the following clues to avoid being compromised:

• Check URLs for misspelled words
• Confirm the link's content is related to the search query
• Be aware of unprofessional designs or cluttered webpages (if already on the website)
• Look out for fonts that seem out of place
• Use caution if links look too good to be true or are unrelated to the webpage
• Check to see if link extensions match the description
• Look for the padlock HTTPS symbol in the address bar, but always proceed with caution as some malicious sites may still show this symbol

How to protect yourself

Use the following tips and techniques to proactively protect your computer from malicious websites.

• Ensure the default script editor is set to block all scripts by default
  • Doing so helps prevent automatic execution of potentially malicious scripts
  • This can help keep your personal data private and your system safe from malware
• Install firewalls on your device which can warn you and block malicious sites
• Keep browsers and anti-virus software up to date
• Avoid clicking on suspicious links
• Avoid providing personal information unless you're certain the site is legitimate and secure
• Always double-check the URL before clicking
• Instead of searching and clicking on a link, type the known address into the address bar and confirm you have not made any typos before hitting enter
• Allow for file extensions to be shown and verify that the type of file being downloaded matches its advertised intent

How to protect your website

If you are a website owner or administrator, consider the following actions to secure your online presence. Many of these can be done by an IT professional.

• Employ secure coding practices
  • Practices such as input validation and proper error handling can help prevent various attacks
  • For an in-depth look, see Guidelines on minimum standards for developers verification of software (NISTIR 8397)
• Update information on your site regularly
• Apply web application firewalls
• Use reputable content management systems
• Perform regular security audits and review files, settings, and website codes
• Employ strong authentication methods for website administrators, such as multi-factor authentication
• Be aware of unexpected spikes and drops in website traffic, which may indicate that your site has been hacked

Learn more

• Protect your organization from malware (ITSAP.00.057)
• Ransomware: How to prevent and recover (ITSAP.00.099)
• Don't take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)
• Security consideration when developing and managing your website (ITSAP.60.005)
• How to shop online safely (ITSAP.00.071)
• Website defacement (ITSAP.00.060)
• Domain name system (DNS) tampering (ITSAP.40.021)
• Script spoofing: What it is and how you can protect yourself