How does an attacker target an organization’s employees, clients, and potential customers without ever coming anywhere near their networks? Simple: Hit them in the search box.
The method can often lead unsuspecting users to a fake landing page or a bogus login portal. Research from security firm Tempest found a “significant increase” in the dissemination of stealers, loaders, and trojans via Google Ads and other search engine optimization (SEO) poisoning techniques between November 2022 and January 2023.
SEO, explained. SEO poisoning is an attack method in which attackers attempt to game search-engine results so that specific queries pull up links to malware-infested websites rather than the legitimate originals. Malvertising is a favored tactic here, as a few bucks allows threat actors to jump to the top of results on sites like Google or Bing. SEO poisoning is closely related to watering hole attacks, where an attacker compromises a preexisting legitimate website—often one with high search rankings.
While either method can be used to target web users at random, threat actors often abuse the power of search engines to target specific communities, industries, or organizations.
For example, security firm SentinelOne reported on a recent attack that targeted users looking for the Blender 3D rendering software and redirected them to sites that resembled the official Blender site in most respects other than including malicious download links. In 2021, Menlo Security discovered two separate campaigns to distribute the REvil ransomware and the SolarWinds backdoor, the latter appearing on searches like “industrial hygiene walk-through survey checklist.” A 2023 campaign targeted Australian healthcare companies.
It’s “less common,” SentinelLabs senior threat researcher Tom Hegel told IT Brew, but the security firm has seen attackers “doing the same technique to steal login credentials for things like cloud services like AWS.”
Hegel says that since the start of 2023, SentinelLabs has noticed a dramatic spike in SEO poisoning campaigns, to the point where Google searches for certain software invariably had at least one poisoned link during most of January. He believes that “the toolkit that the search engines provide to organizations to be able to get their ads out is definitely making it easier for attackers to abuse it.”
In search of a solution. Because SEO poisoning is most often non-specific to any one organization—and even when it is, the target is a search engine rather than the organization itself—a collective action problem has emerged, according to Menlo Security director of security research Vinay Pidathala.
“The SEO poisoning angle is a very difficult angle to detect and monitor from a brand reputation standpoint, because it requires some tie up with the vendors that are actually serving these results,” Pidathala told IT Brew. “There needs to be that proactive intercompany sharing of intelligence, if you may, that needs to happen. And I don’t know how much of that is currently happening.”
Pidathala added, “It’s not just Google or any of these search giants. [It’s] our responsibility as security vendors. All of us, the whole security ecosystem, need to be responsible.”
SEO poisoning can easily prove a challenge for organizations to handle because it’s easy to scale, difficult to detect, and hard to remove, Hegel told IT Brew. Targets of SEO poisoning are also often small to mid-size organizations with limited security resources.
“There’s a handful of brand monitoring tools out there... Outside of that, you’re kind of out of luck, because you need the process of monitoring what’s being pushed with your brand name,” Hegel said. “And without any sort of third party tool, it becomes pretty difficult.”
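The brand-name monitoring Hegel describes can be started in-house: a small check that takes the results returned for a brand's search term and flags ones that point at lookalike domains or at paid placements served from domains the brand does not own. The following is an added example written for this article, not code from IT Brew, SentinelLabs or Menlo Security; the brand, allowlist and result set are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed settings for one monitored brand (hypothetical allowlist).
BRAND = "blender"
OFFICIAL_DOMAINS = {"blender.org"}

@dataclass
class SearchResult:
    title: str
    url: str
    is_ad: bool  # True when the result was served as a paid placement

def registrable_domain(url: str) -> str:
    """Crude registrable-domain extraction: host minus scheme, port and subdomains."""
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(result: SearchResult):
    """Return a reason string if the result deserves analyst review, else None."""
    domain = registrable_domain(result.url)
    if domain in OFFICIAL_DOMAINS:
        return None
    label = domain.split(".")[0]
    if BRAND in label or edit_distance(label, BRAND) <= 2:
        return f"lookalike domain {domain}"
    if result.is_ad and BRAND in result.title.lower():
        return f"paid placement for brand term from {domain}"
    return None

def flag_suspicious(results):
    return [(r.url, reason) for r in results if (reason := classify(r))]

# Constructed sample result set (not real search data).
SAMPLE = [
    SearchResult("Download Blender", "https://www.blender.org/download/", False),
    SearchResult("Blender Free Download", "https://blender-download.example/setup.exe", True),
    SearchResult("Blender 3D", "https://blnder.example/", False),
    SearchResult("Best 3D tools", "https://reviews.example/best-3d-tools", False),
    SearchResult("Get Blender Here", "https://freetools.example/blender", True),
]
```

Run on the sample, three of the five results are flagged: the two lookalike domains and the paid placement from an unaffiliated domain; the official download page and the unrelated review site pass.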