SEO Poisoning and Malvertising

Scams

July 13, 2023

Search engine optimization (SEO) is the process of improving the quality and quantity of traffic that a website or web page receives from search engines. SEO poisoning is a tactic in which threat actors strategically create malicious websites and use techniques such as keyword stuffing to insert irrelevant keywords into a webpage’s text, meta tags, and other areas of the website. This technique deceives search engine algorithms into increasing the website’s visibility and rankings, causing these websites to display at the top of search engine result pages (SERPs). Unsuspecting users who click on these “poisoned” search results without scrutiny may be taken to these malicious sites, potentially leading to financial losses, credential theft, and malware infections.

Threat actors employ SEO poisoning and impersonation to display fraudulent customer service or technical support numbers for reputable companies and retail services with the intent to steal funds and sensitive information, including account login credentials. Cybercriminals often attempt to exploit trending topics, such as Amazon Prime Day, for financial gain. For example, when a user searched for how to cancel an Amazon Prime membership, the Google SERP displayed an illegitimate Amazon customer service phone number that, when called, connected the user to the threat actor rather than the genuine Amazon customer service department. The threat actor stated the membership could not be canceled online because the user supposedly had several pending gift card and Bitcoin purchases. Although the user stated they did not authorize these pending purchases, the threat actor attempted to obtain new financial information. Threat actors also spoof utility websites in SERPs to convince potential victims to contact a fraudulent customer service number. If called, the threat actors attempt to obtain sensitive information and login credentials that can be leveraged to compromise other accounts belonging to the victim. They also impersonate reputable clothing, footwear, and apparel brands—such as Nike, Puma, Adidas, New Balance, and more—to scam unsuspecting customers into purchasing items on fraudulent websites, potentially exposing financial and personal information.

Additionally, threat actors impersonate legitimate brands and advertisers on SERPs and malicious websites via malvertising, or malicious advertising. For example, a malvertising campaign using brand impersonation was discovered when performing a search for USPS tracking. The legitimate-looking ad displayed the official USPS website address and branding and targeted both mobile and desktop users; however, the advertiser’s identity and location did not match USPS. Users who clicked the ad were redirected to a phishing website and prompted to enter their tracking number, which produced an error message. The target was then directed to enter their full address and credit card information to pay a small fee in order to receive the package. The website also requested the login credentials for the victim’s financial institution account to “confirm” the credit card, allegedly to protect against fraud.

Malvertising campaigns may also be used to distribute malware via spoofed webpages of legitimate organizations. For example, a user searching for WinSCP (a popular open-source Windows application for file transfer) may inadvertently click on a malvertisement that leads to a malicious website containing a “Download” button. Clicking the button downloads an ISO file to the system, from which the malicious payload is dropped. This activity was identified as a BlackCat (aka ALPHV) infection, and the threat actors utilized SpyBoy terminator in an attempt to tamper with security protection agents. Additionally, researchers discovered a new Big Head ransomware variant distributed through malvertising of fraudulent Windows updates and Microsoft Word installers.

The NJCCIC recommends users exercise caution and carefully examine search results prior to clicking links, ensuring the websites they visit are known and legitimate. Additionally, refrain from clicking ads, downloading programs, or providing sensitive information via unofficial websites. Users may research a website’s registration information to determine the age of the website; very newly registered domains are often used for fraudulent activity. We advise users to exercise caution with unsolicited communications, keep systems and software up to date, obtain software from legitimate developers/companies after analyzing customer reviews, and monitor and report suspicious account activity. If suspicious inquiries are made by individuals claiming to represent a trustworthy organization, contact the organization using the official phone number found on its website before taking action or divulging information.
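The domain-age check recommended above, as an added example that is not part of the advisory: it extracts the creation date from constructed WHOIS-style records (the domain names, date labels, and date formats are assumptions) and flags any domain registered fewer than 90 days before a fixed reference date as newly registered.

```python
import re
from datetime import date, datetime

# Constructed WHOIS-style records (not real lookups): one freshly registered
# lookalike domain, one long-established domain, and one with no date field.
SAMPLE_RECORDS = {
    "prime-membership-support.example": (
        "Domain Name: PRIME-MEMBERSHIP-SUPPORT.EXAMPLE\n"
        "Creation Date: 2023-07-01T00:00:00Z\n"
    ),
    "established-retailer.example": (
        "Domain Name: established-retailer.example\n"
        "Registered On: 15-Mar-2010\n"
    ),
    "redacted.example": "Domain Name: redacted.example\nRegistrar: (redacted)\n",
}

# Creation-date labels and formats differ by registrar; these are the ones
# this example assumes it will encounter.
DATE_LABELS = r"Creation Date|Registered On|created"
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the registration date in a WHOIS record, or None if absent."""
    match = re.search(rf"^\s*(?:{DATE_LABELS}):\s*(\S+)", whois_text,
                      re.IGNORECASE | re.MULTILINE)
    if not match:
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(match.group(1), fmt).date()
        except ValueError:
            continue
    return None  # unrecognised format: report unknown rather than guess


def assess_domain(domain, whois_text, today, min_age_days=90):
    """Classify a domain by age; young or unknown ages warrant extra scrutiny."""
    created = parse_creation_date(whois_text)
    if created is None:
        return {"domain": domain, "age_days": None, "verdict": "unknown"}
    age = (today - created).days
    verdict = "newly-registered" if age < min_age_days else "established"
    return {"domain": domain, "age_days": age, "verdict": verdict}


def run_checks(today=date(2023, 7, 13)):
    """Assess every sample record against a fixed reference date."""
    return [assess_domain(d, rec, today) for d, rec in SAMPLE_RECORDS.items()]
```

A record with no parseable creation date is reported as "unknown" rather than "established", since redacted or missing registration data is itself a reason for caution.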