Increase in SEO Poisoning/Malvertising

Scams

February 8, 2024

Search engine optimization (SEO) is the process of improving the quality and quantity of traffic that a website or web page receives from search engines. In SEO poisoning, threat actors strategically create malicious websites and use techniques such as keyword stuffing, inserting irrelevant keywords into a webpage’s text, meta tags, and other areas, to deceive search engine algorithms into increasing the website’s visibility and ranking so that it appears at the top of search engine results pages (SERPs). SERPs also display advertisements or sponsored links, which may be part of malvertising campaigns. The position or ranking of an advertisement on a SERP may be determined by the keyword bid amount, competitors’ bid amounts, relevance, and performance. Although malicious links and ads violate search engine policies, threat actors still attempt to publish them and stay under the radar of proactive monitoring. Search engines may be unable to remove or shut them down immediately due to their sheer numbers, as testing each link or ad is time-consuming and costly. Unsuspecting users who click on these “poisoned” search results without scrutiny may be taken to malicious sites, potentially leading to financial losses, credential theft, and malware infections.

Threat actors continue to impersonate legitimate brands and advertisers on SERPs to deceive users into downloading spoofed, malicious versions of popular free software such as FreeCAD, Rainmeter, CorelDRAW, GitHub Desktop, RoboForm, and TeamViewer. Another campaign distributing PikaBot malware is disguised as AnyDesk software and bypasses the search engine’s security checks: the malicious ad redirects unsuspecting victims to a fraudulent website pointing to a malicious MSI installer hosted on Dropbox. Additionally, researchers discovered a malvertising campaign, dubbed UNC2975, in which poisoned search results and social media posts directed potential victims to fraudulent unclaimed-funds websites; the analysis revealed multiple domains and IP addresses associated with the distribution of the DANABOT and DARKGATE backdoor malware. Furthermore, when users searched for an advanced IP scanner application, malicious ads directed them to a fraudulent website containing a malicious installer for the WorkersDevBackdoor malware. Researchers reviewed many links in the SERPs of popular search engines, such as Google, Bing, and DuckDuckGo, over the past year. Their findings revealed that higher-ranked pages were, on average, more heavily optimized, monetized with affiliate marketing, and showed signs of poor text quality. All search engines are advised to be cautious when promoting sites, especially those that produce high volumes of content and “thin affiliates” with large amounts of low-quality content. The quality of search results is expected to worsen as generative artificial intelligence (AI) grows in popularity and use.

Recommendation

The NJCCIC recommends that users exercise caution and carefully examine search engine results and advertisements before clicking links, ensuring the websites they visit are known and legitimate. Additionally, refrain from downloading software or providing sensitive information via unofficial websites. Users may research a website’s registration information to determine the website’s age; very newly registered domains are often used for fraudulent activity. We advise users to exercise caution with unsolicited communications, keep systems and software up to date, obtain software from legitimate developers/companies after analyzing customer reviews, and monitor and report suspicious account activity to the respective platform or entity. If suspicious inquiries are made by individuals claiming to represent a trustworthy organization, contact the organization using the official phone number on its website before taking action or divulging information.
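The domain-age and official-domain checks recommended above can be automated for links taken from search results or ads. The following is an added example, not NJCCIC code: it reads RDAP-style registration data (the sample response, the 90-day threshold, and the look-alike domain are constructed for illustration) and flags a link whose host is not the vendor's official domain or whose registration is very recent.

```python
import json
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical threshold: domains registered more recently than this are flagged as "very new".
NEW_DOMAIN_DAYS = 90
# Reference date for the age calculation (the advisory's publication date).
ADVISORY_DATE = datetime(2024, 2, 8, tzinfo=timezone.utc)

# Constructed RDAP-style response (not real registry data) for a look-alike download domain.
SAMPLE_RDAP = json.dumps({
    "ldhName": "anydesk-download-example.test",
    "events": [
        {"eventAction": "registration", "eventDate": "2024-01-20T10:15:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-01-21T00:00:00Z"},
    ],
})

def link_host(url: str) -> str:
    """Lowercase hostname of a URL: the part to compare against the vendor's official domain."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()

def registration_date(rdap_json: str) -> Optional[datetime]:
    """Return the 'registration' event date from an RDAP response, or None if absent."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def assess_link(url: str, rdap_json: str, now: datetime, official_host: str) -> dict:
    """Flag a link whose host is not the official domain or whose registration is very recent."""
    host = link_host(url)
    registered = registration_date(rdap_json)
    age = None if registered is None else (now - registered).days
    reasons = []
    if host != official_host and not host.endswith("." + official_host):
        reasons.append("host is not the official domain")
    if age is None:
        reasons.append("registration date unavailable")
    elif age < NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered only {age} days ago")
    return {"host": host, "age_days": age, "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    print(assess_link("https://anydesk-download-example.test/setup.msi", SAMPLE_RDAP, ADVISORY_DATE, "anydesk.com"))
```

In practice the RDAP JSON would be fetched from the registry's RDAP service for the domain in question; a missing registration date is itself treated as a reason for caution.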

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact us here at Cyber Command with any questions.