Sage Advice - Cybersecurity Blog

Cyberattacks 101: SEO Poisoning

Search Engine Optimization (SEO) is a common term used by digital marketers, and is a technique used by many organizations to generate clicks on digital content, drive website traffic, and more. While SEO efforts and techniques vary – and can be paid or unpaid – the goal for marketers remains the same: to expand visibility by targeting online users through search engines.

Just as legitimate marketers can use SEO techniques, cybercriminals can, too. Cybercriminals will stop at nothing to get what they want, and there is an emerging tactic called SEO poisoning that organizations – and their marketing departments – must be aware of moving forward. Let’s explore the basics.

How can marketers achieve a good SEO ranking?

Before we discuss how cybercriminals use SEO to gain access to valuable data, we need to understand more about how SEO works. When a marketer optimizes their content or website for SEO purposes, they’re essentially feeding search engines – like Google and Bing – crawlable information through keywords on the organization’s website pages. Search engines use this information to give the organization a ranking and then display the websites in order of that ranking. If an organization can dial in their SEO accurately, they are more likely to be ranked near the top of the search results.

For example, if you work for a municipality and are looking for new software solutions and type in “Tyler Technologies” in Google, it will come up first on the search results list if the SEO is done right. Other competitors will hopefully be further down the list.


A good ranking means that the organization has page authority. Factors include whether other sources link to that specific page, whether the page gets a lot of total visits, and whether the organization’s chosen keywords match what users are searching for.

What is SEO Poisoning?

Just as these SEO techniques can work favorably for an organization, there are also ways cybercriminals can use the same techniques to their advantage. SEO poisoning, sometimes referred to as black hat SEO, covers the illegitimate and illegal techniques cybercriminals use to increase the visibility of a malicious site or to mislead victims about the content of a legitimate webpage. Simply put, the hacker will get victims to click on something that they shouldn’t by using SEO techniques.

A current, real-world example is the ongoing SolarMarker campaign. This malware group is currently using SEO poisoning to lure victims to a malicious website. Then they install a remote access Trojan (RAT) – malware that allows the attacker to access the system from a remote location – so they can steal data or flat out take over the whole machine. The group is currently out there trying to pull in clicks to the malicious site so they can fool unsuspecting people.

What are these SEO poisoning groups trying to do?

We can break this down into two categories:

  1. Hackers are trying to trick users into visiting the malicious site. Criminals want to drive traffic to their malicious sites for many nefarious reasons, including stealing personal information, spreading disinformation, or installing malware. These sites are often used as a delivery platform for drive-by downloads.
  2. They are trying to damage legitimate website reputations. SEO poisoning groups will do this to increase the traffic to their malicious site. Hackers know that if they’re trying to impersonate a legitimate source, it will be hard to do if that legitimate source is still the top hit on Google. Therefore, it’s easier for the hacker to get rid of their competition by reducing trust in the other business. They do this by convincing victims that they were hacked by visiting the rival’s (i.e. the legitimate source’s) website.

What are some common SEO poisoning tactics?

Let’s look at how hackers can pull off this type of attack. The most intuitive of the different poisoning techniques is called keyword packing. Hackers will fill up their malicious site with hundreds of keywords that can be picked up by search engines to push the site to the top of the list. They will use any words they can – to target anyone they can – to make their site look like it has information about many different topics. By having these keywords bundled together, it can look like a well-informed site to the search engine bots that crawl websites to determine the SEO ranking.
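One way a defender could triage a suspicious page for keyword packing is sketched below as an added example, not code from the original article. It assumes a heuristic of its own choosing: ordinary prose is dense with function words ("the", "is", "of"), while a bundle of keywords has almost none. The word list, thresholds, and both sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Short function-word list (assumed): ordinary prose is full of these, keyword lists are not.
FUNCTION_WORDS = frozenset(
    "a an and are as at be by for from has in is it of on or that the this to was with".split())

# Both pages are constructed samples.
PROSE_PAGE = """<html><head><style>p {color: red}</style></head><body>
<p>The city is looking for a new permitting system that is easy to use
and that works with the tools it has in place today.</p></body></html>"""
PACKED_PAGE = """<html><body><div>free invoice template download resume template
pdf editor tax form lease agreement sample contract template word business plan
excel budget cover letter power of attorney form</div></body></html>"""

class VisibleText(HTMLParser):
    """Collect the words of a page, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.skipping = 0
        self.words = []
    def handle_starttag(self, tag, attrs):
        self.skipping += tag in ("script", "style")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skipping:
            self.skipping -= 1
    def handle_data(self, data):
        if not self.skipping:
            self.words += re.findall(r"[a-z']+", data.lower())

def text_stats(html):
    """Return (word_count, share of words that are function words)."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    words = parser.words
    ratio = sum(w in FUNCTION_WORDS for w in words) / len(words) if words else 0.0
    return len(words), ratio

def looks_keyword_packed(html, min_words=20, max_ratio=0.15):
    """Heuristic with assumed thresholds: enough text, almost no function words."""
    count, ratio = text_stats(html)
    return count >= min_words and ratio <= max_ratio  # short pages are never flagged

if __name__ == "__main__":
    for name, page in (("prose", PROSE_PAGE), ("packed", PACKED_PAGE)):
        print(name, text_stats(page), looks_keyword_packed(page))
```

A score like this is a triage signal only; pages such as product catalogues or glossaries can also be light on function words.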

Another tactic is to use fake traffic, where the hacker makes one website look more popular than it really is. Since search engines prioritize websites with more views over those that have fewer views, attackers will try to generate fake traffic to their malicious website so they can eventually rank higher in the search results. If a malicious website suddenly gets thousands of views, it will bump them up in the ranking, giving them a higher chance of compromising unsuspecting victims.

Finally, SEO poisoning groups will try to duplicate a website so they can mimic it and lure the victim to click that one instead of the real one. This is malicious because search engines typically only show one organic version and one paid version of a website in their results. Hackers will try to mimic websites with the goal of knocking the real ones further down on the Google search results list, thus tricking victims into clicking on the fake one instead.

How can you defend against an SEO poisoning attack?

Like a lot of other defenses, do not visit unfamiliar websites. This is particularly important to remember. Being the top hit on a search engine does not always mean that a website is safe. You can't just trust that the first page of Google is going to give you good, safe information. Use your instincts and always hover over the link to see the whole URL before clicking on it.

If you do find yourself unexpectedly redirected or you click on a link and find that you’re rapidly switching through five different pages, that’s a good indication that you should leave the final destination, or just close the browser.
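The same warning sign can be checked for in web proxy logs. The following is an added example, not part of the original article: it flags a click-through from a search results page that bounces rapidly through five pages. The log format, host names, search engine list, and the three-second gap are constructed assumptions; the five-page threshold is the article's rule of thumb.

```python
from urllib.parse import urljoin, urlsplit

# Constructed proxy log, one request per line:
# epoch_seconds client status url referer location ("-" = header absent)
SAMPLE_LOG = """\
1700000000 10.0.0.5 302 http://templates.example/invoice https://www.google.com/search?q=invoice+template http://hop1.example/r
1700000001 10.0.0.5 302 http://hop1.example/r - http://hop2.example/r
1700000001 10.0.0.5 302 http://hop2.example/r - /next
1700000002 10.0.0.5 302 http://hop2.example/next - http://landing.example/download
1700000002 10.0.0.5 200 http://landing.example/download - -
1700000010 10.0.0.9 301 http://vendor.example/ https://www.bing.com/search?q=vendor https://vendor.example/
1700000011 10.0.0.9 200 https://vendor.example/ - -
"""

SEARCH_HOSTS = {"www.google.com", "www.bing.com"}  # assumed list of search engines
MAX_PAGES = 5  # the article's "five different pages" rule of thumb
MAX_GAP = 3    # assumed: seconds between hops that still counts as "rapid"

def find_redirect_chains(log):
    """Return [(client, [urls])] for search-originated chains of >= MAX_PAGES pages."""
    pending = {}  # client -> (time of last hop, URL the redirect points to, pages so far)
    alerts = []
    for line in log.splitlines():
        ts, client, status, url, referer, location = line.split()
        ts, status = int(ts), int(status)
        prev = pending.get(client)
        if prev and prev[1] == url and ts - prev[0] <= MAX_GAP:
            pages = prev[2] + [url]        # this request continues the chain
        elif urlsplit(referer).hostname in SEARCH_HOSTS:
            pages = [url]                  # click-through from a results page
        else:
            continue                       # unrelated request; keep any open chain
        pending.pop(client, None)
        if 300 <= status < 400 and location != "-":
            # Location may be relative, so resolve it against the current URL
            pending[client] = (ts, urljoin(url, location), pages)
        elif len(pages) >= MAX_PAGES:
            alerts.append((client, pages))
    return alerts

if __name__ == "__main__":
    for client, pages in find_redirect_chains(SAMPLE_LOG):
        print(client, " -> ".join(pages))
```

The ordinary HTTP-to-HTTPS redirect from the second client is two pages long and is not flagged; only the five-page chain is reported.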

Always make sure that your browser is updated to the latest security settings. Additionally, be sure to have antivirus software installed on your device so that if you do end up on a compromised site or get hit with a drive-by download, your antivirus will catch that and prevent you from being harmed.

Finally, if you are a website owner, ensure that you have secured the website as best you can and require multi-factor authentication (MFA) for privileged users.

By practicing safe browsing and implementing necessary technical controls, you will minimize your and your organization’s chances of getting compromised by an SEO poisoning attack.
