
Grand Rapids Business Websites Under Direct Attack From SEO Poisoning

For the last few months, there has been a rise in “black hat” search engine optimization (SEO) being used for malicious purposes. This technique is known as SEO poisoning.

Many operators chasing a high Google search ranking use poor-quality SEO practices, adding a variety of irrelevant keywords just to advance their rankings without offering any real benefit to internet users. In many cases this is merely annoying, resulting in a poor search experience for users, but at its worst it serves a more malicious purpose.

What Is SEO Poisoning?

Envizion IT has been tracking REvil ransomware campaigns and SolarMarker backdoor activity being carried out through SEO poisoning. The two campaigns, tracked as Gootloader and SolarMarker, distribute ransomware and backdoors using SEO poisoning techniques.

SEO poisoning occurs when attackers compromise a legitimate website, fill it with popular keywords to raise its search engine ranking, and deceive internet users into clicking malicious links, downloading malware-infected files, and sharing personal information.

SEO poisoning, also known as search poisoning, is not a new technique. Attackers use keyword stuffing, malicious PDF documents, hidden text, and content cloaking to manipulate search rankings and redirect unsuspecting victims to unwanted platforms, applications, phishing sites, malware links, and adware.
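A site owner checking their own WordPress pages for the hidden-text style of keyword stuffing described above could start from a scanner like this one. It is an added example, not code from Envizion IT or from the researchers tracking these campaigns; the inline-style patterns it treats as "hidden" are assumed heuristics, and the sample page is constructed.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Inline-style patterns commonly used to hide injected keyword blocks from
# visitors while leaving them in the HTML for crawlers (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px)?\b|"
    r"text-indent\s*:\s*-\d{3,}|(?:left|top)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # never closed
WORD = re.compile(r"[a-z][a-z'-]+")

class HiddenTextScanner(HTMLParser):
    """Collects text inside elements a visitor cannot see."""
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0      # > 0 while inside a hidden subtree
        self.hidden_text = []
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hidden = "hidden" in a or HIDDEN_STYLE.search(a.get("style") or "")
        if hidden or self.hidden_depth:   # nested tags inherit hidden state
            self.hidden_depth += 1
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1
    def handle_data(self, data):
        if self.hidden_depth and data.strip():
            self.hidden_text.append(data)

def scan_page(html, min_hidden_words=10):
    """Report hidden word count, most repeated hidden terms, and a suspicion flag."""
    p = HiddenTextScanner()
    p.feed(html)
    p.close()
    words = WORD.findall(" ".join(p.hidden_text).lower())
    return {"hidden_words": len(words),
            "top_hidden_terms": Counter(words).most_common(3),
            "suspicious": len(words) >= min_hidden_words}

# Constructed sample page: a normal report page with an injected off-screen
# keyword block and a display:none span (not a real capture).
SAMPLE_PAGE = """<html><body>
<h1>Quarterly Report</h1><p>Our team published the quarterly report as a guide.</p>
<div style="position:absolute; left:-9999px">agreement template free download
agreement template agreement form download agreement template</div>
<span style="display:none">agreement template download</span>
</body></html>"""
```

Running `scan_page(SAMPLE_PAGE)` flags the page and lists the repeated hidden terms; a clean page reports zero hidden words.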

Because the technique is not new, the advice we have given website owners and individual users over the years remains the same: keep antivirus software up to date, be mindful of what is shared online, and know how to spot suspicious websites.

Black Hat SEO and Ransomware in 2021

What does all of this tell us about SEO in 2021? Keywords still work, both for search engine rankings and for telling search engines what a particular website is about. However, stuffing irrelevant keywords into a website will certainly have a long-term damaging effect on your site.

One of the most important lessons of 2021 is that users do not find this approach appealing, especially once they realize the content of the website is not what they anticipated after following the search result. With internet users becoming more aware of cybercrime, black hat SEO is not only an indicator that a website may have little to no value, but also that the website is one to be wary of.

Researchers have reported observing over 2,000 unique keywords that led to malicious websites. These websites automatically deploy malware on unsuspecting victims’ devices. Bad actors seed the websites under their control with the popular keywords that everyday users are searching for.

Not only are these two campaigns being actively tracked, but researchers have also identified a rapid increase in attacks designed to evade the security measures we have grown accustomed to. Bad actors exploit bugs in web browsers and abuse browser capabilities; the compromised browsers are ultimately used to spread ransomware and malware and, eventually, to steal credentials from their targets.

How Does an SEO Poisoning Attack Work?

Malicious actors generally hide malware in websites that redirect users to fraudulent sites hosting malware backdoors. When an internet user clicks on the SEO-poisoned link, they are redirected through malicious PDF documents and a chain of HTTP redirections until a malicious payload is downloaded onto the endpoint. Researchers have observed three different payload sizes, the largest nearly 123 MB and the smallest nearly 70 MB.

The compromised websites hosting the malicious PDFs were discovered to be WordPress sites. Many were reputable, well-ranked sites that had been manipulated to host the malicious content; some well-known educational and .gov websites were also found hosting malicious PDF documents.

WordPress Vulnerabilities Were Exploited by Threat Actors

In the two campaigns being actively tracked, the malicious websites were not created by the threat actors. Instead, the threat actors compromised legitimate WordPress sites with favorable Google search rankings by exploiting a vulnerability in version 5.0.07 of the Formidable Forms WordPress plugin. The flaw has since been fixed in version 5.0.10 and above.

Breaking Down the Attack

  • Compromised WordPress sites were injected with content covering 2,000 unique search keywords and topics.
  • The injected pages were then optimized to rank for these keywords on Google.
  • Search results presented these pages as PDFs, directing users to download the PDF.
  • The redirects keep the poisoned entries from being removed from the search results.

What Are the Threat Actors’ PDF Hosting Techniques?

  • The SEO poisoning campaign has used numerous locations to serve the malicious PDFs; unfortunately, the United States topped the list.
  • The attackers largely targeted websites in the business category, which typically host PDFs such as guides and reports.

The Dark Side of Web Searches

The sudden rise in hybrid and remote work has led to a significant increase in SEO attacks. Hybrid and remote work relies heavily on open-internet searches, which greatly increases the chance of an employee landing on a search result whose ranking has been manipulated. Most employees spend a significant amount of time daily in web browsers, searching for information, saving files, communicating, collaborating, and using platforms and applications.

SEO poisoning and other SEO-based risks continue to pose a significant security threat to businesses and organizations across the globe. Blocking Windows executable file downloads from sources you do not recognize is always recommended.

Let Envizion IT Safeguard Your Grand Rapids Business From Cyber Attacks

Grand Rapids businesses face real, evolving, and sophisticated cyberattacks daily. Small to midsize businesses, for instance, face significant time and resource limitations that can severely hinder their responsiveness to network and data security.

Unfortunately, threat actors have become skillful at exploiting known and unknown vulnerabilities to conduct cyberattacks. This means that all businesses in Grand Rapids must remain observant of their security 24/7/365. Envizion IT has the tools and knowledge to help adapt and grow with your business every step of the way. The threats to your business are increasing daily, and some businesses are struggling to meet the demands and requirements needed to keep sensitive and confidential data safe. We offer security services that can help you protect your business and give you peace of mind.

Schedule your free consultation with the Envizion IT team today by calling us at (616) 741-1144.