Just like you can’t judge a book by its cover, you can’t trust a search by your top results. But how is that so? It contradicts all we believe to know about search engines, and cracks the inherent trust users put into “Googling it.” The truth is, even the most tech-savvy digital marketers don’t know the exact rhyme and reason behind Google’s search algorithms. So, what do search engine marketers know? It is widely known and confirmed that keywords and a handful of other core factors are being prioritized by crawlers in organic search rankings. We know the golden rule is relevancy, and various content and technical signals determine a relevant match to a user’s keyword search and top-rated results. But recent news has revealed you can’t take everything for face value, as even the tech giant itself is susceptible to hacking campaigns.
The latest trend in malware has been termed SEO poisoning, or “search poisoning”. This attack method relies on optimizing websites using ‘black hat’ SEO techniques to rank higher in Google search results. These ‘black hat’ optimized websites are in fact malicious, but due to a high SERP ranking deceive victims into believing these sites are legitimate and clicked by visitors looking for specific keywords.
SEO for Ransomware
According to the findings of the Menlo Security team, SEO poisoning cases are on the rise. Notorious ransomware groups, SolarMakers and REVil, are thought to be attributed to some recent attacks. Their campaigns used SEO poisoning to serve malicious payloads to their keyword-seeking targets. After optimizing sites with keywords that cover over 2,000 unique search terms, the sites appear top in a user’s search results page (SERP). These sites appear in search results as PDFs, and when visited, prompt a user to download the document.
When a user clicks the download button, they are redirected through a series of websites that ultimately drop a malicious payload. The threat actors use these redirects to prevent their sites from being detected and removed from Google search results for malicious content.
In the two most notable campaigns, Gootloader and SolarMarket, the actors didn’t create their own sites but instead hacked legitimate WordPress sites with strong Google search rankings. How? By abusing an undisclosed flaw in the ‘Formidable Forms’ WordPress plugin, which the hackers used to upload malicious PDFs. B2B websites were the most heavily targeted, as they are known to naturally host a large library of downloadable PDF resources.
So What Does This Mean?
For users, do your due diligence. Not all is as it appears online, even on trusted sites like Google. Exercise caution, keep up with your antivirus programs and monitor for suspicious links or potential phishing scams. A cybersecurity hack could result in breached sensitive data or require a ransomware payout.
For businesses, beware. Hackers have learned targeting high-value companies can yield much higher payouts (millions compared to the measly hundreds in consumer ransoms), especially if there is a high likelihood their attack will affect many users. Maintaining a healthy website entails regularly updating plug-ins, installing preventative security measures, and conducting frequent tests.
Does your website need a check-up? Or perhaps a new fitness regime to keep website health goals on track? Contact Bluetext to learn how our website development, optimization, and maintenance services could cure your security concerns.