Phishing site operators are now making use of a special class of illegal search engine optimization tactics to get their pages displayed above legitimate websites in search results.
Researchers with security company Cybersixgill said these “black hat SEO” practices have become so popular that those who practice the skill are able to sell their services to phishing site operators on dark web hacking forums for anywhere from $70 to $500 per month.
Unlike normal SEO techniques, which operate within the guidelines set by search engines, the black hat SEO practitioners break rules set by Google and Microsoft to game the system and get phishing pages listed higher.
Cybersixgill dark web analyst Adi Bleih told SearchSecurity that some of the dirty tricks phishing attack perpetrators use include stuffing keywords, redirecting links from other sites and making use of paid links.
“The difference is that black hat SEO are tactics that are used to rank a website that violates search engine guidelines,” Bleih said. “Legit SEO focuses on creating the best result on the web, not just making it seem as though it is.”
As a result, the phishing sites become far more effective at luring users to their pages and harvesting credentials and login information. While the sites do run the risk of being caught and delisted by the search engines for breaking SEO rules, the added traffic is worth it for the phishing site operators if the risk and the traffic are correctly balanced.
“In this case, it’s the threat actor’s actions that decide the domain’s lifetime,” Bleih explained. “If he uses black hat SEO techniques more often, he will be ‘punished’ by the search engines and may get blocked or removed from the search engine data.”
While the increased effectiveness of phishing attacks due to SEO is a threat on its own, the findings also bring up a larger issue for administrators and defenders. The underground cybercrime markets have now evolved to the point where specialist services are able to thrive as a support ecosystem for the groups running large-scale cybercrime and fraud operations.
SEO poisoning has been used by cybercriminals in the past, most recently in a campaign to spread SolarMarker, an information stealer and backdoor. But Cybersixgill’s report indicated that the practice is now widely available to a variety of threat actors and groups.
“That is what happens in the phishing and scamming world, where you can find actors who build phishing site packages — back-end and front-end development, admin panels, crypted letters, etc. — and actors who specialize in marketing and SEO,” Bleih said.
“This should worry us — the users who enter different sites by the search engine results.”