Home / Industry

SEO Poisoning: A Persistent Malware Threat Targeting High-Profile Brands

It's bad enough that malware is virally spread via paid search and social networking links. But now there are more accounts of it being spread via natural search links as well. In a practice called "SEO Poisoning," fraudsters use Search Engine Optimization (SEO) techniques to mix malware-laden search results with legitimate ones. Many infected URLs are found within the top 10 search results and thus have a higher likelihood of a user clicking through.

Many of these attacks are targeting major product events and popular websites. Just last month, for example, two attacks (as reported by Websense) targeted the much anticipated Google Wave beta invitation and the Microsoft Securing Essentials (MSE) product launch. Earlier this year, the March Madness basketball tournament was also targeted. In these situations, fraudsters anticipated that people would be searching on these topics and leveraged black hat SEO techniques (such as keyword stuffing and link farms) to push their malware-linking results to the top of the search engine results page. While Google has automatic scanners for detecting and blacklisting malware sites, there remains a window of opportunity for fraudsters to push their results to the top of the results page before being detected and expunged.

Another common SEO poisoning tactic takes advantage of a common practice used among popular websites — caching search queries — to boost the site's ranking among the major search engines. While making search queries on these websites, fraudsters inject common search terms and an iframe script (snippets of HTML code for us non-techies) designed to redirect visitors to malicious sites. These search queries then go back to the search engine with the malicious code attached. So, when a user conducts a search on these common search terms relating to the popular website and clicks through on one of the infected links on the search engine results page, he/she is redirected, via the Javascript code, to a compromised website where social engineering tactics often trick the user to install malware. These types of attacks have targeted such high-trafficked sites as ABCNews.com, CNET properties, News.com, Target.com, Walmart.com and Wired.com. (As an aside, in all of these SEO poisoning attacks, only the links in the natural search results, not the website itself, are infected.)

What can brand owners do to protect their brand from these attacks? First and foremost, brand owners need to remain vigilant on how and where their brand is being used to preserve the trust in their brands, especially around major product announcements. Malicious links are now found everywhere — in organic and paid search results as well as blogs and micro-blogs — so brand owners should take a holistic approach to monitoring for potential abuse across the entire Internet. If malware is detected on Google, brand owners can report the suspected malware link via the Google Safe Browsing malware reporting page. Brand owners with search capabilities in their websites can also guard against the tactic described above by filtering out scripts in their search queries before the results are exchanged with the search engines. Finally, enterprise anti-malware solutions, such as our own, provide brand owners with an efficient response for blacklisting and shutting down these sites and retrieving stolen information.


About MarkMonitor – MarkMonitor®, the world leader in enterprise brand protection uses a SaaS delivery model to provide advanced technology and expertise that protects the revenues and reputations of the world's leading brands. Learn More

Related topics: Cybercrime, Cybersecurity, Malware


Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services


Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

Promoted Posts

Buying or Selling IPv4 Addresses?

Discover ACCELR/8, a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum