Cyber security researchers have discovered an alarming rise in phishing attacks that are using SEO (search engine optimisation) techniques to legitimise their scams.
Netskope’s Cloud and Threat Report: Global Cloud and Malware Trends found that downloads of malicious PDF files rose 450% in the past year. It highlighted that one reason for the increase is that scammers are optimising their websites to improve traffic.
SEO is a common technique in Internet marketing. It describes the process of tailoring a website’s content to improve its ranking on search engines.
Sites such as Google determine the order in which search results appear based on several factors. The most influential are how closely the page relates to the user’s search query, the overall quality of the site and the amount of traffic it receives.
For most websites, the value of SEO is obvious. Few people browse beyond the first few results, so anything that doesn’t rank highly is unlikely to be seen.
You might not think this applies to phishing attacks, because scammers don’t typically rely on people stumbling across their bogus sites. They instead create fraudulent emails and social media posts enticing people to click malicious links.
However, Netskope’s report has found that search engines are unwittingly displaying scammers’ sites.
The technique referred to in Netskope’s report is known as ‘SEO poisoning’ or ‘black hat SEO’. It describes the use of website optimisation for phishing websites.
Unlike most forms of phishing, the goal isn’t simply to mimic the layout of a legitimate website. Instead, cyber criminals use relevant keywords that might attract unknowing victims.
For example, one common phishing scam is to advertise expensive items at a discount. If websites are loaded with related phrases, such as ‘jewellery sale’ and ‘where can I buy discount jewellery’, they are more likely to rank higher.
But it’s not just about what’s on the page. Most search engines use an algorithm that also accounts for the reputability of the website. One key factor in that is whether the site is served over HTTPS.
HTTPS indicates that the connection between the visitor’s browser and the website is encrypted, meaning that data cannot be intercepted in transit between the visitor and the site.
The use of HTTPS doesn’t in and of itself mean the website is authentic (anyone can pay for a certificate), but the lack of HTTPS means the site should be viewed with suspicion.
Search engines typically penalise websites that don’t have HTTPS, so it’s an essential tool for anyone who wants to improve their SEO ranking.
Another SEO poisoning technique is to fake website traffic. Search engines reward websites that have lots of visitors, because it indicates that the page contains useful information. Cyber criminals take advantage of this with bots that “visit” and interact with the website.
How to spot malicious search results
Netskope’s report identifies several ways that people can avoid phishing scams that appear in search engines.
As with most forms of phishing, there is only so much that technology can do to protect you. Some web browsers have tools that inspect encrypted traffic and alert users to suspicious activity.
However, this isn’t a foolproof system, and organisations should focus on ways to help employees spot malicious results. One way to do that is by encouraging people to inspect links before they click.
Ray Canzanese, director of Netskope’s Threat Labs, also provides tips on what to do if an employee clicks on a malicious PDF file via a search result. He notes that users will see a fake captcha, followed by text on other pages.
If this displays, the user should close the file, delete it from the device and report it to the organisation’s cyber security team immediately.
You can find more tips on how to avoid scams with our Phishing Staff Awareness Training Programme.
This online course uses real-world examples like the one we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
The content is updated quarterly to include recent examples of successful attacks and the latest trends that criminals use.