Today’s world is moving at fast-breaking speed, especially when it comes to internet usage and the way we use it in our daily routines. We are all excited consumers of online content, and our numbers keep growing, activity and traffic within the spreading internet network is setting new records every day.

When we are looking for new content in a specific field we will probably look for one of the known search engines such as Google or Binge, and prefer to choose the first websites on the first page to save time. Here lies the question: how are websites ranked by search engines and can this method be manipulated? The answer is SEO (Search Engine Optimization). Even people with little to no familiarity with this digital marketing strategy can take advantage of it and support their brand in ranking higher in online search results. 

But what happens when threat actors use search engines algorithms for their own malicious purposes?

What is a Black Hat SEO?

Black Hat SEO goes against the guidelines set by search engines and manipulates them to gain higher rankings. As such, it can lead to being removed completely from search results or getting a lower position in the results. White Hat SEO on the other hand, is a more ethical way of doing SEO by creating quality content and a good user experience.

So why do threat actors use Black Hat SEO and not White Hat SEO?

One answer is phishing campaigns. Naturally, new phishing sites are detected by anti-viruses and different scanners and only last for a few days at most. Threat actors use black hat SEO to bump their site’s position in search engines so that they can extract the most out of their phishing attacks and “hunt” as many victims as they can in this small period of time. Yet worth noting that since their shelf-life is rather short, these phishing sites have less likelihood to really succeed.

Cyber criminals also use Black Hat SEO techniques to damage the reputation of  legitimate sites. It’s easier for a black hat marketer to get rid of their competitor than to build their own reputation. One way is to reduce their competitor’s customers by  convincing them that they were hacked by visiting the competitor’s legitimate site.

Free and Legit Services Offered

In the example below, we can see a threat actor who explains about websites hosts. Since the actor chose a host with no policy (regarding phishing, hacking, drugs etc.), which may suggest his intentions are less legitimate and this may be an introduction for those who’d like to deploy a phishing/scam site. In most cases, these no-policy hosting sites host multiple phishing domains that are blocked after a short period of time.

 

In this example, a threat actor is offering to exploit an SEO tool called “Vbulletin”. This tool is provided by a vendor called “dragon-byte technologies”, and looks like a legitimate tool and supplier. The threat actor mentions an option to exploit the tool to improve one’s phishing attack by employing redirection links.

Redirection links are one of the most famous methods that exist today in which cybercriminals post a link of a URL that looks legit, but after pressing it, it redirects the victim to a malicious site. Also, the actor mentioned that this tool is supported by all search engines, which gives an advantage to threat actors who use and expose their phishing sites in the wild.

An Attacker’s Point of View

So how does it look in real-life? Let’s explore it for a few minutes using the following example. The crypto blog ״Cryptoformacion[.]com״ looks like a legitimate url, but it was actually compromised by threat actors who look to improve the reputation of their malicious site by using SEO techniques such as backlinks and redirecting links.

After pressing the url, it automatically redirects the user to a phishing sites, currently – get-electrum[.]com (you can see the URL section changing in both pictures from Cryptoformacion[.]com to get-electrum[.]com):

This is the phishing domain after checked in Virus-Total: 

One indication that something is wrong with the supposed “legit” url is the huge amount of backlinks that link to it  – 177,105. A backlink is a link from one website (your site) to a page on another website (in this example, it’s the phishing page).

 

 

It shouldn’t surprise us, as some threat actors are selling backlinks for exactly these kinds of black hat SEO campaigns:

Diving deeper into the rabbit hole, we have checked the “legit” url in VirusTotal and discovered that it is marked as not malicious. But interestingly, one of the outgoing links from the “legit” domain seems suspicious and again the keyword “electrum” is being used, this time to a different phishing domain.

 
And indeed, the outgoing link is indeed referring to a url that is flagged as a phishing page.

Threat actors buy and sell web shells in the underground markets, to control the website’s server, so they could gain access to all the traffic within the site, use it as a Command-and-Control server, steal your data, and the list goes on.

Cybercriminals use different tools within the SEO field to upgrade their malicious site rank and amount of future traffic, as in this example, we saw thousands of Backlinks that probably are a part of black hat SEO. 

 

Black Hat SEO as a Service

We can also find services given by different actors on the deep and dark web, services that include SEO (for malicious sites such as phishing), optimization (redirections links, backlinks, content), and more.

In this example, we can see a threat actor offering some services including phishing pages for sale, back-end SEO (optimization of the page using source code, DNS configurations, backlinks, not content), results catchers, all made privately by the publisher of the post.

We also follow white hat groups and individuals in different underground forums, where we can find interesting information, like the example below.

The actor speaks about a large -scale phishing campaign that involves scam pages who impersonate legit genuine brands. It also mentioned the operation discovered by a singapoorian security firm “cloudSEK”, who shared their report with different media sources.

How its all connected to black hat SEO to ask, according to the security report, the phishing campaign apparently victimized the Indian audiences using Google ads and SEO by drawing them to hundreds of malicious sites. 

Conclusions

Threat actors are known to exploit legitimate techniques to their advantage, turning it from innocent best practices to malicious campaigns. Search engine optimization (SEO) is not different, and threat actors use black hat SEO to improve and optimize their phishing sites — by improving the site’s ranking and position in search engines and thus maximize incoming traffic.  

We recommend carefully checking any url that you click, even if you’ve found it after searching Google. As we’ve emphasized in this piece, many threat actors use redirection links and other techniques in order to manipulate users and lure them into phishing pages.