Cybercriminals are using popular Search Engine Optimization (SEO) methods to improve the rankings of their phishing sites, and it seems to be working rather well.
SEO is a practice in which the contents of specific websites are optimized in such a way that search engines are better able to index, and track them. If these websites check all the right boxes during indexing and tracking, they’ll appear higher on search results pages – an endeavor seen as the “holy grail” of digital marketing.
Phishing is not reserved for emails
Optimizing website content for search engines means doing a number of things, from ensuring the right content length, to having the proper keywords, enough inbound and outbound links, to tweaking metadata for all the multimedia content. Then, there are things like content-to-ad ratio, cumulative layout shift, and a myriad of other things.
Those that “nail” it, get rewarded by having their websites appear higher on search results pages.
Phishing is not a novel practice. It’s been around since the dawn of the internet, and its premise is simple – trick the victim into giving away sensitive information – be it passwords, or personally identifiable data, or into downloading viruses and malware.
But phishing has almost always relied exclusively on email and social media channels. Victims would receive a seemingly innocent email or private message, from someone either posing as a well-known brand, their co-worker, or otherwise a person of interest.
That message would carry a link, or an attachment, which would compromise the victim’s endpoint in one way or another.
Being a popular practice among crooks, most businesses have trained their staff to spot when they receive a phishing attack in their inbox. The training, however, usually doesn’t cover search engines.
“People know they should be wary of clicking on links in email, text messages, and in social media from people they don’t know. But search engines? This presents a much harder challenge.” said Ray Canzanese, director of Netskope’s Threat Labs.
“How does the average user differentiate between a “benign” search engine result and a “malicious” search engine result? From an enterprise perspective, this underscores the importance of having a web filtering solution in place,” Canzanese said.
The best way to defend against SEO-optimized phishing attacks is to deploy a solution that decrypts and scans web traffic for malicious content, Canzanese concluded.