Attackers are always iterating. In the early 1990s, firewalls were first built to stop attacks on public-facing servers. Attackers then learned to do port scans to break firewalls. Fast forward to the 2020s and email phishing became the most common cyber-attack vector: “Hey, we can get people to click and do the work for us!”
All of that is changing. Lately, malware-focused threat groups that we track are moving away from phishing and towards SEO poisoning.
What is SEO Poisoning?
We all use a search engine to find things on the internet. The results at the top of the list are typically the best matches for the search we made, so we click on one. You’re probably aware that many companies pay to appear at the top of those search results.
Attackers abuse the same ranking mechanisms to covertly push their malicious websites toward the top of search results and lure users into clicking. The click often triggers a download that starts the malicious process.
Why Are Attackers Moving Away From Phishing?
It may not be obvious, but a lot of progress has been made in the battle against phishing: employee education, awareness, big bold warnings, simulated testing, and increasingly sophisticated detection tools. Credit also goes to the constant vigilance and intelligence sharing across the industry, which shine a light on attackers’ methods.
We most often attribute attacker motivation to return on investment. The return on phishing isn’t as good as it used to be. The more the enemy iterates, the more the defense adapts. And slowly, the enemy is funneled into a low or unprofitable attack vector. So, they scrap it and decide to find a new one. Right now, that vector seems to be SEO poisoning.
Countering Threats with Intelligence
While this tactic is not novel, the volume of activity we are seeing recently is shifting its importance. In a two-day span, our InfoSec team identified over 400 new domains related to this attack style and to the threat groups and malware that we track. We wrote about TA-505, a well-known attack group, in late 2020. At the time, we were tracking them in conjunction with an iteration of their “Get2” attack. They paused activity while building out a new means of attack, specifically changing from an HTML file to an embedded link for their delivery. When it showed up, we thankfully had the intelligence in place to see it right away and adapt our controls.
Today, TA-505 has changed course and is utilizing SEO poisoning. Thankfully, SEI keeps a repository of the group’s past malicious “fingerprints”: the domains and registry infrastructure it has utilized, which help us track its activity. Once we make the connection, we can write signatures against TA-505’s newest malicious tactics. Attacker OpSec failures leave them open to identification.
Protection against SEO attacks, in general, begins with good threat intelligence: blocking the known websites and domains associated with these attacks. Beyond that, network tools like traffic decryption/inspection, intrusion detection/prevention, and signature analysis can “see” the malicious download on its way in. If that fails and an endpoint agent is installed on that particular host, there’s a chance it will also see the threat. If both of these layers fail, hopefully the security program has that attack’s C2 signatures in its control set.
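As an added example (not code from the original post or from SEI), the following Python sketches the threat-intelligence and network-inspection layers described above: it parses constructed proxy log lines in a hypothetical format, flags requests to hosts that match an intel blocklist (matching subdomains, not bare string suffixes), and flags file downloads whose referrer is a search engine, the click-then-download chain that SEO poisoning relies on. The log format, domain list, search-engine list and MIME types are all assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical threat-intel blocklist (placeholder domains, not real IoCs).
INTEL_DOMAINS = {"free-templates.example", "bad-installer.example"}
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# MIME types that mean a file was fetched rather than a web page.
DOWNLOAD_TYPES = {"application/zip", "application/x-msdownload", "application/x-msi"}
# Hypothetical proxy log format: time client url referrer status content-type
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
FIELDS = ("time", "client", "url", "referrer", "status", "ctype")

def host_in_intel(host, intel=INTEL_DOMAINS):
    """True if host equals, or is a subdomain of, any intel-listed domain."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in intel for i in range(len(labels)))

def parse_line(line):
    """Parse one proxy log line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def classify(rec, intel=INTEL_DOMAINS):
    """Return the reasons a request looks like an SEO-poisoning chain."""
    host = urlparse(rec["url"]).hostname or ""
    ref_host = urlparse(rec["referrer"]).hostname or ""  # "-" gives ""
    mime = rec["ctype"].split(";")[0].lower()
    reasons = []
    if host_in_intel(host, intel):
        reasons.append("intel-listed domain")
    if ref_host in SEARCH_ENGINES and mime in DOWNLOAD_TYPES:
        reasons.append("file download straight from a search result")
    return reasons

def scan(lines, intel=INTEL_DOMAINS):
    """Run classify() over log lines; return (client, url, reasons) alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and (reasons := classify(rec, intel)):
            alerts.append((rec["client"], rec["url"], reasons))
    return alerts

# Constructed sample log lines (clients, hosts and times are placeholders).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 https://www.google.com/search?q=invoice+template - 200 text/html",
    "2024-05-01T10:00:04Z 10.0.0.5 https://cdn.free-templates.example/invoice.zip https://www.google.com/ 200 application/zip",
    "2024-05-01T10:01:10Z 10.0.0.7 https://docs.example.org/guide.html https://www.bing.com/ 200 text/html",
    "2024-05-01T10:02:00Z 10.0.0.9 https://mirror.example.net/setup.exe https://duckduckgo.com/ 200 application/x-msdownload",
]
```

Running `scan(SAMPLE_LOG)` yields two alerts: the zip fetched from an intel-listed subdomain straight off a search result, and the executable downloaded from an unlisted host via a search engine, which is the case the blocklist alone would miss.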
The attackers are iterating to maximize their opportunity set and minimize their investment using SEO poisoning. We are iterating with them. The game will never end.