April 28, 2022by Adi Bleih

How cyber attackers use black hat SEO to gain access to information

The pace of technological advancement has also created a culture of instant gratification, with internet users expecting instant response times, rapid results to our web-based queries, and information that is gathered per our requests in the blink of an eye.

Learn more: Why Darkfeed is the last threat intelligence feed you’ll ever need

When searching for information on a particular topic or field, the immediate go-to is usually top search engines like Google or Bing. Once the search results have loaded, the typical user generally clicks on the first few links, assuming that these are the most relevant sources. Herein lies the problem: how can we be confident that our search results are trusted, accurate, and appropriately ranked according to relevance? More importantly, can the results be manipulated? The answer to the latter, unfortunately, is a resounding YES.

SEO (Search Engine Optimization) has been around since the early days of the internet and is still very much in use today. SEO is increasing a website’s organic traffic and visibility by improving its ranking on search engines when people search for information, products, or services. The higher the page is ranked within search results, the more “clicks” that link is likely to get – and as a result, attract more prospective and existing customers to the business.

Anyone can manipulate SEO by utilizing certain keywords and hyperlinks in online content. With these tactics and several other methods, users can artificially climb to the top of the list and secure a higher ranking for their business in search results. While this is a common practice, employed ethically by benign users simply trying to gain better visibility for their growing business through approved optimization methods (White Hat SEO). Unfortunately, cybercriminal threat actors also manipulate search engine algorithms for malicious purposes. This abuse of the search engine results page (SERP) for malicious means is known as “Black Hat SEO,” involving the use of disapproved and exploitative techniques to corrupt the search results - usually at the expense of another, legitimate site.

Black Hat SEO involves a set of practices that directly violate the search engine’s terms of service, manipulating the algorithm to doctor website ranking performance. These tactics are highly exploitative and deceptive, and when detected, they generally result in heavy penalties and downgraded website rankings. Sometimes, the website in question may be entirely delisted from the search engine.

Black Hat SEO tactics are commonly used to boost the ranking of fraudulent phishing sites, helping these scam pages rank higher than the legitimate site they seek to impersonate. Naturally, new phishing sites are swiftly detected by anti-virus and other scanners and only last for a few days online before they are removed. However, though these sites may not stay up for long, by using Black Hat SEO tactics, threat actors can significantly bump their site’s position in search engines, baiting as many victims as they can in this short period of time to click on the malicious link – exposing their sensitive data, login credentials, and personally identifiable information, to theft. To evade detection and removal by search engine crawlers, cybercriminals employ a range of Black Hat SEO tactics to extend the shelf-life of their fake sites.One of the most popular methods is cloaking, a “bait-and-switch” displaying different content to users and search engines. Another tactic is a redirect, sending users to a different URL than the one they initially clicked on. Some cybercriminals have even moved to take advantage of search engines’ scrupulous anti-hacking measures, simulating a “this site may be compromised” alert when users click to visit a legitimate site, with a redirect link leading to the actual phishing page. If you can’t beat ‘em, join ‘em.

Threat actors are known to exploit legitimate techniques to their advantage, turning innocent best practices into malicious campaigns. SEO is no different, with cybercriminals abusing legitimate optimization techniques to improve the believability of their phishing sites — boosting the site’s ranking in search engines to maximize incoming traffic.

Learn more: Threat intelligence technology that's continuous, fast, iterative, and smart

Black Hat SEO poses a significant threat, manipulating the user experience as they innocently navigate their everyday internet activities. By abusing the most reputable trusted sources, threat actors are able to dupe their victims into opening malicious links, thereby compromising their devices and accessing sensitive information, from their private communications to their financial account data. From this beachhead, cybercriminals may be able to gain access to other logged-in accounts, infiltrate corporate networks, and cause wide-reaching disruption and damage.

The primary application of Black Hat SEO techniques is to evade anti-phishing protective mechanisms. By improving the page rank of the malicious site, attackers hope for it to slip undetected past even the best defenses. Thus, the best practices to avoid falling victim to Black Hat SEO methods are:

Security teams must stay abreast of the trending tactics, tools and procedures on the cybercriminal underground, and are encouraged to monitor deep and dark web forums and markets for SEO and phishing related discourse, to facilitate preemptive security protocols.

Educate employees to be vigilant before clicking on a suspicious link, even if the link has appeared on trusted search engines such as Bing, Google or Yahoo. 

Follow anti-phishing best practices – 

Even a top-tier anti-phishing system might mistakenly approve of a malicious site, and therefore on the individual level, users must be educated on phishing schemes--what they are, how to discern a potential phishing email/site, and what steps one must take in the event of a phishing attack. 

On the organizational level, security teams must continuously detect and block malicious sites and domains, monitor suspicious communications sent from unknown sites to the internal network, and ensure that  employees are well aware of social engineering tactics and attacks.

Ultimately, companies need to instill cybersecurity best practices across the organization and convey these guidelines to employees, partners, and customers alike, ensuring all are aware of potential risks, even when using the most trusted search engines.

Cybersixgill automatically aggregates data leaks and alerts customers in real time.

Learn More

You may also like


June 26, 2023

Preemptively Prevent Initial Access Compromise with Cybersixgill's Darkfeed

Read more

January 23, 2023

Threat actor auctions access to four e-commerce sites

Read more

August 10, 2022

Initial access broker claims to sell access to “central bank” and its SWIFT account for $500,000

Read more