SEO Poisoning Brings Users to Attackers’ Doors

Author Avatar


Posted on November 28, 2023

Want to interview Leo?


The most common way to get malware onto user devices is via phishing attacks. In these attacks, an email that appears to come from a reputable company fools users into either opening an infected attachment or clicking on a link to an infected website.

But now, cybersecurity teams are seeing an increase in malware delivered via a different route: poisoned SEO searches.

With SEO poisoning, the attacker doesn’t need to bother crafting convincing messages that urge quick action or replicating company graphics or sending large numbers of emails to potential victims. Instead, for a new GootLoader malware variant, attackers plant their poison and wait for victims to bite.

What is an SEO Poisoned Search?

Every business that has a web presence – which is to say, almost every sizeable business today – wants to direct prospective customers to visit their website. Search engine optimization (SEO) is a set of techniques designed to help companies increase the likelihood of their website appearing close to the top of the results page when a user searches for relevant terms. SEO is a big business, since a high ranking can vastly increase the number of potential customers who visit a given site, rather than the many similar sites that appear further down on the results page – or even worse, on the 3rd, 4th or 5th page of results.

Long ago, threat actors realized that if they can get their malware-infected websites to rank highly for particular search terms, victims will come to them.

Of course, cybercriminals don’t generally achieve high SEO ranking by following legitimate techniques, such as having up-to-date, relevant content that readers find useful. They resort to “black hat” SEO techniques, techniques that are designed to fool Google and other search engines into finding the site more relevant than it really is. Black hat tactics violate search engine guidelines, and if – when — search engine operators discern that a site has been using black hat techniques it will be penalized.

Black hat SEO includes techniques such as:

  • Automated content. Search engines reward fresh content, so some scammers just have AI bots create new content with relevant keywords, regardless of whether it is any good.
  • Article spinning. Instead of creating new useful content of their own, they will take someone else’s article and change enough words to avoid being penalized for plagiarism.
  • Keyword stuffing. Throwing in any and all possible relevant keywords in hope of ranking well.
  • Link manipulation. There are many disreputable schemes for getting links to a site, such as link farms or paying for links, which can make it appear other sites find the content useful and the site to be reputable.
  • Users are shown content that is different than what is shown to the search engine, in order to make a site rank higher for search terms that have nothing to do with the actual content.

GootLoader and Poisoned SEO

Researchers from IBM X-Force recently discovered a new variant of the GootLoader malware, dubbed “GootBot” which facilitates lateral movement on a victim’s servers to enable malware delivery during late stages of an attack chain. GootBot makes it difficult to detect and block the next-stage malware downloads that GootLoader delivers.

GootLoader has been around since at least 2020. The US government Cybersecurity & Infrastructure Security Agency (CISA) listed it as one of the top malware strains of 2021. Initially, GootLoader served as the first stage of a system compromise but with GootBot, it has evolved.

In this newest approach, the GootLoader group uses poisoned SEO to promote results for sample documents that business users frequently seek, such as contracts, legal forms, and other business documents. When they click on the poisoned search link, users are directed to a compromised site that contains GootBot-infected files. Along with the document files – which they believe are clean business forms – users download an initial malicious payload, an obfuscated JavaScript file that spreads GootBot implants throughout the corporate environment. Each GootBot implant contains a unique C2 server, with each run from a hacked WordPress site.

Several law firms have been hit with REvil ransomware attacks that started out with poisoned SEO. In many cases, compromised sites delivering GootBot-infected business forms were the source, downloaded from compromised sites with black hat-boosted SEO rankings.

Protecting Against GootLoader and Other Poisoned SEO Attacks

Users often fail to detect attacks via poisoned SEO, since few people are even aware of the risk. By now, most people know that phishing is a danger, although plenty still succumb. But with poisoned SEO, there’s no unsolicited, high-pressure email. SEO poisoning victims simply click on a search result, something that most of us do tens of times each day, without a second thought. Anti-phishing training won’t help.

The best way to protect against this type of attack is with Zero Trust-based Remote Browser Isolation (RBI) that includes Content Disarm and Reconstruction (CDR).

RBI isolates users from websites and any malware they may contain. Website content is rendered by virtual browsers that are isolated in the cloud, “airgapping” browsers on the user device from active web content. Any malware launched by a user click runs harmlessly in the isolated container, since only clean rendering data is streamed to the user device. In the poisoned SEO case described above, when a user attempts to download a document file, Ericom Web Isolation applies CDR in the cloud to sanitize the file and remove any risky elements – such as the GootLoader malware – before the file is downloaded to the user device.

The same “airgap” technology can be used in reverse to protect websites and applications and prevent them from becoming hijacked as hosts for third party malware. Web Application Isolation (WAI) isolates your apps from potentially malicious content transfers from users and protects app surfaces from threat actors seeking vulnerabilities to exploit. It also applies granular controls to protect data and sensitive content from being edited, downloaded and/or exposed in any way.


Poisoned SEO is a particularly insidious delivery mechanism for malware because users are lulled into a false sense of security by the fact that the link appears high on the page of a legitimate search engine, as well as the fact that they choose to click.

A Zero Trust-based web access solution like RBI is the sole way to effectively protect against infected websites and weaponized downloads. Contact us to learn how to protect your digital assets with the state of the art in isolation-based cybersecurity.


Share this on:

Author Avatar

About Leo Versola

For over 25 years, Leo has executed on strategic business vision and technical leadership with a wide range of start-ups and established cybersecurity companies in various senior leadership roles. Leo’s expertise in enterprise, cloud and SaaS security enabled him to build and lead high-performance technical teams driving product development, technical innovation, and sales for a number of companies including VMware, Lastline, Zscaler, Barracuda Networks, Forcepoint, RedSeal Networks, Fortinet, Juniper, and NetScreen.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.