Search engine criminalisation: SEO poisoning campaign exposed
Scammers are buying up dodgy websites on underground marketplaces to manipulate search rankings and lure victims onto malicious pages.
Search engine optimisation pirates have been caught running an SEO poisoning campaign designed to push booby-trapped malicious pages to the very top of search rankings and persuade victims to click on them.
Netcraft, a London-based security firm, exposed a network of compromised websites that are manipulated to boost malicious URLs.
This shadowy scam ring is fuelled and enabled by an underground crime-as-a-service marketplace which lets bad guys buy access to thousands of compromised websites.
We have decided not to name the websites and companies at the heart of this campaign because, well, we are a small, new site and don't want to get sued by blackhat SEO gangs.
But rest assured that the identity of these SEOutlaws has been uncovered in the original research.
Darkside SEO
Criminals can either buy and take control of prefab criminal websites or insert links to phishing and illicit pages into the source code of compromised legitimate domains.
These links use specific keywords so that people are served links to attacker-controlled websites during searches.
"The injected content is subtle, often invisible to site owners or casual visitors, but highly effective at influencing Google’s PageRank system," wrote Andrew Sebborn, a Netcraft cybercrime analyst.
Threat actors use websites with a high reputational value, such as .gov, .edu, and country code top-level domains (ccTLDs), which improve the credibility of their malicious content.
READ MORE: Scattered Spider moves on from retail, sinks its fangs into insurance
These ccTLDs are highly effective SEO tools because Google prioritises them in searches from a specific country.
"Therefore, the malicious site is effectively inheriting some of that favourable ranking just by linking to it," Sebborn added. "While legitimate SEO is a cornerstone of digital marketing, the techniques used here cross into fraud, with fake pharmacies, adult content, and phishing pages all benefiting from artificially elevated visibility.
"Particularly concerning is the targeting of online casinos, with organised groups... offering services to manipulate SEO rankings for phishing and fraud."
What Is SEO Poisoning?
This is a subtle but highly effective way to rig search rankings.
"SEO poisoning is a form of search engine manipulation that promotes malicious or fraudulent websites by exploiting the ranking systems of platforms like Google," Sebborn explained.
"By compromising legitimate websites and injecting specially crafted content, attackers can redirect search traffic to harmful destinations—all while maintaining the appearance of legitimacy. Unlike traditional defacement attacks, which make the intrusion obvious, SEO poisoning operates covertly; the compromised sites often look entirely normal to the human eye."
The hidden content is typically code secretly stuffed with links to malicious domains and keyword-packed anchor text. Search engine crawlers read this content, follow the links and interpret the compromised site as having an endorsed relationship with the linked malicious domains - artificially improving the search ranking of the attacker's sites and sometimes placing them above legitimate results.
READ MORE: Google reveals how Service Control foul up caused mega-outage that brought down the internet
Bad actors can browse and purchase access to already compromised websites on illicit marketplaces. They can select keywords and URLs to be injected, with prices often starting at just $1 per listing, though domains with stronger reputations, such as those ending in .gov, may cost more.
Once a listing is selected, the marketplace automatically injects the necessary JavaScript into the compromised site. This code typically contains links to multiple external pages - some of which may appear legitimate - while others lead directly to phishing, malware or scam operations.
"These malicious sites are often designed as exact copies of legitimate domains," Sebborn warned. "This is an effective, scalable, and dangerous strategy for phishing."
When clicking on websites becomes a game of Russian roulette
One example of how this website has been used is to target the gambling sector in Turkey so that people who search for online casinos are directed to dangerous websites. Operators of the online marketplace claim to have access to more than 15,000 compromised websites for use in these campaigns, although the number they control may be significantly higher.
"This campaign highlights the growing sophistication of cybercriminals who are not just attacking networks but manipulating ecosystems," Sebborn said. "SEO poisoning blends web compromise with psychological manipulation and search engine exploitation, creating a multifaceted threat.
READ MORE: Cops seize Archetyp, arrest bosses of "longest-standing" dark web drug marketplace
"Brands face reputational risk when their domains are hijacked to boost criminal operations. Users face exposure to scams, phishing, and malware. Defenders must now consider this SEO manipulation and SERP-based attack vector as part of the broader threat landscape."
"For industries like online gambling, where trust and brand integrity are paramount, the consequences can be severe. This is applicable to other industries which may rely on search engines for their site to be discovered, such as banking, fundraising, and cryptocurrency trading. With cybercriminals now using this technical capability now, any industry could and will likely be targeted by these sophisticated criminal lures."
Do you have a story or insights to share? Get in touch and let us know.
