Since the beginning of computers, social engineering has been the number one way that computers and networks have been compromised. Social engineering is involved in 70% to 90% of all successful data breaches.
Nothing else is even close: unpatched software and firmware are involved in 33% of successful attacks, and everything else is 1% or less.
Most of that social engineering comes from email phishing, but there are many other types of social engineering using any medium that allows two people to communicate, including in-person, phone calls, SMS messages, instant messaging, social media, websites and more. When you are trying to decrease human risk by making people aware of social engineering, you have to educate them about more than email phishing.
There are many phishing avenues that remain under-reported by organizations. This post is about one of those under-reported phishing techniques.
For decades, malicious hackers have used our search engines against us. Search engines are really quite remarkable. They search billions and billions of web pages and track people to see where they go when typing in particular searches. If you have been around as long as I have, since the days of “Archie” and “Veronica” servers, you understand the advantage that today’s search engines offer. They complete our searches, correct our typos and try to guess what we will type next.
I am anticipating the day when our search engines will just have the answer waiting for us before we type anything. The accompanying ads seem to already be listening in as we speak to friends.
Search Engine Optimization
Today, any website that hopes to be popular has to design itself with search engines in mind. Not only does it have to have the right URL, name and content, but it must also contain dozens to thousands of “seeded” words and clues that our search engines “see” to help encourage higher placement in the search engine’s results.
As a crude example, a website trying to sell kittens not only has to have lots of pictures of kittens on its website, but also have the word "kitten" and all different types of kittens (say "calico," "Persian," "Siamese" and "American shorthair") sprinkled all over the website. Most of the time, the user does not visibly see all these seeded words, but search engines do when “crawling” the sites. The more keywords a website has toward its goal, the better. The more often a search engine sees a user clicking on a particular website for a particular subject (e.g., kittens), the higher the site will be ranked in the search results.
All website designers understand this and try to create a website that is highly ranked by search engines, which has created a specialty skill known as search engine optimization (or SEO). It is not enough to create a great website, it has to be designed with SEO. No one wants to spend hours to months of time creating a great website that no one comes to.
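As an added illustration (this is not code from the original post), the hidden “seeded” words described above can be audited from the defender’s side: a site owner can separate the text a visitor actually sees from text hidden with inline CSS and compare keyword density in each, which is a quick way to spot keyword stuffing, whether their own or injected into a compromised page. The sample page, the keyword list, the `audit_page` function and the hidden-style heuristics (display:none, visibility:hidden, zero font size, large negative offsets) are all constructed for this example.

```python
"""Hidden-keyword audit for a single HTML page (constructed example)."""
import re
from collections import Counter
from html.parser import HTMLParser

# Inline-style patterns that typically hide text from a human visitor
# (heuristic list assumed for this example, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
    r"|(?<![\w-])(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
NON_TEXT_TAGS = {"script", "style", "head", "title", "noscript"}  # never rendered as body text
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}          # no closing tag, no nesting
WORD = re.compile(r"[a-z][a-z'-]+")


class TextSplitter(HTMLParser):
    """Collects visible and hidden text runs separately while parsing."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []  # one state per open element: "visible", "hidden" or "skip"

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        parent = self._stack[-1] if self._stack else "visible"
        style = dict(attrs).get("style") or ""
        if parent == "skip" or tag in NON_TEXT_TAGS:
            state = "skip"
        elif parent == "hidden" or HIDDEN_STYLE.search(style):
            state = "hidden"  # children of a hidden element are hidden too
        else:
            state = "visible"
        self._stack.append(state)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        state = self._stack[-1] if self._stack else "visible"
        if state == "hidden":
            self.hidden.append(text)
        elif state == "visible":
            self.visible.append(text)


def keyword_density(texts, keywords):
    """Fraction of words in `texts` that are in `keywords`, plus per-keyword counts."""
    words = WORD.findall(" ".join(texts).lower())
    hits = Counter(w for w in words if w in keywords)
    return (sum(hits.values()) / len(words) if words else 0.0), hits


def audit_page(html, keywords, threshold=0.3):
    """Report visible vs hidden keyword density; flag keyword-heavy hidden text."""
    parser = TextSplitter()
    parser.feed(html)
    parser.close()
    kws = {k.lower() for k in keywords}
    vis_density, _ = keyword_density(parser.visible, kws)
    hid_density, hid_hits = keyword_density(parser.hidden, kws)
    hidden_words = len(WORD.findall(" ".join(parser.hidden).lower()))
    return {
        "visible_density": round(vis_density, 3),
        "hidden_density": round(hid_density, 3),
        "hidden_word_count": hidden_words,
        "hidden_keyword_hits": dict(hid_hits),
        # A few hidden words are normal; a large, keyword-dense hidden block is not.
        "suspicious": hidden_words >= 10 and hid_density >= threshold,
    }


# Constructed sample page: the kitten shop from the text, with two hidden keyword blocks.
SAMPLE_PAGE = """<html><head><title>Kittens for sale</title></head><body>
<h1>Our kittens</h1>
<p>We have three litters ready for new homes this spring.</p>
<img src="kitten.jpg"><br>
<div style="display:none">kitten kittens calico kitten persian kitten siamese
kitten american shorthair kitten cheap kitten buy kitten kitten</div>
<p style="position:absolute; left:-9999px">kitten calico siamese persian kitten</p>
<p>Contact us to arrange a visit.</p>
</body></html>"""
KEYWORDS = ["kitten", "kittens", "calico", "persian", "siamese", "american", "shorthair"]

if __name__ == "__main__":
    print(audit_page(SAMPLE_PAGE, KEYWORDS))
```

On the sample page the visible text is about 6% keywords while the hidden text is about 90% keywords across 21 hidden words, so the page is flagged. Run against a real site, the interesting output is a hidden block you did not write.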
Malicious SEO
Well, of course, malicious hackers do not want to be left out. Hundreds of thousands of malicious websites are designed with SEO in mind. They want to make it so that when you search on something fairly common, say a Microsoft Windows error message or a car repair manual, you will end up at their malicious website and be tricked into clicking on their links and downloading their fake content. It is officially known as SEO poisoning.
And they are quite good at it. Millions of unsuspecting victims type one or more keywords into their favorite search engines and unknowingly get delivered malicious websites in the top search results. Most people seeing the top-ranked results have no clue that Google, Bing, or whatever search engine they are using is accidentally delivering malicious websites for them to click on.
Sometimes bad actors buy ads for placement on search engines (which allow them). This is officially known as malvertising. Either way, users are presented with what they think is a legitimate website that is going to solve their problem, but instead it is a malicious site that is getting ready to become a source of their biggest problems for weeks to come.
Many millions of people are infected with malware that arrived through SEO poisoning. Here is an example of common malware that is delivered through SEO poisoning: Gootloader.
Red Canary’s description of Gootloader includes this:
“…they [Gootloader detections] almost always happened after victims accessed compromised websites that claimed to offer information on contracts or other legal or financial documents. Victims were likely directed to these sites after initiating queries in common search engines with keywords such as “agreement,” “contract,” and the names of various financial institutions.”
Many other popular malware programs, each of which has infected many millions of devices, spread using SEO poisoning. Which search terms bring back the fake websites depends on the malware involved and the time. Malicious websites can be unknowingly returned when searching for any popular term, including AI, software, development and error fix. Here is a good article on different malware programs and their SEO approaches.
This is to say that while email phishing is still the most likely way someone will be compromised, there are many other attack methods that, although less common, are still widely used. SEO poisoning is one of the most common of these.
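The Red Canary description quoted above gives defenders a chain to look for: a search engine query, a click-through onto a site that ranked for it, and then a file download from that site shortly afterwards. As an added example (not from the original post, from Red Canary, or from any Gootloader write-up), the rule below replays web proxy log lines per client and raises an alert when a site reached from a search results page serves, or is the referrer for, a script or archive download within a short window. The log format, the IP addresses and domains, the list of search engine hosts, the ten-minute window and the list of risky file extensions are all constructed assumptions; the page does not state which file type any particular malware uses.

```python
"""Search-to-download correlation over web proxy logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed referrer hosts that indicate a click on a search results page.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}
# Assumed file types worth alerting on when they follow a search click-through.
RISKY_SUFFIXES = (".zip", ".js", ".jse", ".vbs", ".hta", ".iso", ".msi", ".exe")
WINDOW = timedelta(minutes=10)  # how long after the click-through a download still counts

# Constructed log lines: time | client | requested url | referer ("-" if none)
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 https://www.google.com/search?q=lease+agreement+template -
2024-05-01T09:00:07 10.0.0.5 https://legal-forms.example.net/lease-agreement/ https://www.google.com/
2024-05-01T09:00:40 10.0.0.5 https://legal-forms.example.net/download/lease_agreement_12345.zip https://legal-forms.example.net/lease-agreement/
2024-05-01T09:05:00 10.0.0.9 https://www.bing.com/search?q=kitten+adoption -
2024-05-01T09:05:09 10.0.0.9 https://shelter.example.org/kittens https://www.bing.com/
2024-05-01T09:06:00 10.0.0.9 https://shelter.example.org/photos/cat.jpg https://shelter.example.org/kittens
2024-05-01T11:30:00 10.0.0.7 https://updates.example.com/tool.zip -
"""


def parse_line(line):
    """Split one space-separated log line into the fields the rule needs."""
    ts, client, url, referer = line.split()
    parsed = urlparse(url)
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "host": parsed.netloc.lower(),
        "path": parsed.path.lower(),
        "url": url,
        "referer_host": urlparse(referer).netloc.lower() if referer != "-" else "",
    }


def correlate(lines):
    """Return alerts for risky downloads from sites a client reached via a search engine."""
    landed = defaultdict(dict)  # client -> {site host: time of the search click-through}
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Stage 1: the client clicked a search result and landed on some site.
        if ev["referer_host"] in SEARCH_ENGINES:
            landed[ev["client"]][ev["host"]] = ev["time"]
            continue
        # Stage 2: a risky file type served by, or referred from, a recently landed-on site.
        if not ev["path"].endswith(RISKY_SUFFIXES):
            continue
        for site in (ev["host"], ev["referer_host"]):
            t0 = landed[ev["client"]].get(site)
            if t0 is not None and timedelta(0) <= ev["time"] - t0 <= WINDOW:
                alerts.append({"client": ev["client"], "site": site,
                               "download": ev["url"], "time": ev["time"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['client']} landed on {alert['site']} "
              f"via search, then fetched {alert['download']}")
```

On the sample log only the first client trips the rule: the search for a lease agreement template, the click onto the legal-forms site, and a .zip from that site 33 seconds later. The second client's search ends in a .jpg and the third client's .zip was not preceded by a search click-through, so neither is alerted. The point of keying on the referrer chain rather than on the downloaded domain is that the sites in this chain are usually otherwise legitimate, so a domain reputation list alone will not catch them.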
You must educate yourself, your co-workers, and your family about SEO poisoning attacks. Let them know that what is returned in search engines is not always trustworthy. In fact, it is often the opposite of trustworthy. The search engines are always trying to fight SEO poisoning, but it is often a losing battle. As in many things, buyer... or searcher... beware.
Want to stop nearly all malware attacks? Educate yourself and coworkers about all types of social engineering attacks. Email phishing is not your only worry.