SEO Poisoning + Midterm Elections = Cybercriminals Paradise

Compromised websites focused on tomorrow’s midterm elections serve as the hunting ground for cybercriminals looking to take advantage of unsuspecting visitors.

Tomorrow’s U.S. midterm elections is of great interest to people of all political persuasions. With voters looking to research candidates, issues, and information on proposed local, county, and state amendments, websites with optimized content around relevant search terms are perfect platforms for cybercriminals to launch their malicious campaigns.

Called “SEO Poisioning”, cybercriminals have targeted over 10,000 sites, according to Zscaler’s ThreatLabZ research team, using over 15,000 keywords to identify those sites that are perfect as a potential target. With the vast majority running WordPress, it appears that attackers are leveraging a WordPress vulnerability to gain access to the sites. Attackers populate the website’s content with popular keywords in order to improve their search engine ranking, driving organic search traffic.

Compromised sites are being used to redirect visitors to webpages where scams, pornography, malware, and other undesirable content is promoted.

And the attackers are even more devious; their malicious code distinguishes between live users and crawlers (based on the user-agent HTTP header of the request), giving the crawlers appropriate political content and live users a series of redirects (to keep security crawlers from flagging the site as malicious) that eventually place them on the desired webpage.

This is just the latest example of SEO poisoning – attackers lever current trending topics, using this kind of attack relatively consistently.

Because of the tactics used, it’s impossible for organizations to rely on search engine results alone to keep users browsing to appropriate webpages. Security Awareness Training educates employees to recognize suspicious websites, redirects, and inappropriate content before clicking on malicious links and becoming a victim.