CyberSecurity Malaysia (MyCERT) Advisory - SEO Poisoning Attack

1.0 Introduction
CyberSecurity Malaysia, through the Cyber999 Incident Response Centre, has received incidents regarding cyber campaigns related to SEO poisoning and web shells. SEO poisoning is a tactic which cybercriminals employ to manipulate search engine rankings, making malicious websites appear at the top of search results. These deceptive sites are designed to lure unsuspecting users into clicking on them, often leading to malware infections, credential harvesting, financial fraud, the spread of misinformation, or damaging reputations. Threat actors achieve this by exploiting search engine algorithms and inserting harmful content that masquerades as legitimate information or popular searches.

Another common attack vector is web shells—malicious scripts uploaded to compromised web servers. Web shells grant attackers ongoing access to the server, allowing them to execute arbitrary commands, manipulate files, or even launch additional attacks. These threats can severely undermine the security and availability of websites and online services. 

2.0 Impact
SEO poisoning and web shell attacks can lead to severe consequences, such as data breaches, security vulnerabilities, malware propagation, theft of sensitive information, lower search engine rankings, damaging backlinks, reputational harm, and potential legal ramifications.

3.0 Affected system/product/version
Web servers operating on platforms like Windows, Linux, and XAMPP, along with Content Management Systems (CMS) such as Laravel, WordPress, Joomla, and Cold Fusion, are susceptible to SEO poisoning and web shell attacks. These vulnerabilities can result in significant security breaches and data compromises, making it critical to secure these systems effectively.

4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review and apply the necessary security best practices below:

To protect against SEO poisoning, it’s essential to implement robust security practices. Here are some key best practices:

• Regular Website and Plugin Updates: Ensure your website’s content management systems (CMS), plugins, and themes are regularly updated to the latest versions. Cybercriminals often exploit outdated software with known vulnerabilities to launch SEO poisoning attacks.
• Secure Your Website with HTTPS: Implement SSL/TLS certificates to secure your website with HTTPS, providing encryption for data exchanged between your site and users. Search engines favour HTTPS sites, improving your rankings and trustworthiness.
• Use Strong Authentication and Access Controls: Implement multi-factor authentication (MFA) for all admin accounts and restrict access to sensitive areas of your website. Enforce strong password policies to reduce the risk of unauthorized access.
• Monitor for Suspicious Activity: Set up logging and monitoring to detect unusual activity on your website, such as unexpected changes in content or an influx of spammy backlinks. Early detection can prevent SEO poisoning before it spreads.
• Implement Web Application Firewalls (WAF): Deploy a WAF to filter and block malicious traffic from reaching your web servers. This helps prevent the injection of malicious SEO content or web shells.
• Regular Backups: Perform regular backups of your website and database. In the event of a compromise, you can restore your site to a clean state without significant data loss.
• Validate User Input: Ensure your website correctly validates all user input, preventing attackers from injecting malicious scripts that could lead to SEO manipulation or code execution.
• Scan for Malware and Vulnerabilities: Use automated tools to regularly scan your website for malware, vulnerabilities, and harmful content that could be exploited for SEO poisoning.
• Monitor Backlinks and Search Engine Listings: Regularly review your website's backlinks and search engine listings to detect any signs of black hat SEO techniques, such as links to spammy or malicious sites.
• Engage in Ethical SEO Practices: Follow white-hat SEO practices and avoid shortcuts like buying links or engaging in keyword stuffing. Ethical SEO builds long-term resilience against manipulative tactics used in SEO poisoning.
• Limit File Uploads: Restrict or thoroughly scan any file uploads to prevent attackers from uploading web shells or malicious files that can be used for SEO poisoning.
• Educate Your Team: Train your web admins and employees to recognize signs of an SEO poisoning attack and to follow security protocols that mitigate the risks of such attacks.

For further enquiries, please contact the Cyber999 Incident Response Centre through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 08:30 -17:3the 0 MYT 
Web: https://www.mycert.org.my

7.0 References

• https://www.crowdstrike.com/cybersecurity-101/attack-types/seo-poisoning/
• https://www.hhs.gov/sites/default/files/june-2023-seo-poisoning-analyst-note-tlpclear.pdf
• https://www.memcyco.com/home/what-is-seo-poisoning/
• https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/
• https://www.cyfirma.com/research/beyond-search-results-deconstructing-seo-poisoning-technique-safeguarding-measures/
• https://www.vectra.ai/topics/seo-poisoning
• https://www.reliaquest.com/blog/seo-poisoning/
• https://www.bleepingcomputer.com/news/security/hackers-exploit-14-year-old-cms-editor-on-govt-edu-sites-for-seo-poisoning/