Cybercriminals are using popular Search Engine Optimization (SEO) methods to improve the rankings of their phishing sites, and it seems to be working rather well.
According to a new report from security service edge provider, Netskope, phishing downloads of malicious PDF (opens in new tab) files rose 450% in the last 12 months, and SEO tools are partly to “blame”.
SEO is a practice in which the contents of specific websites are optimized in such a way that search engines are better able to index, and track them. If these websites check all the right boxes during indexing and tracking, they’ll appear higher on search results pages - an endeavor seen as the “holy grail” of digital marketing.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
Phishing is not reserved for emails
Optimizing website content for search engines means doing a number of things, from ensuring the right content length, to having the proper keywords, enough inbound and outbound links, to tweaking metadata for all the multimedia content. Then, there are things like content-to-ad ratio, cumulative layout shift, and a myriad of other things.
Those that “nail” it, get rewarded by having their websites appear higher on search results pages.
Phishing is not a novel practice. It’s been around since the dawn of the internet, and its premise is simple - trick the victim into giving away sensitive information - be it passwords, or personally identifiable data, or into downloading viruses and malware.
But phishing has almost always relied exclusively on email and social media channels. Victims would receive a seemingly innocent email or private message, from someone either posing as a well-known brand, their co-worker, or otherwise a person of interest.
> What is phishing and how dangerous is it? (opens in new tab)
> Another top NFT company has been hit by a phishing attack (opens in new tab)
> T-Mobile sounds the alarm over unblockable SMS phishing attacks (opens in new tab)
That message would carry a link, or an attachment, which would compromise the victim’s endpoint (opens in new tab) in one way or another.
Being a popular practice among crooks, most businesses have trained their staff to spot when they receive a phishing attack in their inbox. The training, however, usually doesn’t cover search engines.
“People know they should be wary of clicking on links in email, text messages, and in social media from people they don’t know. But search engines? This presents a much harder challenge.” said Ray Canzanese, director of Netskope’s Threat Labs.
“How does the average user differentiate between a “benign” search engine result and a “malicious” search engine result? From an enterprise perspective, this underscores the importance of having a web filtering solution in place,” Canzanese said.
The best way to defend against SEO-optimized phishing attacks is to deploy a solution that decrypts and scans web traffic for malicious content, Canzanese concluded.
- Defend from phishing attacks, in emails or otherwise, with the best firewalls around (opens in new tab)
Via: VentureBeat (opens in new tab)