
Search Engine Phishing: What It Is and How to Identify It

LastPass, September 04, 2024

Search engine phishing scams often seem innocuous at first.  

Picture this: You’re an employee at a manufacturing company. While browsing the web, you type in the phrase “transition services agreement” and click on one of the top results. Unbeknownst to you, the page runs a malicious script that records your IP address and then redirects you to a fraudulent page. 

There, you see a file called “accounting for transition services agreement” with a .js (JavaScript) extension.  

You open it. The file is Gootloader, a JavaScript malware loader, and it fetches a remote access trojan (RAT) onto your device. Your data is exfiltrated to a malicious command-and-control (C2) server – all without you being any the wiser. 

The above scenario isn’t fictitious. In 2022, threat actors leveraged this search engine phishing technique to steal sensitive info from manufacturing and governmental organizations. Since then, Gootloader has been reworked repeatedly, using heavily obfuscated JavaScript that signature-based security tools struggle to detect. 

Below, we reveal everything you need to know about search engine phishing and how you can avoid falling into its trap. 

What Is a Search Engine? 

A search engine is an online service that allows users to get information by typing in queries in a search box. For example, typing in the query, "What is a search engine?” on Google returns millions of results in the form of links, images, videos, and People Also Ask questions.  

Some queries can return rich results like knowledge panels that give you more information about your query. The search engine results page can also contain both organic and paid search results.  

Here’s how a search engine works: 

First, a crawler (also called a spider bot) fetches the pages of a website. This is called “crawling.” Once a site has been crawled, its pages are added to the search engine index. This library of crawled or discovered URLs is what Google uses to return relevant results to you when you type in a query. 

So, what determines SERP positions? It’s search engine algorithms. These algorithms consider 200+ ranking factors to decide the order of search results. In 2024, the top five most important ranking factors are high-quality content, backlinks, search intent & content relevancy, website loading speed, and mobile friendliness. 

Understanding Search Engine Phishing 

Definition and explanation of search engine phishing 

So, what is search engine phishing? 

Search engine phishing (also known as search engine poisoning or SEO poisoning) is a cunning form of cyber-attack in which fake websites are created to steal your credentials or payment details, or to deliver malware. Attackers may even manipulate the ranking algorithms of search engines such as Google or Bing so that their malicious sites appear at the top of search results – making you more likely to click on them. 

Imagine: you need ingredients to make one of these 50 famous international desserts. You can’t wait to tuck into the ultimate Southern coconut cake or a fresh new recipe like Cornes de Gazelle, a Moroccan pastry filled with orange blossom-scented marzipan.  

You search for “orange blossom water” and see that the top links are from Amazon and Martha Stewart. However, this key ingredient is pricey. A 4-ounce bottle of Nielsen-Massey orange blossom water retails for $13.49 on Amazon. 

You look for other alternatives and see a link offering a time-limited, substantial discount. Due to the FOMO (fear-of-missing-out) factor, you click on the link and quickly make a purchase. Within an hour, you get a call from your bank -- your credit card has been maxed out.  

Or perhaps you clicked on what you thought was a legitimate ad at the top of the search page – which redirected you to the discount website. The result is the same: you’re now out thousands of dollars for a 4-ounce bottle of orange blossom water.  

Welcome to the world of search engine phishing, where criminals use fake websites and social engineering tactics to steal your payment info. 

How search engine phishing can compromise online security 

In search engine phishing, poisoned sites can mimic the appearance of legitimate businesses.  

In 2022, threat actors used SEO poisoning to lure users to malicious websites, where they were tricked into downloading free productivity apps or software development tools. The victims received working copies of the apps but didn’t know their devices had also been infected with Batloader, a malware loader that drops its components to disk.  

In one stage of the chain, a malicious VBScript was embedded inside an otherwise legitimate DLL (Dynamic Link Library). The attackers then had mshta.exe, a built-in Windows utility designed to run Microsoft HTML Applications and a classic LOLBin (living-off-the-land binary), execute the script, which activated the next payload on the infected device. 

In a nutshell, the harmful code was hidden inside a file that looks legitimate and was run by a signed Microsoft binary that is present on every Windows machine. Because nothing obviously malicious is introduced – no unsigned executable, no file with a script extension – the activity blends in with normal system behavior, making it harder to detect with security software that relies on file signatures alone. 

In these campaigns, SEO poisoning was only the initial access step; the follow-on tooling was used to steal credentials, deploy ransomware, and escalate privileges inside target organizations. 
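Both delivery chains described above (the downloaded .js file run by a Windows script host, and mshta.exe executing script hidden in a non-.hta file) leave a distinctive shape in process-creation telemetry. The following is an added example, not code from LastPass or from any vendor: it scores Sysmon-style process-creation events against those two patterns. The field names, the sample paths, and the events themselves are constructed for illustration.

```python
"""Flag process-creation events that match two SEO-poisoning delivery chains:
a Windows script host (wscript/cscript) running a script from a user download
or temp folder (Gootloader-style), and mshta.exe running script that is not an
ordinary .hta application (Batloader-style).

Added example. The event dictionaries below are constructed, Sysmon-like
records (parent image, image, command line); they are not real telemetry."""

import re
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Folders where browser downloads and archive extractions typically land.
USER_DROP_DIRS = re.compile(r"\\(Downloads|Temp)\\", re.IGNORECASE)
# mshta accepts inline script via protocol handlers, e.g. mshta vbscript:Execute(...)
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)

# Constructed sample events (assumption: field names mirror Sysmon Event ID 1).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\accounting for transition services agreement.js"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup\helper.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe",            # benign logon script
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"parent": r"C:\Windows\explorer.exe",                # benign HTA console
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\console.hta"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe vbscript:Execute("x")'},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line, keeping double-quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches a known pattern, else None."""
    image = basename(event["image"])
    cmdline = event["cmdline"]
    args = split_cmdline(cmdline)[1:]  # drop argv[0]

    if image in SCRIPT_HOSTS:
        for a in args:
            if a.lower().endswith(SCRIPT_EXTS) and USER_DROP_DIRS.search(a):
                return f"script host {image} running downloaded script {basename(a)}"

    if image == "mshta.exe":
        if INLINE_SCRIPT.search(cmdline):
            return "mshta.exe executing inline script via protocol handler"
        for a in args:
            if a.startswith(("-", "/")):
                continue  # switches are not script targets
            if not a.lower().endswith(".hta"):
                return f"mshta.exe executing non-.hta file {basename(a)}"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Index and reason for every event that matches a pattern."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} (parent {basename(SAMPLE_EVENTS[idx]['parent'])})")
```

The two benign events (a logon script run from an administrative folder and a vendor .hta) pass untouched; the rule keys on where the script lives and what mshta.exe was asked to open rather than on the script host itself, which keeps false positives manageable in environments that legitimately use these tools.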

The potential risks and consequences  

The consequences of falling for a search engine phishing scam can be severe. In 2023, attackers used poisoned Google ads to steal information like saved browser passwords, cookies, Discord tokens, and cryptocurrency wallets from consumers. 

And in 2024, hackers are going for “Olympics gold” by using AI-generated content to push fraudulent sites to the top of online searches for “Paris games tickets.” 

Although the official site for tickets is tickets.paris2024.org, attackers have so far created a whopping 338 fraudulent Olympics ticket sites. The potential for financial losses is frightening to contemplate. 

How Does Search Engine Phishing Work? 

Techniques used by attackers in search engine phishing 

Attackers use several techniques to make their sites look legitimate. They may use domain spoofing or URLs that closely resemble those of trusted brands. Alternatively, they may use black-hat SEO tactics to push malicious sites into prominent positions in search results so you are more likely to click them. 

Some will even purchase ads to ensure their malicious sites appear at the top of search results. In April 2024, attackers paired typosquatted lookalike domains with paid search ads in a Google malvertising campaign.  

Unsuspecting users were redirected to sites masquerading as legitimate port scanning and IT management software such as Advanced IP Scanner, IP scanner PRTG, and ManageEngine. Ultimately, attackers leverage the trust you place in search engines and big-name brands to steal your identity and money. 

Common signs of search engine phishing attempts 

The three most common signs of search engine phishing attempts are: 

  • Unusual URLs that are slightly misspelled: Instead of google.com, you might see goggle.com
  • Inferior website quality: Strange layouts, grammatical errors, missing contact numbers & physical addresses, and poor site design should give you pause. 
  • Unrealistic offers: Time-limited deep discounts on pricey or hard-to-find items, of the kind described in the orange blossom water scenario above, are designed to rush you past the usual checks. 

Examples of search engine phishing 

Our favorite holidays are also a target for seasoned scammers who use search engine phishing to part shoppers from their money. 

According to the FBI’s holiday scam guidance, the scams that most often start from a search result or ad take the form of: 

  • Search engine ads promoting unrealistic discounts for brand-name items or hard-to-find items like event tickets and gaming systems 
  • Pet adoption ads from sellers unable to confirm through in-person or video meetings that the pets are real 
  • Social media posts offering gift cards, freebies, or vouchers 
  • Offers from seemingly trusted brands using generic or free email providers 
  • Scam charities masquerading as reputable organizations asking for donations in gift cards, Bitcoin, or cash 

The holiday rush often leads consumers to let their guard down, making them more susceptible to phishing websites and counterfeit offers.   

Recognizing Search Engine Phishing

Real-life scenarios of search engine phishing attacks 

Search engine phishing is often a vehicle to perpetrate other types of phishing attacks on unsuspecting users. Once a user clicks on a compromised search result, they may encounter the following: 

  • Clone phishing: The attacker creates an exact copy of a legitimate site to steal login credentials, bank account info, and credit card numbers 
  • Spear phishing: Scammers may use information gathered from social media sites or business websites to create highly targeted phishing campaigns. 
  • Smishing and vishing: Attackers may use information gathered from search engine phishing to perpetrate SMS-based (smishing) or voice-based (vishing) attacks on their victims. 

For example, a user types in a query like “What are the best online stock trading platforms in 2024?”  

They click on several sites at the top of the search results. Unbeknownst to them, one of the search results redirects them to a malicious site, where they are prompted to enter their phone number or contact info.  

Next, a scammer masquerading as a supposed representative from the online broker contacts the victim. 

The victim may get a call (vishing) or text (smishing), informing them that they need to “transfer money into a special account” or “safeguard their investments in a special vault” to get started.  

Scammers can also send visitors to fake versions of legitimate sites (for example through pharming, where a correctly typed address is redirected by tampering with DNS or a device’s hosts file), as in the case of Timothy, who visited what he believed was Microsoft’s official website.  

When he arrived at the site, his computer screen froze and became unusable. A supposed Microsoft support number was displayed on the screen, which Timothy called.  

A representative answered and claimed that Timothy had been hacked. He requested remote access to Timothy’s computer, which was provided. 

Once the attacker received remote access, he showed Timothy’s bank account on the screen – and warned that a transfer of $40,000 had been initiated to a Russian bank.  

To stop the transfer, Timothy was advised to “convert” his $40,000 into Bitcoin. He was told time was of the essence. Unconscionably, this attacker frightened Timothy into handing over $40,000 of his savings. 

So, search engine phishing attacks can take various forms and utilize different types of phishing.  

However, their intent is always the same regardless of the methods used: to steal credentials and payment info for financial gain. 

Identifying red flags and suspicious search results 

By now, you may be wondering, “How do I identify and avoid search engine phishing scams?” 

Below, we list the top red flags to watch for

Check the URLs of websites: Ensure the website address matches the official name of the business, and look at the part of the address just before the top-level domain; “paypal.com.secure-login.net” belongs to secure-login.net, not to PayPal.  

Look for HTTPS, but don’t stop there: A padlock icon only means the connection is encrypted; most phishing sites today also use HTTPS with a valid, freely issued certificate. Clicking the padlock shows which domain the certificate was issued to (and, for OV/EV certificates, the registered company name and country); check that this matches the business you expect, and treat a certificate issued only days ago for a “well-established” brand as a warning sign. 

Check to see how long the site has been active: Can you find any information on the Wayback Machine or Whois? A domain registered only days or weeks ago that claims to be a long-standing retailer or airline is a strong red flag.  

Research the site: Do a quick search for reviews on the site – have others reported the site as a scam on Reddit forums, Yelp, Google, or the Better Business Bureau? When reading reviews, be wary of too many positive or similar-sounding reviews. 

Double-check any phone numbers found during an online search: When Lydia’s Frontier Airlines flight was canceled, she did an online search and called the number that showed up in a link.  

However, the representative on the other end said she had to pay a $125 fee to get a replacement flight.  

Suspicious, Lydia examined her original flight confirmation email and noticed the differences in domain name and contact details. This saved her from being scammed out of $125 (or more). 
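The URL checks above (misspelled lookalike domains from the “common signs” list, a trusted brand used only as a subdomain, a missing HTTPS scheme, and a very recently registered domain) can be scripted. The following is an added example, not LastPass code: it audits a handful of constructed URLs against a constructed brand list and constructed WHOIS-style registration dates. The brand list, the registration dates, and the URLs are assumptions made for illustration, and the registrable-domain logic assumes a two-label suffix (a real implementation would consult the Public Suffix List).

```python
"""Score a URL for the search-engine-phishing red flags discussed above.

Added example. TRUSTED_BRANDS, SAMPLE_REGISTRATIONS and SAMPLE_URLS are
constructed test data, not real WHOIS records."""

from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlsplit

TRUSTED_BRANDS = ["google", "amazon", "paypal", "microsoft", "frontierairlines"]

# Characters and digraphs commonly swapped for visually similar ones.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed WHOIS-style creation dates (assumption, not real data).
SAMPLE_REGISTRATIONS: Dict[str, date] = {
    "goggle.com": date(2024, 8, 20),
    "paypal.com.secure-login.net": date(2024, 8, 28),
    "www.frontierairlines.com": date(2005, 1, 1),
}
TODAY = date(2024, 9, 4)  # fixed so the results are reproducible

SAMPLE_URLS = [
    "https://www.frontierairlines.com/",
    "http://goggle.com/login",
    "https://paypal.com.secure-login.net/verify",
    "https://rnicrosoft.com/support",
    "https://amazon-deals-outlet.shop/orange-blossom",
]


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'rnicrosoft' reads 'microsoft'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Assumption: two-label suffix (example.com). Use the Public Suffix List in production.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def url_red_flags(url: str, registered_on: Optional[date] = None,
                  today: Optional[date] = None) -> List[str]:
    flags: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not https")

    domain = registrable_domain(host)
    sld = domain.split(".")[0]           # "goggle" in goggle.com
    subdomains = host.split(".")[:-2]    # ["paypal", "com"] in paypal.com.secure-login.net
    norm = normalize(sld)
    for brand in TRUSTED_BRANDS:
        if sld != brand:                 # the genuine brand domain raises no name flag
            if norm == brand or edit_distance(norm, brand) <= 1:
                flags.append(f"lookalike of {brand}: {domain}")
            elif brand in sld:
                flags.append(f"brand {brand} embedded in unrelated domain {domain}")
        if any(brand in normalize(s) for s in subdomains):
            flags.append(f"brand {brand} used as subdomain of {domain}")

    if registered_on is not None:
        age = ((today or date.today()) - registered_on).days
        if age < 30:
            flags.append(f"domain registered {age} days ago")
    return flags


def audit(urls: List[str]) -> Dict[str, List[str]]:
    """Run url_red_flags over each URL, looking up its (constructed) registration date."""
    return {u: url_red_flags(u, SAMPLE_REGISTRATIONS.get(urlsplit(u).hostname or ""), TODAY)
            for u in urls}


if __name__ == "__main__":
    for url, flags in audit(SAMPLE_URLS).items():
        print(url, "->", flags or "no red flags")
```

The name checks are deliberately narrow (edit distance of one after homoglyph normalisation, or a whole brand name inside an unrelated label) so that ordinary words don’t trip them; the registration-age check is where most of the signal comes from in practice, which is why the Whois lookup above is worth the thirty seconds.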

How to Respond to Search Engine Phishing 

Immediate actions to take if you suspect search engine phishing 

Another popular question we’re asked on this topic is, “How can I protect myself from search engine phishing attacks?” 

Here are our best tips:  

  • Close the site immediately: Stop entering any more personal information and exit the website. 
  • Don’t open anything you downloaded: If the site handed you a file (an installer, a “document” with a .js or .vbs extension), delete it; if you already ran it, disconnect the device from the network and report it to your IT or security team. 
  • Notify your financial institutions: If you entered any payment info, immediately contact your bank or credit card company to report suspected fraud. 

Steps to report search engine phishing incidents 

According to the FTC, the most-impersonated brands in consumer fraud reports are Microsoft, Amazon, Best Buy, PayPal, and Publishers Clearing House. If you think you’ve been scammed by fake versions of these sites, you may be wondering, “How can I report a phishing site that appeared in search engine results?” 

Below, we list the best avenues to report your incident:  

  • FBI’s Internet Crime Complaint Center: You can report the cybercrime or incident on the complaint page. Be sure to read the Privacy Policy before proceeding. After clicking “I Accept,” you’ll be taken to a page to list the names of the victims and provide a description of the incident.  
  • Google Ads Report Form: If you believe a Google ad is a scam, use the Google Ads report form to alert the search engine. 
  • Federal Trade Commission: While your individual case can’t be resolved, your complaint is shared with 2,800 law enforcement agencies and can help bring cases against scammers who engage in unscrupulous schemes. 

Recovering from a search engine phishing attack 

Recovering after an attack may seem difficult, but here are key steps you can take to regain some measure of peace: 

  • Change your passwords: Update the passwords of any accounts that may be compromised. 
  • Monitor accounts: Keep an eye on your bank and credit card statements for unusual activity. 
  • Contact the site that was spoofed: You may want to contact the business that was spoofed. 
  • Scan the affected devices, then the rest of the network: Isolate any device that ran a downloaded file, then use endpoint protection to scan it and every other device for malware. 
  • Conduct a forensic analysis: Review firewall, web proxy, mail server, DNS, and endpoint (EDR) logs for suspicious activity, such as script hosts or mshta.exe launched shortly after a browser download. 
  • Hold employee meetings: Inform your employees of the breach and provide guidance on how to identify future search engine phishing attacks. 

How to Protect Yourself Against Search Engine Phishing 

Best practices 

Search engine phishing or SEO poisoning attacks are on the rise – and SMBs are in the crosshairs. Each cyber-attack costs an average of $25,000 for a small or medium-sized business. Despite this, only 14% of SMBs have adequate incident response systems in place.  

Below are some best practices you can implement straightaway to protect your business: 

  • Enable multi-factor authentication: This adds an extra layer of security to business and vendor accounts, so a phished password alone isn’t enough to log in. 
  • Implement proper authentication and authorization policies: This ensures your employees can only access what’s needed to perform their job functions, preventing privilege creep or excessive permissions. 
  • Keep software updated: Ensure your browser and security software are up to date. Be sure to back up your files so your data is accessible in the event of a phishing-ransomware attack. 

Using secure browsing habits to minimize the risk 

The explosion of remote work has turned browsers into a popular attack vector. With 62% of the workforce using unmanaged devices and 33% of all extensions posing a high risk, secure browsing habits are an important first line of defense. 

Published rankings of the most secure browsers for 2024 include Firefox, Microsoft Edge, Norton Private Browser, Chrome, Brave, and Pale Moon. Whichever you choose, keep it updated, leave its safe-browsing protection enabled, and when downloading software, skip the sponsored results and go straight to the vendor’s own site.  

Secure password management tools 

In a recent U.S. News survey of 2,000 consumers, 82% reported being concerned about their data security online.  

However, not everyone is alert to the dangers of search engine phishing: 39% said they relied on security software alerts to stay informed, 33% relied on online news, and 28% depended on TV, radio, or social media.  

Meanwhile, a whopping 20% admitted to ignoring the risks altogether. 

According to the U.S. News survey, one factor within our control is password management, which makes it more difficult for attackers to steal sensitive credentials. 

However, only 17% use a password manager that creates hard-to-break passwords. 

If data security risks are keeping you up at night, our industry-leading password vaults are like airtight safes for your online valuables.  

Most people don’t realize that our zero-knowledge security model means only you can decrypt your safe. No LastPass employees can access it, and your master password is never stored in the cloud. To protect your business, don’t wait to try LastPass Business for free today.