SEO Poisoning Attack Linked to 144,000 Phishing Packages – Security Boulevard


In a recent incident involving the NuGet, PyPI, and NPM package repositories, threat actors uploaded approximately 144,000 malicious packages containing links to phishing and scam websites. These packages were part of a BlackHat SEO / Search Engine Poisoning campaign, intended to manipulate search engine results and promote the ranking of the threat actors' scam pages by creating backlinks from trusted websites.
In this blog post, we will explore the details of this threat, analyze its intent, and provide guidance on how to protect your organization from similar attacks.
Search engine poisoning (also known as "malicious search results") is a technique used to inject spammy or malicious content into the search results of a search engine. One way this can be done is by creating backlinks from legitimate websites to malicious websites.
Backlinks are links from one website to another website. When a website has a lot of backlinks from other reputable websites, it can help improve its ranking in search engines. This is because search engines view backlinks as a sign of the website's popularity and relevance.
If a malicious actor creates backlinks from legitimate websites to malicious websites, it can trick search engines into thinking that the malicious website is more relevant or popular than it really is. This can cause the malicious website to rank higher in the search results and potentially trick users into visiting it.
There are many different tactics that hackers use to build SEO poisoning attacks.
Here are a few examples:
Keyword stuffing: This involves loading a website with keywords in an attempt to improve its ranking in search results. For example, a hacker may create a page filled with repetitive or irrelevant keywords in an attempt to rank higher for those terms.
Hidden text or links: This involves using text or links that are hidden from the user but visible to search engines. Hackers may use this technique to try to manipulate search engine rankings or to redirect users to malicious sites.
Cloaking: This involves showing different content to search engines and users. Hackers may use cloaking to try to trick search engines into ranking their sites higher or to redirect users to malicious sites.
Spam emails: Hackers may send spam emails that contain links to malicious sites or that encourage users to download malicious software.
Social media posts: Hackers may use social media to spread links to malicious sites or to trick users into clicking on links that lead to malicious sites. Protect your social media with Bolster.
Malvertising: This involves using a fake ad to spread malicious links or to redirect users to malicious sites. Hackers may use malvertising to try to infect users’ computers with malware or to steal sensitive information.
There have been many instances of real-life SEO poisoning attacks in the past. For example, in 2011, hackers used SEO poisoning to redirect users who searched for terms related to the Japanese earthquake and tsunami to malicious sites that contained malware. In 2013, hackers used SEO poisoning to redirect users who searched for terms related to the Boston Marathon bombings to malicious sites that contained malware. And in 2014, hackers used SEO poisoning to redirect users who searched for terms related to the Ebola virus to malicious sites that contained malware.
In this recent SEO poisoning attack, the threat actor published NuGet packages whose description files contained phishing links and keywords targeting brands. Threat actors posted over 136k malicious packages, targeting different video games, brands, and gift card stores. The intent of this campaign appeared to be to rank their phishing websites higher in search results when somebody searches for gift cards or for hacks for those games and brands.
For example, a user might search Google for hacks or cheat methods for their favorite video game, or for "gain followers on Instagram". Because of the search poisoning in this campaign, they would be shown the threat actor-controlled websites at the top of the search results.
Here's an example of what the process may look like:
This type of campaign primarily targets a younger, less tech-savvy audience who may take the promise of free followers, in-game currency, or gift cards at face value. Young people who are looking for ways to cheat in games may be more likely to click on these links.
Campaigns like this have been around for ages and will continue to happen in the future as well. NuGet package abuse was just one of the mediums that threat actors used as part of their Black Hat SEO techniques to poison search engine results. To neutralize such campaigns in the early stages and protect your brand and customers, proactive monitoring of your brand mentions and domain registrations, along with dark web monitoring, is key.
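One way to apply brand-mention monitoring to package registries is to triage package descriptions for the combination this campaign relied on: a brand keyword, lure wording, and a link to an unrelated site. The following is an added example, not code from the original post or from Bolster; the watchlist, lure terms, allowlisted hosts, and sample records are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed watchlist and lure vocabulary; tune both for your own brands.
WATCHED_BRANDS = {"instagram", "examplegame"}
LURE_TERMS = {"free", "hack", "cheat", "generator", "followers", "gift card", "unlimited"}
# Hosts a legitimate package for the brand would plausibly link to (assumed).
ALLOWED_HOSTS = {"instagram.com", "github.com", "nuget.org", "pypi.org", "npmjs.com"}

URL_RE = re.compile(r"https?://[^\s<>()\[\]]+", re.IGNORECASE)


def external_hosts(text):
    """Return hosts linked from the text that are not on the allowlist."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        # Accept an allowlisted host and any of its subdomains.
        if host and not any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS):
            hosts.add(host)
    return hosts


def score_package(pkg):
    """Score one package record (dict with 'name' and 'description')."""
    text = f"{pkg['name']} {pkg['description']}".lower()
    brands = sorted(b for b in WATCHED_BRANDS if b in text)
    lures = sorted(t for t in LURE_TERMS if t in text)
    hosts = sorted(external_hosts(pkg["description"]))
    # Flag only when all three signals appear together; a brand name or an
    # external link on its own is normal for legitimate packages.
    flagged = bool(brands and lures and hosts)
    return {"name": pkg["name"], "brands": brands, "lures": lures,
            "hosts": hosts, "flagged": flagged}


# Constructed sample records, not real packages.
SAMPLE_PACKAGES = [
    {"name": "free-instagram-followers-generator",
     "description": "Get FREE Instagram followers 2023! Click https://promo.example.net/ig now"},
    {"name": "instagram-api-client",
     "description": "Typed client for the API. Docs: https://github.com/example/instagram-api-client"},
    {"name": "leftpad-utils", "description": "Pads strings. https://blog.example.org/leftpad"},
]


def scan(packages):
    """Return the score records of packages that should go to a human reviewer."""
    return [r for r in map(score_package, packages) if r["flagged"]]
```

The matching is plain substring search, so treat flagged records as a review queue rather than a verdict.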
If you're trying to monitor & protect your brand from such campaigns, get a demo of Bolster here.
*** This is a Security Bloggers Network syndicated blog from Bolster Blog authored by Nikhil Panwar. Read the original post at: