SEO Poisoning Attacks on Healthcare Sector Rising, HHS WarnsSearch Scams Luring Users to Malware-Infected Sites Are Often Tricky to Detect
Search engine optimization poisoning attacks, which involve intentionally manipulating search results to lead users onto malware-laced websites, are on the rise in the healthcare sector, U.S. federal regulators warn.
SEO poisoning is a type of malicious advertising that can result in credential theft, malware infections and financial losses. This type of attack has been used "recently and frequently" against the U.S healthcare and public health sector, warned the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert issued Thursday.
Threat actors behind SEO poisoning campaigns manipulate search engines such as Google so that the first advertised links actually lead to attacker-controlled sites, "generally to infect visitors with malware or to attract more people using ad fraud," according to HHS HC3. Healthcare entities are becoming a more frequent target for such attacks as the sector continues to become increasingly digitized, the alert said.
But it's not just U.S. healthcare organizations that have been targeted with such attacks. Researchers at Trend Micro reported in January that the criminal group behind Gootkit malware attacks had been leveraging SEO poisoning to attack the Australian healthcare industry during the second half of 2022 (see: Gootkit Malware Found Targeting Australian Healthcare Sector).
The healthcare industry is facing an increasing number of SEO poisoning attacks as threat actors target these organizations for their highly confidential and valuable data, said Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry.
"A successful cyberattack can have serious consequences, including the loss or sale of sensitive patient data to malicious entities, financial losses and even direct physical harm to patients," he told Information Security Media Group.
Security researchers at BlackBerry said in an April threat intelligence report that they had found SEO poisoning attacks, particularly in the healthcare sector, to be on the rise between December 2022 and February 2023, and they expected that trend to continue.
Because some anti-malware solutions block cracks and keygens, some users intentionally disable their security products before downloading these files or ignore detection alerts and proceed with the download anyway, according to BlackBerry. "As a result, even widely detected threats can infect systems when a victim explicitly allows the download and execution of malware," BlackBerry writes.
SEO Poisoning Tactics
Some threat actors also use targeted types of SEO poisoning, including spear-phishing, to go after specific users, such as IT administrators and other privileged users. "The technique enables attackers to target and customize their attacks to specific audiences, making them more challenging to identify and defend against," HHS HC3 wrote.
Common SEO poisoning methods also include typosquatting, which targets users who might open their browser and input a website address that has an inadvertent typo or click on a link with a misspelled URL, HHS HC said. Attackers often register domain names that are similar to legitimate ones but contain minor spelling errors.
Threat actors use a variety of tactics to boost their search engine rankings to help snare users through SEO poisoning, HHS HC3 warned.
They include keyword stuffing, which involves the cramming of irrelevant keywords into a webpage’s text, meta tags or other portions of a fraudster's website to fool search engine algorithms into giving the website a higher ranking.
Another tactic is cloaking, which involves displaying search engine crawlers with different material than what is presented to the user when the link is clicked; manipulating search ranking by artificially increasing a website's click-through rate to boost its ranking in search engine; and using private link networks, which involves connecting a group of unrelated websites resulting in a network of backlinks to a main website.
SEO poisoning can be difficult to prevent and detect, according to the alert. Nonetheless, organizations can take measures to help better prepare for these scams, HHS HC3 said. That includes implementing typosquatting detection procedures using digital risk monitoring tools.
Indicator of compromise lists can be used to identify malicious URLs, and they can also serve as watchlists or blocklists for preemptive detection or blocking, HHS HC3 said.
HHS HC3 also recommended upgrading security software and establishing "rigorous" web filtering procedures, in addition to training staff on "safe browsing practices, phishing awareness, and effective endpoint security measures," HHS HC3 said.