{
	"id": "c3ac93f4-ede2-4880-8df3-327b2badc83b",
	"created_at": "2026-04-06T01:32:17.435884Z",
	"updated_at": "2026-04-10T03:21:15.906244Z",
	"deleted_at": null,
	"sha1_hash": "8eb9b6bf391287af14a01a6edebcde0655ae660d",
	"title": "Ubiquitous SEO Poisoning URLs | Black Hat SEO",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2085618,
	"plain_text": "Ubiquitous SEO Poisoning URLs | Black Hat SEO\r\nBy Jim Wang\r\nPublished: 2018-10-17 · Archived: 2026-04-06 00:38:46 UTC\r\nSEO poisoning, also known as search engine poisoning, is an attack method that involves creating web pages packed with trending keywords in an effort to trick search engines into giving them a higher ranking in search results. There are different ways to implement SEO poisoning, such as keyword stuffing, the use of hidden text, and cloaking, among others. In addition to manipulating search ranking, SEO poisoning is widely used to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on.\r\nThe ThreatLabZ research team has been actively tracking SEO poisoning campaigns; in this blog, we will share some recent examples and an analysis of the techniques used.\r\n“Midterm elections” campaign\r\nAttackers often use holidays and other timely occasions that are likely to generate a lot of search interest. For this analysis, we chose to focus on the upcoming U.S. election. In the following screenshot, there are three SEO poisoned URLs in the Google search result for the keyword “midterm elections.”\r\nFig. 1: SEO poisoned URLs in Google search\r\nAfter about a month of looking at this “midterm elections” SEO poisoning campaign, we found more than 10,000 compromised websites with more than 15,000 keywords, and we continue to find hundreds of newly compromised sites involved in this activity every day.\r\nUse of multiple redirects\r\nLet’s take a look at some specific URLs generated by the following SEO poisoning campaign:\r\nwebsitedukkani[.]com/enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls\r\nThe Google cache for the above URL is shown below, and you can see that the Google crawler got a junk page loaded up with many uses of the keyword “midterm elections.”\r\nFig. 2: Google crawler loaded with keywords\r\nhttps://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0\r\nPage 1 of 6\n\nBut as we browsed this URL in Chrome, we discovered that it may be redirected to this page:\r\nFigure 3: SEO poisoning landing page example\r\nWe say “may” because the redirected website is different each time.\r\nWe also noted that it goes through a series of redirects before landing on the final page, as shown in figure 4 below. This is just one of the many measures that cybercriminals are using to deter automated crawlers from adding detection for the landing pages.\r\nIn our example, the user goes through two redirects via the “302 Found” response code before getting to a real page, as shown in figure 3:\r\nRedirect URL #1 - 5[.]45[.]79[.]15/input/?mark=20180314-landlordpeace.com/0fuq\u0026tpl=9\u0026engkey=how+to+login+to+zscaler\r\nRedirect URL #2 - www[.]hitcpm[.]com/watch?key=027ed88f05536b6c1a41df968c0abb52\r\nFigure 4: The web page content of the last redirect\r\nThe final landing page that the user sees will be different every time; in our case the user was served the following web page:\r\nbest2017games[.]com/bestgames/playtime/6a6d637637c06de629eb725d6c5c34e1/index.php?country_code=US\u0026p1=http%3A%2F%2Fadsfxs.pro%2Fclick%2F05e45367-502f-4558-8e24-9235a5169358%3Fclickid%3DVjN8MTQyNjk4NDh8MTE0NTYyNXwxNTQ2MzZ8MTUyMTA2NzI3M3wyN2RkMDE5MS0xMThjLTRhNWItYjJiY\r\nThe multiple redirect model provides a perfect platform for a MaaS (Malware-as-a-Service) infrastructure, as it shields the final landing page from automated security crawlers.\r\nCloaking technique\r\nThe attackers are leveraging cloaking techniques whereby the end user is served different content depending on the HTTP headers involved in the web request. We noticed three distinct responses in some of the recent campaigns:\r\n1. Crawler view: The SEO URL will return a web response that is more catered towards poisoning the search engine results for the relevant search term. This will make the URL appear higher in the search result.\r\n2. Browser or user view: The SEO URL in this case will lead the user through a series of redirects before a final landing page, dependent upon the campaign.\r\nThe attacker distinguishes between user view and crawler view by inspecting the user-agent HTTP header of the request. If the user-agent string belongs to a well-known web browser, then user view content is served.\r\n3. Referer view: The SEO URL in this case will serve different content to the end user, depending on the URL set in the referer HTTP header.\r\nWithout cloaking\r\nWithout the use of cloaking, the content fetched by the search engine crawler (“crawler view”) as well as by the direct user (“direct view”) will be identical. However, the SEO page will have scripts to detect whether it is an actual user loading the content in a web browser, in which case the user will be redirected to the final landing page containing the malicious content.\r\nHere is an example of an SEO campaign where cloaking is not being used:\r\nURL: tucuerposiente[.]cl/forum/070sxjj.php?bbhb=excel-vba-cells-function\r\nThe crawler view and direct view for this SEO URL return identical content. The SEO page in this case will redirect to a final landing page based on the user’s action, such as mouse movement or rendering of the page in the web browser. The crawler will not see the landing page redirect, as there is usually no user interaction or browser rendering involved.\r\nBelow is a view of what happens when a user browses an SEO-poisoned URL that is not leveraging cloaking techniques. The user will see a webpage as well as a busy icon on the browser tab indicating additional background activity. This activity is leading the user to the final landing page in the background, as shown in this screen capture from Fiddler (a free web request debugging tool).\r\nFigure 5: An SEO poisoned URL without cloaking leads user to landing page\r\nThe attacker is leveraging specially crafted CSS (Cascading Style Sheets) to perform a redirect from the user’s browser. In CSS, the URL property can be used to set the background. The figure below shows the typical usage of the URL property (taken from w3schools.com).\r\nFigure 6: URL property\r\nBut if you don’t give any parameter to the URL property, i.e. url() instead of url(“URL”), it will load the parent page again. During the second loading, however, the referer HTTP header is set to the parent URL itself. This is the reason there are two requests to the same URL in Fiddler. It is important to note that the malicious content will be served on the second request, in which the referer HTTP header is set to the expected URL.\r\nThe figure below shows the CSS code snippet used in the SEO page. The line “background-image: url()” will cause the page to reload.\r\nFigure 7: CSS code snippet in the SEO page\r\nThe second request will load the malicious code, as shown in the image below.\r\nFigure 8: Malicious code\r\nSEO URL generation\r\nLet’s take a look at a typical SEO URL structure seen in SEO poisoning campaigns:\r\nSEO URL: sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load\r\nWe can divide this URL into several parts:\r\n1. Host: www.sbtechsiteleri[.]com\r\n2. URI path: docs\r\n3. PHP page file: bmfns7.php\r\n4. Parameter: gneo\r\n5. Search keywords: access-vba-form-load\r\nThe campaign uses different parameters to generate URLs. We have found hundreds of unique parameters; jtjd and wanh are two examples of parameters shown in the screenshot below.\r\nFrom the search result in the screenshot, we can reasonably guess there are hundreds of millions of SEO URLs generated for these two parameters.\r\nFigure 9: URLs generated\r\nSEO web page generation\r\nAlthough we don’t have access to the backend code used to generate the SEO webpages, we can draw some insights into the generation process based on our analysis of several pages involved in this activity:\r\n1. Pick up the keywords from the “search keywords”; search in search engine\r\n2. Collect the responses that contain the keywords\r\n3. Generate a final response containing specific strings from the collected responses\r\nThe Google cache of the webpage www.sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load:\r\nFigure 10: Example of Google cache\r\nThe first sentence, “I am fairly new to Access,” can be found in several URLs. The second sentence, “Programming Microsoft Access with VBA can be a lot easier if you know the keyboard shortcuts for the most common commands and tasks and the” is from this site:\r\nFigure 11: Example of site found\r\nFollowing that sentence, you can see, “If you want to set the RecordSource of another form, you must ensure the other form is open first,” which is from this website:\r\nFigure 12: Example of sentence found at site\r\nAll three of the above examples are for the keyword “access.”\r\nConclusion\r\nSEO URLs redirect users to different targets. We saw two modes of operation in the pages that we analyzed:\r\n1. The users go through a series of redirects to reach the final landing page.\r\n2. The users are redirected to a MaaS (Malware-as-a-Service) platform which starts another redirection chain leading to the final landing page.\r\nHere are the top web categories to which the final landing page sites belonged:\r\n1. Adult and pornographic websites\r\n2. Internet services sites; in this case, the SEO campaign's purpose is advertising\r\n3. Politics and religion, an example of which is shown below\r\n4. Exploit servers leading to adware/malware payloads\r\nOn average, we see over 3,000 new and unique SEO poisoned URLs every day. ThreatLabZ is actively tracking this threat and will continue to ensure coverage for Zscaler customers.\r\nIndicators of Compromise\r\nThe list of the redirectors used by this campaign and some IOCs for PHP files and ZIP files can be found here. If you find these PHP or ZIP files in your website, it is likely that your website has been compromised.\r\nSource: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0"
	],
	"report_names": [
		"ubiquitous-seo-poisoning-urls-0"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439137,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8eb9b6bf391287af14a01a6edebcde0655ae660d.pdf",
		"text": "https://archive.orkl.eu/8eb9b6bf391287af14a01a6edebcde0655ae660d.txt",
		"img": "https://archive.orkl.eu/8eb9b6bf391287af14a01a6edebcde0655ae660d.jpg"
	}
}