{"id":3577,"date":"2025-06-17T12:55:21","date_gmt":"2025-06-17T12:55:21","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3577"},"modified":"2025-06-17T12:55:21","modified_gmt":"2025-06-17T12:55:21","slug":"phishing-goes-prime-time-hackers-use-trusted-sites-to-hijack-search-rankings","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3577","title":{"rendered":"Phishing goes prime time: Hackers use trusted sites to hijack search rankings"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cybercriminals are exploiting a black-market search engine optimization (SEO) platform called Hacklink to hijack search engine results and promote phishing and other unscrupulous sites.<\/p>\n<p>According to Netcraft research, the clandestine marketplace allows scammers to purchase access to high-reputation websites and stealthily plant links that boost the visibility of attacker-controlled pages in search results, especially for keywords linked to gambling and other illicit niches.<\/p>\n<p>\u201cHacklink is a sort of hybrid platform \u2014 it\u2019s part black market, part control panel,\u201d said Andrew Sebborn, cybercrime analyst at Netcraft. \u201cOn one hand, it sells access to real, legitimate websites that have been compromised. 
On the other hand, it gives buyers a way to manage and modify those sites through a built-in panel.\u201d<\/p>\n<p>Victim sites often remain unaware, as the maliciously injected content is invisible to users but detectable by search engine algorithms\u2014a loophole cybercriminals are actively exploiting.<\/p>\n<h2 class=\"wp-block-heading\">Injecting phishing links into reputable sites<\/h2>\n<p>According to Netcraft, the manipulation works by embedding keyword-optimized links into the JavaScript code of .gov, .edu, and country-specific domains, which Google\u2019s page-ranking algorithm treats as trustworthy. This tricks the system into elevating scam sites above authentic ones in search listings.<\/p>\n<p>Once access is purchased, attackers can insert their own content, such as phishing redirects or SEO-optimized links to fraudulent sites, which can point to reputable domains, like government or business sites, to boost credibility in search results, Sebborn added.<\/p>\n<p>\u201cThis research shows cybercriminals are getting smarter by hijacking trusted sites to push bad links right to the top of search results, tricking users into clicking,\u201d said J Stephen Kowski, Field CTO at SlashNext Email Security. \u201cOrganizations need to watch for weird changes in their search rankings and check their backlinks for anything fishy that could point to a bigger problem.\u201d<\/p>\n<p>Sebborn clarified that the trick isn\u2019t necessarily about getting people to click those injected links directly, but about boosting the visibility of scam sites. Even though people might not be clicking on the links on the compromised sites themselves, they\u2019re more likely to see and visit the phishing pages because those pages are now appearing at the top of search results.<\/p>\n<p>Netcraft has adjusted its detection system to flag a number of sites that have been compromised via Hacklink. 
Available to Netcraft partners and customers, the sites will be visible in Netcraft\u2019s malicious site feeds under the \u201cdefaced\u201d category.<\/p>\n<h2 class=\"wp-block-heading\">An organized operation currently limited to Turkey<\/h2>\n<p>Hacklink is currently letting cybercriminals browse and buy access to thousands of hacked websites, with listings costing as little as $1 per unit, and .gov or high-authority domains fetching even more.<\/p>\n<p>The operation appears to be highly organized, with groups like \u201cNeon SEO Academy\u201d and \u201cSEOLink\u201d offering illicit SEO services for phishing and online casino fraud. With search engine providers still in the dark about it, the operation has taken root in Turkey, already boosting illicit businesses there.<\/p>\n<p>\u201cSo far, most of the activity seems to be centered around the Turkish market, primarily in online gambling and escort services,\u201d Sebborn added. \u201cAs for the search engines, there\u2019s no clear indication yet that they\u2019ve been notified about these campaigns or how they\u2019ve responded. At this point, there doesn\u2019t seem to be a public effort or statement from them addressing this type of ranking abuse.\u201d<\/p>\n<p>Chris Gray, Field CTO at Deepwatch, believes <a href=\"https:\/\/www.csoonline.com\/article\/573727\/seo-poisoning-campaign-directs-search-engine-visitors-from-multiple-industries-to-javascript-malwar.html?utm=hybrid_search\">SEO poisoning<\/a> operations, such as Hacklink, will bolster phishing and SMShing campaigns all over. \u201cEstimates say that there will be over a trillion phishing emails sent this year, and these attacks are expected to be involved in ~36% of all data breaches,\u201d Gray added. 
\u201cSEO poisoning doesn\u2019t necessarily mean that these attacks will be more successful, but it does mean that even legitimate communications are more likely to contain malicious links.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A stealthy, hard-to-detect operation<\/h2>\n<p>Sebborn pointed out that the operation is highly evasive and employs a stealthy form of \u2018cloaking\u2019 where phishing content is displayed only under specific conditions\u2014such as visits from certain IP addresses arriving via Google search. In cases Netcraft observed, the same URLs would appear harmless when accessed directly or through a proxy, making the malicious behavior difficult to detect using standard security tools or manual inspection.<\/p>\n<p>\u201cThis kind of abuse is hard to catch if you\u2019re not looking for it,\u201d Sebborn added. \u201cSite owners should definitely make a habit of checking their websites for strange or unauthorized links, especially if they\u2019re running older software or aren\u2019t regularly updating their systems.\u201d Gray believes strengthening the usual anti-phishing efforts might still help. \u201cHonestly, you\u2019ve just got to take a page from the Phishing Handbook and double down on it,\u201d he said. \u201cThey have to be cautious about URLs before clicking on them. Awareness is key\u2013they need to be aware of current phishing campaigns and use strong authentication. Employee phishing awareness training is still very critical.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are exploiting a black-market search engine optimization (SEO) platform called Hacklink to hijack search engine results and promote phishing and other unscrupulous sites. 
According to Netcraft research, the clandestine marketplace allows scammers to purchase access to high-reputation websites and stealthily plant links that boost the visibility of attacker-controlled pages in search results, especially [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3578,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3577","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3577"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3577"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3577\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3578"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}