top of page

SEO ‘Poisoning’ Among Direct Fraud Threats to FIs: Fortra Report

  • Writer: Roy Urrico
    Roy Urrico
  • 5 hours ago
  • 3 min read

By Roy Urrico


 

A new report SEO Poisoning Marketplace Topping Search Results, Impersonating Top Financial Institutions from Fortra’s Intelligence and Research Experts (FIRE) tracks HaxorSEO (HxSEO), an active cybercrime marketplace that poses a direct threat to financial institutions by manipulating search rankings to drive phishing and fraud with tactics such as so-called "SEO poisoning.”

 

The FIRE team from Eden Prairie, Minn.-based Fortra, which provides advanced offensive and defensive security solutions, revealed this group of active malicious threat actors have operated since 2020 and refers to themselves as “Haxor,” a slang word for hackers, and their marketplace as HxSEO, or HaxorSEO.

 

“HxSEO, stands out for their emphasis on unethical search engine optimization (SEO) techniques, selling a service that supports phishing campaigns by improving the perceived legitimacy of malicious pages. Their optimization is impressively successful, with FIRE identifying fraudulent login pages that rank higher than the legitimate pages of global financial institutions,” wrote

Kyle Skwirsk, a threat research analyst at Fortra.
Kyle Skwirsk, a threat research analyst at Fortra.

a and author of the report.

 

Poisoning SEOs an HxSEO Marketplace Focus

 

Because SEO poisoning is the focus of the HxSEO marketplace, the FIRE report provided deeper insights about how it works and the evolving ‘black box’ nature of SEO algorithms. “SEO poisoning is a cyberattack where malicious actors manipulate search engine results to rank harmful websites highly, tricking users into clicking them. Search engines actively combat these methods and spam by employing advanced algorithms and manual review processes to identify, devalue, and penalize suspected abuse,” explained Skwirsk.

 

Initiatives such as FS-ISAC (Financial Services Information Sharing and Analysis Centers) and search engine reporting programs have made it more challenging for fraudsters to target users via malvertising, where a compelling ad directs a user to a malicious site, the FIRE report noted. “Without the ease of paying a high traffic platform to present malicious sites to potential victims, threat actors have turned to other methods for elevating their sites, like SEO poisoning.”

 

FIRE identified the HxSEO marketplace, where threat actors and cybercriminals can shop and purchase backlinks to a selection of compromised legitimate domains. Skwirsk explained these domains are typically 15-20 years old and promoted alongside a selection of ‘trust’ scores to advertise the potential effectiveness of the purchased backlink. HxSEO can also negatively impact the SEO score of legitimate pages by using bad backlinks hosted on spam-riddled, low-authority sights - harming ethical SEOs.

 

In addition to the backlinks, FIRE warned about other HxSEO techniques, such as:

 

  • Keyword stuffing: Overloading a webpage with key words or phrases to manipulate search engine rankings.

  • Hidden text: Where concealed key words or links are only visible to search engine crawlers. Examples include white text on a white background, font size set to zero, or off-screen positioning.

  • Automatically generated content: created by bots or generative artificial intelligence (AI) and intended to artificially inflate the ranking of harmful websites, provided the search engine perceives it as adding value and not ‘AI-slop.’

 

How HxSEO Operates


Source: Fortra
Source: Fortra

When users search for sensitive keywords like "financial logins" for specific financial institutions, HxSEO team's manipulation ensures the compromised sites appear first in the search results, ahead of the legitimate page they are imitating, luring unsuspecting users into illegitimate content. “FIRE observed HxSEO’s successful optimization of credential harvesting pages imitating high profile banks and financial service login pages. In some cases, fraudulent login pages ranked higher than the legitimate page,” wrote Skwirsk.

 

The HxSEO team operates on messaging apps Telegram and WhatsApp and is mainly advertises all the backlinks they have for sale via a Google sheet containing 1000-plus compromised domains, according to FIRE. A Haxor web shell controls each compromised website, which enables them to upload the malicious backlink to the reputable site, explained Skwirsk. “This expansive backlink marketplace provides malicious third parties with the means to launch phishing campaigns or deploy harmful code through backlinks.”

 

These backlinks, he added, also allow third parties to select a domain of choice and essentially gain "votes" or endorsements from these websites to theirs, signaling search engines like Google that their content is trustworthy and relevant.

 

Recommendations

 

Upon detection of fraudulent web pages linked to HxSEO, Fortra works with the targeted organization, domain service provider, and search engines to mitigate and take down the malicious page.

 

Users are advised to bookmark sensitive login pages, such as credit union and bank logins, rather than locating them via search engines. “Make sure to verify that the domain in the URL is legitimate and keep an eye out for lookalike domains that may have minor spelling differences you wouldn’t notice immediately,” stated the report.

bottom of page