Security awareness

Malicious SEO campaigns: Mitigating risk with zero-trust approach

February 8, 2021 by Susan Morrow


The culture of the “corporate website” has become synonymous with 21st-century business. To compete and be seen in a global space, organizations need a web presence. This has been particularly important during COVID-19, where digital means of attracting customers and clients have replaced face-to-face. 

But it’s a jungle out there. To be seen online, a business has to utilize several strategies — perhaps the most important of which is to achieve a decent search engine ranking.

This need has given rise to the discipline of search engine optimization (SEO). This tactic of making a website’s presence known to search engines and achieving a good page ranking (especially on Google), encompasses a variety of different techniques. But, as with much of our digital life, the cybercriminal community has taken SEO and now uses it for their own ends. Black-hat SEO is now a scourge of the internet.

What is black-hat SEO?

Black-hat SEO (sometimes called negative SEO) is the application of malicious techniques to increase the ranking of a website or product on a search engine (usually targeting Google). These techniques go way outside the T&Cs of the search engine and enter the murky world of website hacking. Any legitimate website can become a victim of a black-hat SEO hacker. 

The SEO hackers use a wide range of techniques to gain exposure to their website/products by hijacking legitimate websites, using them as a parasitic host. This level of negative SEO goes beyond illegitimate tactics such as keyword stuffing and cloaking. Instead, hacking tactics include injection of HTML code in theme files and devious redirection to other sites. 

It’s bad enough that the affected website becomes an unwilling host to promote illegal products, but the website can also be markedly affected. Impacted websites can end up with very poor performance and even be banned by Google.

Malicious black-hat SEO attack vectors include SEO spam injection, whereby fraudsters hack into a website using security vulnerabilities in a plugin, or via credential stuffing. Once access is gained, the fraudsters will inject their own content, stuffing keywords, adding in devious redirects, across pages and posts throughout a site. The access needed to perform this is achieved using a variety of measures, including credential stuffing, brute-force attacks and via vulnerabilities in plugins and core CMS (content management software). 

A recent example, demonstrating the widespread impact of plugin vulnerabilities, was a WordPress FileManager plugin flaw that affected over 700,000 websites. The vulnerability allowed the execution of commands and the upload of malicious files to an affected website. A patch for the vulnerability has since been released.

Access control to hosted websites and backend databases is a key issue in SEO black-hat campaigns. Techniques such as credential stuffing are popular and successful. In the 12 months leading up to December 2019, 88 billion credential-stuffing attacks were identified. 

Credential stuffing relies on login credentials stolen in previous data breaches. A bot then uses the stolen passwords and email addresses to attempt login across thousands of website administrator login pages. Access control to CMS login and database administration login is clearly a key issue in black-hat SEO.

Zero-trust measures to prevent black-hat SEO

The prevention of negative SEO is as important as any other cybersecurity initiative. The corporate website is a display to the world of the value of a company. Its presence must be preserved. There are, however, ways to counter the threat of black-hat SEO, including ensuring that plugins, themes and core software are patched, as well as applying website vulnerability scanning tools. 

However, one of the most effective and fundamental methods of managing the threat of negative SEO is through an understanding of the threat and applying robust control of access to web resources. This is where the use of zero trust comes in.

The use of a zero-trust approach is a powerful way to manage one of the core threats to website integrity — access to the resources and backend databases. Zero-trust security is a concept, a set of principles and an architecture.

The concept: At the heart of zero trust is the following mantra: “Never trust, always verify.”

Set of principles: Zero trust is about verifying access based on trust. All entities across an extended network must have trust applied as a basis for this access control. Data is the main focus of the zero-trust model and the access of these data is applied to — people, devices, networks and workloads. Within this are the fundamental principles: 

  • Protect data
  • Always monitor
  • Never trust, always verify

Architecture: Trust comes in the form of continuous verification at the point of access. Analyst firm Forrester was the original architect of a zero-trust security model. They suggest using “zones” or “microperimeters” to manage access across the wider ecosystem. 

In 2020, NIST published a draft framework (Special Publication 800-207) on zero-trust architecture (ZTA). The paper establishes a series of best practices in developing a ZTA, stating that:

“When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and best practices, a ZTA can protect against common threats and improve an organization’s security posture by using a managed risk approach.”

For zero trust to work, there must be an understanding of the notion of the ecosystem, people and devices are a key part of this. Security awareness also encompasses people and devices as an intrinsic part of the overlying security framework in an organization. As such, security awareness augments zero trust, playing a fundamental role in ensuring the tenets of a ZTA are upheld. 

Security awareness, zero trust and the end of black-hat SEO

The comment from NIST’s SP 800-207 on developing a zero-trust architecture is highly relevant to black-hat SEO prevention. ZTA is really about being security-aware across the entire ecosystem of users, devices, networks and the data that flows between and within this ecosystem. Negative SEO is just one more breach that impacts data security, integrity and maintenance — in this case, the manipulation of existing data in the form of posts, pages and other web elements.

Security awareness has evolved into an area that impacts and touches all parts of the security sphere. And like charity, security awareness begins at home. Ensuring that employees, including administrators and other privileged roles in an organization, understand the implications of spearphishing and credential hygiene, goes way beyond fundamental housekeeping in a security policy. 

Security awareness is part of a ZTA. The principles of zero trust, such as robust authentication and password hygiene, are augmented and strengthened by a security aware workforce. Using a zero-trust approach to security can help to keep a website clean and protect not only the website, but the company’s reputation as well.



CVE-2020-25213, CVE

Credential Stuffing in the Media Industry, Akamai

Five Steps To A Zero Trust Network, Forrester

SP 800-207, NIST

Posted: February 8, 2021
Susan Morrow
View Profile

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.