How Fraudsters Are Poisoning Search Results to Promote Phishing Sites
Key Data
Netcraft’s research has uncovered an organized SEO poisoning operation using a platform known as Hacklink, a marketplace that enables cybercriminals to purchase access to thousands of compromised websites and inject malicious code designed to manipulate search engine algorithms. Scammers use Hacklink control panels to insert links to phishing or illicit websites into the source code of legitimate but compromised domains. The anchor text of these links is tailored to specific keywords so that when users search for relevant terms—such as gambling-related phrases—they are served search results that include, and sometimes prioritize, the attacker-controlled websites.
The injected content is subtle, often invisible to site owners or casual visitors, but highly effective at influencing Google’s PageRank system. Threat actors choose sites based on their reputational value, using links from .gov, .edu, and country code TLDs (ccTLDs) to boost the credibility of their malicious content. ccTLDs are desirable in SEO because Google assumes that content on such a domain is more relevant than content on a domain without one and prioritizes it for searches made from that specific country. The malicious site therefore inherits some of that favorable ranking simply by being linked from the compromised domain. While legitimate SEO is a cornerstone of digital marketing, the techniques used here cross into fraud, with fake pharmacies, adult content, and phishing pages all benefiting from artificially elevated visibility. Particularly concerning is the targeting of online casinos, with organized groups like “Neon SEO Academy” and “SEOLink” offering services to manipulate SEO rankings for phishing and fraud.
To read the complete article see: Netcraft