SEO spam is used by attackers to improve the ranking of their websites on search engines such as Google.
SEO spam is used by attackers to improve the ranking of their websites on search engines such as Google.

After recently helping a client rid their website of SEO spam, security company Sucuri issued a post on Thursday detailing how the sneaky type of attack – known as SEO poisoning – can cause some significant issues, especially for legitimate website operators.

SEO stands for search engine optimization and is essentially a number of techniques operators can use to improve the rank of their websites by search engines such as Google and Bing, Daniel Cid, CTO of Sucuri, told SCMagazine.com in a Friday email correspondence.

Good techniques include producing high-quality content, using good subjects and having a sitemap, Cid said, explaining that there are also several nefarious SEO techniques that generally leverage illegal tactics to improve website rank – one of which is SEO spam.

“For example, an attacker, ‘A,' compromises a website, ‘W,' and inserts links to his own site, ‘S,' that he wants to improve the ranking,” Cid said. “If the attacker manages to compromise many websites, Google will see hundreds of links back to site ‘S' and rank it better for keywords.”

There are numerous ways an attacker can compromise a website, but generally it involves leveraging known vulnerabilities in CMS packages – such as WordPress or Joomla – and plugins, Cid said. Most of the work is automated too, so attackers can scan the internet looking for vulnerable sites to compromise, he added.

“It really depends on the CMS[, but] most of the time, the links are added to the site footer, index or header files,” Cid said. “These would be the best places to start a search. And no, normal visitors will not see the links and they do not need to click on them at all. That's why it is so powerful and hard to detect. Generally the spam SEO code has a conditional check that only displays the spam links if the user agent (browser) matches “Googlebot,” “Bingbot,” and other search engine crawlers.”

So to identify that a website is compromised, Sucuri compares the results of a normal visitor against the results displayed when the company fakes itself as a search engine bot, Cid said. If there are more links as a search engine bot, SEO spam is generally the issue, he explained.

Remediation involves eliminating the bad links – not doing so will poison search engine results, causing bad sites to be ranked higher than good sites, Cid said. Additionally, SEO poisoning can negatively affect brand reputation, can lead to reduced sales and traffic, and can even cause a legitimate website to be blacklisted by search engines, the post indicates.

A SEO poisoning attack is also part of a bigger problem because it means that a website was able to be compromised, possibly due to a vulnerability, Cid said. He recommended upgrading all CMS software and plugins, changing all passwords, and analyzing logs looking for entry points to see how the site was compromised in the first place.