SEO poisoning (search engine poisoning) is a tactic cybercriminals use to manipulate search results, and it is increasingly being used to gain access to healthcare networks. In contrast to phishing, where contact is made with employees via email, SMS messages, or instant messaging services, SEO poisoning is a web-based attack and targets individuals as they browse the Internet. The aim of these attacks is to drive traffic to malicious websites where credentials are stolen or malware is downloaded, both of which can provide initial access to devices and accounts, allowing the theft of patient data and follow-on attacks.
SEO poisoning is used to get malicious web content to appear prominently in search engine listings. Search engines use automated crawlers to assess new web content, which is indexed and ranked based on the relevance of the content. The ranking determines where the result appears in the listings for specific search queries, and the more relevant and trusted the content is, the higher the page will appear in the search results.
While search engines use complex algorithms to rank web content, they can be tricked. Malicious actors use a variety of techniques to get their web pages to appear high up in the listings for specific search terms. Those search terms could be high-traffic terms that ensure a significant amount of traffic is sent to a web page, or lower-volume search queries that provide more targeted traffic, such as business or healthcare-related searches.
The relevance of a website is manipulated using tactics such as keyword stuffing, where specific keywords are crammed into the page content or meta tags to make search engines believe that the content is very relevant to specific search terms. Cloaking is also used, where search engine crawlers are provided with different content to the content viewed by users. Click rates can be generated by bots to make a site appear more popular, or private link networks can be used to increase backlinks to a website to improve the reputation of the site or a specific web page.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) recently issued a warning to the healthcare and public health (HPH) sector about SEO poisoning, which HC3 says has been used recently and frequently in attacks on the HPH sector, especially for delivering malware. These attacks can lead to the theft of protected health information, credential theft, and malware and ransomware attacks, and attacks on the HPH sector are increasing.
Another tactic used in web-based attacks is typosquatting. This tactic involves registering domain names that include deliberate typos, such as transposed letters or common misspellings. These sites target individuals who make spelling mistakes when typing domain names into their web browsers.
While malware delivery via phishing emails is relatively easy to block, SEO poisoning is more difficult, but there are easy steps that healthcare organizations can take to reduce risk. Web filtering solutions are an effective measure as they can be used to control the content that healthcare workers can access over the Internet. Web filters are updated with threat intelligence and will block all known malicious websites, preventing a connection from being made to a website/web page if a user clicks a link in the search engine listings. Web filters can also block certain file downloads from the Internet, such as executable files, which are used to install malware. Malicious URLs can also be detected through indicators of compromise (IoC) lists, which provide information on suspicious website behavior and anomalous search engine rankings.
Security awareness training should be provided to the workforce for HIPAA Security Rule compliance. HPH sector organizations should ensure that SEO poisoning is covered in the training in addition to other attack methods such as phishing and business email compromise (BEC). Healthcare organizations should also consider using digital monitoring tools and typosquatting detection procedures to block web-based attacks.
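The typosquatting patterns described above (transposed letters and common misspellings) can be checked for in proxy or DNS logs. The following is an added example, not from HC3 or the original article, of one possible detection procedure; the domain `examplehealth.org`, the observed hostnames, and all function names are constructed for illustration.

```python
# Added example: flag look-alike hostnames seen in proxy or DNS logs.
# Every domain name below is constructed for illustration.

def osa_distance(a, b):
    """Edit distance where an insert, delete, substitution or swap of two
    adjacent characters (a transposed-letter typo) each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def normalize(host):
    return host.strip().lower().rstrip(".")

def parent_domains(host):
    """'a.b.org' -> ['a.b.org', 'b.org'], so a typo under a subdomain is still compared."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def find_lookalikes(observed, trusted, max_distance=1):
    """Return (observed_host, trusted_domain, distance) for near-miss hostnames."""
    trusted = sorted({normalize(t) for t in trusted})
    hits = []
    for host in map(normalize, observed):
        if any(host == t or host.endswith("." + t) for t in trusted):
            continue  # the real domain or one of its subdomains
        scored = [(osa_distance(c, t), t) for c in parent_domains(host) for t in trusted]
        close = [s for s in scored if s[0] <= max_distance]
        if close:
            dist, real = min(close)
            hits.append((host, real, dist))
    return hits

TRUSTED = ["examplehealth.org"]   # hypothetical organization domain
OBSERVED = [                      # constructed log sample
    "www.examplehealth.org", "portal.examplehealth.org",
    "exampelhealth.org",          # transposed letters
    "examplehelth.org",           # dropped letter
    "login.examplehealht.org",    # typo hidden under a subdomain
    "search.example.com",
]
```

A distance threshold of 1 suits long domain names; short names produce more false positives, and this check does not cover look-alike characters or a correct name registered under a different top-level domain.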