Security researchers have discovered an expansive backlink marketplace designed to help threat actors get malicious web pages ranked higher in search listings.
Fortra’s Intelligence and Research Experts (FIRE) found the “HaxorSEO” or “HxSEO” operation on Telegram and WhatsApp. It offers a Google Sheet of over 1000 backlinks to pre-compromised but legitimate domains.
“These domains are typically 15-20 years old and are marketed alongside a selection of ‘trust’ scores to advertise how effective the purchased backlink would be for increasing search engine rankings,” explained Fortra.
“Once payment is made, the group will add the backlink along with the malicious address to the legitimate domain, increasing the buyer’s likelihood of successfully achieving their goals.”
Read more on SEO poisoning: SEO Poisoning Targets Chinese Users with Fake Software Sites
Each legitimate website is compromised with a webshell that enables Haxor to upload a malicious backlink to the site. By buying and then inserting these links into their sites, threat actors can boost search rankings, drawing unsuspecting visitors to phishing pages designed to harvest their credentials or install malware.
In some cases, HxSEO’s successful optimization of fraudulent banking login pages meant that they ranked higher than the legitimate equivalents they were ripping off, said Fortra.
The vendor claimed that Haxor can also negatively impact the SEO score of legitimate pages that are being imitated, by using bad backlinks hosted on spammy, low-authority sights.
Low Cost, Big Impact
The operation offers backlinks for just $6 per listing, and automatically injects the necessary code into the compromised site, making this a highly attractive service for threat actors.
“This combined with the difficulty of spotting the backlinks in a search result inevitably leads to attacks at scale,” it warned.
The HxSEO market itself lists the malicious backlinks alongside common SEO metrics that indicate the authority and strength of a domain/webpage.
“Page authority (PA), domain authority (DA), and domain rating (DR) predict how effective the site is for SEO poisoning, with the domain rating giving the strongest indicator at how effective the domain’s backlink profile is,” Fortra explained.
“SS or spam score estimates the likelihood of a domain being penalized or considered spam. The list typically advertises 100-150 compromised websites at a given time, with forgotten academic journal webpages a clear preference.”
The Hexor team targets vulnerable php components and Wordpress plugins most often, using a variety of file upload and remote code execution exploits, the report noted.
Users Urged to Be Cautious
Although search engines are continuously hunting for malicious activity like this, a steady supply of new domains, fresh backlinks and content updates can keep operations like Hexor ticking over. Further, customers using these services likely only require a malicious phishing site to be up and running for a few days or weeks, said Fortra.
The threat intelligence firm has been working with relevant domain service providers, web owners and search engines to take down the malicious pages. However, it also encouraged users to improve their awareness of such schemes.
“Users are advised to be wary of URLs that they access via search engines, especially banking login pages. A best practice is to bookmark sensitive login pages, like your bank login, rather than locating it via a search engine,” it concluded.
“Make sure to verify that the domain in the URL is legitimate and keep an eye out for lookalike domains that may have minor spelling differences you wouldn’t notice immediately. If you are unsure, contact your bank and ask them to identify the correct login page.”