Sophos reveals its own products are subject to SEO poisoning

According to Fraser Howard, a researcher with Sophos, his colleagues wrote back in October 2009 about how attackers were using education-themed topics designed to trap students and teachers searching for information and resources.

These very same subtle tactics are still working today, he says, adding that Sophos' own products "have reached the heady heights of being SEO-worthy".

"Yesterday afternoon I noticed a poisoned term which made me chuckle. Incoming data revealed a Mal/SEORed-A detection on an SEO page constructed by one of the recent kits we have been tracking. Looking at the URL reveals the topic the user was searching for:

hxxp://[removed]/ecd.php?q=ws1000-appliance&page=7

The 'WS1000 appliance' search term refers to one of the Sophos web appliance (SWA) models! So a user searching for information on our web appliances was thankfully sitting behind one of them, enabling us to thwart the attack by blocking the initial redirect as Mal/SEORed-A", he says in his latest security blog.
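A triage sketch of the URL reading Howard describes, added here as an example and not Sophos code: it pulls the lure term out of blocked URLs and flags lures that name your own products. The log line layout, the function names and every URL except the first are constructed, and the `q=` convention is assumed from the single URL shown above.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed gateway log lines (action, detection name, URL). Only the first
# URL is the one quoted in the article; the rest are made-up placeholders.
SAMPLE_LOG = """\
BLOCK Mal/SEORed-A hxxp://[removed]/ecd.php?q=ws1000-appliance&page=7
BLOCK Mal/SEORed-A hxxp://site-a.example/ecd.php?q=ws1000-appliance&page=2
BLOCK Mal/SEORed-A hxxp://site-b.example/ecd.php?q=periodic-table-worksheet
ALLOW - http://news.example/story?id=42
BLOCK Mal/Other-X hxxp://site-c.example/x.php?q=ws1000-appliance
"""

def lure_term(url):
    """Return the search topic carried in the q= parameter, or None.

    Assumption: the kit keeps the lure in q= with hyphens between words, as
    in the one URL the article shows. Only the query string is parsed, so
    defanged schemes (hxxp) and redacted hosts ([removed]) cause no errors.
    """
    query = url.split("#", 1)[0].partition("?")[2]
    values = parse_qs(query).get("q")
    if not values:
        return None
    return " ".join(values[0].lower().replace("-", " ").split()) or None

def lure_counts(log_text, detection="Mal/SEORed-A"):
    """Count lure terms across blocked requests carrying the given detection."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3 or fields[0] != "BLOCK" or fields[1] != detection:
            continue
        term = lure_term(fields[2])
        if term:
            counts[term] += 1
    return counts

def brand_lures(counts, brand_terms):
    """Return the lures that mention any of our own product names."""
    brands = [b.lower() for b in brand_terms]
    return {t: n for t, n in counts.items() if any(b in t for b in brands)}

if __name__ == "__main__":
    counts = lure_counts(SAMPLE_LOG)
    print(counts.most_common())
    print(brand_lures(counts, ["WS1000"]))
```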

Howard asserts that, if the user were not already a customer of his firm, they would have been subjected to the usual scareware onslaught, courtesy of a URL redirect.

Irony aside, the Sophos researcher says this simply reflects how effective blackhat SEO attacks actually are.

So what can users do to protect themselves?

Clearly, he notes, being sensible or careful with what you search for is no use.

Users, says Howard, need to take care to review the links provided by the search engines and think before they click, as well as ensure the filtering options provided by their chosen search engine are enabled.

"Most importantly, ensure you have layered protection in place, with effective content scanning and URL filtering focused on blocking such attacks at multiple levels", he explained.
