When was the last time you searched Google for a store’s phone number or business hours? For most of us, it’s almost daily. It’s so convenient that it has become second-nature. However, what if I told you that search results are quickly becoming the next domain for fraud attacks, and that convenience could result in your information or credentials being compromised?
It’s a real threat, and while it’s not as well known as phishing or ransomware, fraudsters are increasingly “poisoning” search results, knowing that many of us are mobile-first consumers who act on the first result we see.
How do poisoned SEO attacks work?
Perpetrators of this scam push false information to the top of search results. A common way to accomplish this “SEO poisoning” is to seed the false information across legitimate web pages, social media posts, online help forums and media comment sections (think of all the odd, non-sequitur replies you’ve seen), using keywords known to generate search traffic.
This effort can be combined with other tricks meant to push the planted content into the top results: misrepresenting a fraud page’s SEO value to search crawlers, buying fake back-links and clicks, or even using a botnet to carry out all of these tasks at scale. Phishers have used the same tactics to seed as many malicious links as possible and to steer traffic toward “watering-hole” malware attacks.
Fraud schemes are particularly prevalent during the holiday shopping season. Many criminals will set up malicious sites that rank highly in search results and lure consumers to click on them. Often these rogue sites are laced with drive-by malware.
One recent example tracked by RSA involves the publishing of fake customer care phone numbers alongside legitimate physical locations on Google Maps. Customers searching for business contact information are instead directed to a phone number operated by the fraudster.
This scheme has proven highly effective because searching Google for contact information or a location is so common. Victims have little or no reason to suspect fraud, and their absolute trust in search results can lead them to hand over information they would otherwise be hesitant to share.
They’re Not Calling You … You’re Calling Them.
Planting a fraudulent phone number instead of a website is a kind of reverse “vishing” (voice phishing) attack: the victim, not the fraudster, places the call. Fraudsters benefit from this reversal in a couple of ways:
- While not as easy to create as a URL, email address or even a social media account, phone numbers can be bought, sold and transferred easily and discreetly, especially when purchased through any of the abundant illicit providers in the cybercriminal community.
- Using a phone number also hampers rapid attribution and takedown. Oversight and takedown requirements, authority and processes for phone numbers differ from those for other electronic media in most countries.
In the U.S., for example, while the investigation and takedown of a fraudulent site can often be accomplished at the service provider level (in cooperation with law enforcement), complaints and action against phone numbers are handled by the Federal Communications Commission (FCC), a civilian regulator with fewer resources and a different mandate and pace than its private-sector counterparts.
What Can You Do?
What makes the combination of reverse vishing and poisoned SEO notable is that both are calculated tactics meant to prey on human trust: the victim does the searching and the calling. How can consumers protect themselves against this updated scam? While vigilance and knowledge remain the best bet to avoid becoming a victim, there are a few things to keep in mind:
- Search for Warning Signs
The easiest and most secure way to find contact information for your bank, phone company or any other service provider is by looking at official correspondence from that organization. If you do search for a number online, be sure to scrutinize the content surrounding the numbers that appear in the results. Watch for suspicious signs such as the number combined with a message, surrounded by gibberish text or seemingly unrelated subjects.
- Don’t Share Info with Anyone
Most of us have been conditioned to keep our personal information safe, such as answers to security questions, PINs and passwords, but even the savviest consumer can fall victim. The truth is that most organizations will never ask you for this type of information over the phone, so a caller who does (or a “support line” that does) is a red flag in itself.
- Call for Help
If you suspect a scam involving your financial information, contact your bank immediately, using the number on your card or statement rather than the one you found online. You should also report any potential scam to the appropriate law enforcement authorities. For example, in the U.S., the FBI’s Internet Crime Complaint Center (IC3) provides a simple process for victims to file a complaint right on its home page.
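The “Search for Warning Signs” advice above (scrutinize the text around a number that turns up in search results) and the seeding technique described earlier can be turned into a simple triage check for anyone moderating a forum or comment section. The following Python script is an added example, not code from the original article or from RSA. It scans a few constructed sample comments (fictional 555-01xx numbers, no real data) for a phone number that appears together with customer-care wording or vowel-less filler text, and flags only those for review; a number sitting in an ordinary sentence is left alone. The keyword list, the 0.25 gibberish threshold and the score cut-off are assumptions chosen for the example.

```python
import re

# Constructed sample comments for the example (fictional 555-01xx numbers, no real data):
# one seeded "customer care" scam reply, one ordinary reply, one legitimate mention of a number.
SAMPLE_COMMENTS = [
    "Great article! ACME Bank customer care helpline call 1-800-555-0199 now tsk xkq zxcv rtp",
    "I had the same problem with my router; a factory reset fixed it.",
    "My local branch sorted it out; the number printed on my statement is 212-555-0123.",
]

# North American phone number shapes such as 1-800-555-0199, (212) 555-0123, 212.555.0123.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Wording that a seeded fake-support number is usually wrapped in (assumed list; extend per site).
CONTACT_KEYWORDS = (
    "customer care", "customer service", "support number", "helpline",
    "toll free", "call now", "contact number", "phone number",
)

# Gibberish threshold and score cut-off are assumptions tuned for this example, not published values.
GIBBERISH_THRESHOLD = 0.25
FLAG_SCORE = 4

VOWELS = set("aeiouy")


def gibberish_ratio(text):
    """Fraction of alphabetic tokens (3+ letters) containing no vowel at all: a cheap filler detector."""
    words = [w for w in re.findall(r"[A-Za-z]+", text) if len(w) >= 3]
    if not words:
        return 0.0
    odd = sum(1 for w in words if not (set(w.lower()) & VOWELS))
    return odd / len(words)


def score_comment(text):
    """Score one comment: a number alone is not suspicious; a number plus support wording or filler is."""
    phones = PHONE_RE.findall(text)
    lowered = text.lower()
    keywords = [k for k in CONTACT_KEYWORDS if k in lowered]
    ratio = gibberish_ratio(text)

    score = 0
    if phones:
        score += 2
    if keywords:
        score += 2
    if ratio >= GIBBERISH_THRESHOLD:
        score += 1

    return {
        "text": text,
        "phones": phones,
        "keywords": keywords,
        "gibberish_ratio": round(ratio, 2),
        "score": score,
        # Flag only when a number is present together with at least one other signal.
        "flagged": bool(phones) and score >= FLAG_SCORE,
    }


def triage(comments):
    """Return the scored records that deserve a moderator's attention."""
    return [r for r in map(score_comment, comments) if r["flagged"]]


if __name__ == "__main__":
    for record in triage(SAMPLE_COMMENTS):
        print(f"FLAG score={record['score']} phones={record['phones']} "
              f"keywords={record['keywords']} -> {record['text'][:60]}")
```

Run against the three constructed comments, only the first is flagged: it carries a number, two support keywords and a run of vowel-less filler. The third comment also contains a number but nothing else, so it scores below the cut-off, which is the point of requiring more than one signal before flagging.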
As always, the key ingredient in any cybersecurity effort is awareness and education. Your identity and personal information are very valuable to cybercriminals, which is why you must stay vigilant as fraud risks grow. Complacency in the face of constant exposure to threats like this is akin to handing your cash to the criminals.
(*) RSA is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.