SEO Poisoning

What Is SEO Poisoning?

SEO poisoning is a cyberattack technique where threat actors manipulate search engine rankings to place malicious or fraudulent content among legitimate search results. Also known as search poisoning, this tactic is a form of social engineering that exploits user trust in top-ranking pages.

By targeting trending search terms or creating content that appears helpful—such as support contact pages or how-to guides—attackers lure users to phishing sites, malware downloads, or fake support portals designed to steal personal information, credentials, or money.

SEO poisoning campaigns are often part of a larger threat strategy aimed at impersonating brands, compromising users, or damaging reputations. These attacks can target consumers, businesses, and even AI systems that scrape or summarize online content.

How Does SEO Poisoning Work?

SEO poisoning relies on manipulating how search engines index and rank content. Threat actors use several tactics to ensure their malicious pages rise to the top of search engine results pages (SERPs):

• Keyword stuffing and trending terms: Malicious writers fill pages with high-volume keywords to game search engine algorithms.
• Use of trusted domains: Threat actors abuse reputable domains (.edu, .gov, .org) or hijack legitimate sites to host malicious content.
• Content mirroring: Cybercriminals repost the same scam content across forums, PDF sharing platforms, and URL dumps (like Pastebin) to boost indexing.
• Q&A format: Content is often structured as a question and answer to mimic authentic support or help resources.

Once indexed, these poisoned results appear legitimate to both users and automated systems like large language models (LLMs), increasing the likelihood of engagement.

What Are the Goals of SEO Poisoning?

The primary objective of SEO poisoning is to drive unsuspecting users to malicious destinations. Common goals include:

• Stealing credentials through phishing forms or fake login pages
• Spreading malware via fake downloads or browser exploits
• Harvesting PII (personally identifiable information) through spoofed support contact forms
• Running scams such as fake tech support hotlines or fraudulent refund pages
• Impersonating brands to damage trust or reputations

For threat actors, SEO poisoning is a scalable, low-cost method to reach wide audiences and automate malicious campaigns.

Examples of SEO Poisoning in Action

SEO poisoning is frequently found during high-interest events, such as tax season, major sporting events, product recalls, or travel disruptions. In recent cases, ZeroFox observed fake customer service phone numbers being surfaced in search results and even AI-generated summaries.

For example, attackers uploaded PDFs containing falsified contact info to university subdomains (e.g., .edu share drives) and reposted them across public forums like Goodreads. These files were then indexed by search engines and scraped by AI tools like Gemini and Copilot, which unknowingly echoed the false information.

Victims calling these fake hotlines are often pressured to share personal data or payment details, while legitimate brands are left managing the fallout.

How SEO Poisoning Targets AI and LLMs

Modern SEO poisoning campaigns are evolving to target large language models (LLMs), which generate answers based on publicly available online data. LLMs often give additional weight to information hosted on trusted top-level domains like .gov and .edu.

By planting falsified information in these environments, often in the form of Q&A-styled PDFs or forum comments, threat actors trick LLMs into treating malicious data as reliable sources. These hallucinated responses can then mislead users who ask AI for support contacts, refund policies, or troubleshooting steps.

The result? AI-generated misinformation that leads users directly into scams.

How to Detect and Prevent SEO Poisoning

For Users:

• Don’t trust top search results blindly and inspect URLs carefully.
• Avoid clicking on links from unfamiliar domains, even if they appear in AI-generated answers.
• When in doubt, go directly to the official site of the brand or service.

For Organizations:

• Monitor for impersonation attempts using brand names and executive identities.
• Audit where and how your support information appears across the web.
• Use threat intelligence and digital risk protection tools to surface poisoned results before they reach customers.
• Report fake content promptly and work with vendors who can facilitate fast takedowns.

Learn more about ZeroFox Digital Risk Protection and how we help global organizations stay protected.