ID | Name |
---|---|
T1608.001 | Upload Malware |
T1608.002 | Upload Tool |
T1608.003 | Install Digital Certificate |
T1608.004 | Drive-by Target |
T1608.005 | Link Target |
T1608.006 | SEO Poisoning |
Adversaries may poison mechanisms that influence search engine optimization (SEO) to steer potential victims toward staged capabilities. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.[1][2]
To help facilitate Drive-by Compromise, adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as Drive-by Target) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as broader, seasonally popular topics (e.g. elections, trending news).[3][1]
In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to steer users toward Supply Chain Compromise lures. In-site searches rank results according to their own algorithms and metrics such as popularity,[4] which may be targeted and gamed by malicious actors.[5]
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.[2][6]
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.[3][7]
ID | Name | Description |
---|---|---|
G1020 | Mustard Tempest | Mustard Tempest has poisoned search engine results to return fake software updates in order to distribute malware.[8][9] |
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0035 | Internet Scan | Response Content | If infrastructure or patterns in the malicious web content related to SEO poisoning or Drive-by Target have been previously identified, internet scanning may uncover when an adversary has staged web content supporting a strategic web compromise. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as Drive-by Compromise or Exploitation for Client Execution. |
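
An added example, not part of the original page: a Python check that applies the Response Content idea to the keyword-stuffing pattern described above, scanning fetched HTML for long runs of repeated terms hidden with inline CSS. The style patterns, thresholds, function names and sample pages are assumptions constructed for illustration; text hidden through external stylesheets or classes is not covered.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Heuristic inline-CSS patterns that hide text from visitors (assumed, non-exhaustive).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
                          r"|(?:text-indent|left)\s*:\s*-\d{3,}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class HiddenTextScanner(HTMLParser):
    """Split page text into words a visitor sees and words hidden by inline CSS."""
    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, state): True hidden, False visible, None script/style
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        hide = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        inherited = bool(self.stack) and bool(self.stack[-1][1])
        self.stack.append((tag, None if tag in ("script", "style") else inherited or hide))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not desync the stack.
        names = [t for t, _ in self.stack]
        if tag in names:
            del self.stack[len(names) - 1 - names[::-1].index(tag):]

    def handle_data(self, data):
        state = self.stack[-1][1] if self.stack else False
        if state is not None:  # text inside script/style is never rendered
            (self.hidden if state else self.visible).extend(re.findall(r"[a-z0-9']+", data.lower()))

def assess(html, min_hidden_words=20, min_repeat=3):
    """Flag response content whose hidden text is long and repeats the same terms."""
    s = HiddenTextScanner()
    s.feed(html)
    s.close()
    counts = Counter(w for w in s.hidden if len(w) > 3)
    repeated = sorted(w for w, n in counts.items() if n >= min_repeat)
    return {"hidden_words": len(s.hidden), "visible_words": len(s.visible), "repeated_terms": repeated,
            "suspicious": len(s.hidden) >= min_hidden_words and bool(repeated)}

# Constructed sample responses (not real captures).
STUFFED = ('<h1>Quarterly newsletter</h1><p>Welcome to our community garden update.</p>'
           '<div style="text-indent:-9999px">' + 'free software update download installer ' * 5 + '</div>')
BENIGN = ('<nav style="display:none">Home About Contact</nav><p>Our bakery opens at seven.</p>'
          '<script>var promo = "free download";</script>')
```

A short hidden navigation block stays below the thresholds, so `assess(BENIGN)` is not flagged while `assess(STUFFED)` is; tune `min_hidden_words` and `min_repeat` against pages known to be clean before using the result as a signal.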