Cybercriminals are exploiting a black-market search engine optimization (SEO) platform called Hacklink to hijack search engine results and promote phishing and other unscrupulous sites.
According to Netcraft research, the clandestine marketplace lets scammers purchase access to high-reputation websites and stealthily plant links that boost the visibility of attacker-controlled pages in search results, especially for keywords linked to gambling and other illicit niches.
“Hacklink is a sort of hybrid platform — it’s part black market, part control panel,” said Andrew Sebborn, cybercrime analyst at Netcraft. “On one hand, it sells access to real, legitimate websites that have been compromised. On the other hand, it gives buyers a way to manage and modify those sites through a built-in panel.”
Victim sites often remain unaware, as the maliciously injected content is invisible to users but detectable by search engine algorithms—a loophole cybercriminals are actively exploiting.
Injecting phishing links into reputable sites
According to Netcraft, the manipulation works by embedding keyword-optimized links into the JavaScript code of .gov, .edu, and country-specific domains, which Google’s page-ranking algorithm treats as trustworthy. This tricks the system into elevating scam sites above authentic ones in search listings.
Once access is purchased, attackers can insert their own content, such as phishing redirects or SEO-optimized links to fraudulent sites, which can point to reputable domains, like government or business sites, to boost credibility in search results, Sebborn added.
“This research shows cybercriminals are getting smarter by hijacking trusted sites to push bad links right to the top of search results, tricking users into clicking,” said J Stephen Kowski, Field CTO at SlashNext Email Security. “Organizations need to watch for weird changes in their search rankings and check their backlinks for anything fishy that could point to a bigger problem.”
Sebborn clarified that the trick isn’t necessarily about getting people to click those injected links directly, but about boosting the visibility of scam sites. Even though people might not be clicking on the links on the compromised sites themselves, they’re more likely to see and visit the phishing pages because those pages are now appearing at the top of search results.
Netcraft has adjusted its detection system to flag a number of sites that have been compromised via Hacklink. The flagged sites will be visible to Netcraft partners and customers in Netcraft’s malicious site feeds under the “defaced” category.
An organized operation currently limited to Turkey
Hacklink is currently letting cybercriminals browse and buy access to thousands of hacked websites, with listings costing as little as $1 per unit, and .gov or high-authority domains fetching even more.
The operation appears to be highly organized, with groups like “Neon SEO Academy” and “SEOLink” offering illicit SEO services for phishing and online casino fraud. With search engine providers still in the dark about it, the operation has taken root in Turkey, already boosting illicit businesses there.
“So far, most of the activity seems to be centered around the Turkish market, primarily in online gambling and escort services,” Sebborn added. “As for the search engines, there’s no clear indication yet that they’ve been notified about these campaigns or how they’ve responded. At this point, there doesn’t seem to be a public effort or statement from them addressing this type of ranking abuse.”
Chris Gray, Field CTO at Deepwatch, believes SEO poisoning operations, such as Hacklink, will bolster phishing and smishing campaigns all over. “Estimates say that there will be over a trillion phishing emails sent this year, and these attacks are expected to be involved in ~36% of all data breaches,” Gray added. “SEO poisoning doesn’t necessarily mean that these attacks will be more successful, but it does mean that even legitimate communications are more likely to contain malicious links.”
A stealthy, hard-to-detect operation
Sebborn pointed out that the operation is highly evasive and employs a stealthy form of ‘cloaking’ where phishing content is displayed only under specific conditions—such as visits from certain IP addresses arriving via Google search. In cases Netcraft observed, the same URLs would appear harmless when accessed directly or through a proxy, making the malicious behavior difficult to detect using standard security tools or manual inspection.
“This kind of abuse is hard to catch if you’re not looking for it,” Sebborn added. “Site owners should definitely make a habit of checking their websites for strange or unauthorized links, especially if they’re running older software or aren’t regularly updating their systems.” Gray believes strengthening the usual anti-phishing efforts might still help. “Honestly, you’ve just got to take a page from the Phishing Handbook and double down on it,” he said. “They have to be cautious about URLs before clicking on them. Awareness is key: they need to be aware of current phishing campaigns and use strong authentication. Employee phishing awareness training is still very critical.”
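A defender-side check for the cloaked, injected links described above, covering both the cloaking behaviour and the site-owner link audit Sebborn recommends (an added example, not Netcraft’s or the article’s tooling): it diffs one page as served to a direct visitor against the copy served to a search-referred visitor and flags third-party links that are cloaked or match an illicit-niche keyword list. The two HTML responses, the domain `victim.example` and the keyword list are constructed for illustration; the HTTP fetches with and without a search-engine Referer are left to the reader.

```python
import re
from urllib.parse import urlparse

# Constructed keyword list for the gambling/escort niches the article names.
SUSPICIOUS_KEYWORDS = ("casino", "bahis", "escort", "slot")
# Deliberately scan the raw response body rather than a parsed DOM: links
# injected into <script> blocks (document.write, innerHTML) or into hidden
# markup are still visible to the regex, which is exactly what a crawler sees.
HREF_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

def extract_external_links(body, own_domain):
    """Return the set of absolute hrefs on the page that leave own_domain."""
    external = set()
    for href in HREF_RE.findall(body):
        host = urlparse(href).netloc.lower()
        if host and host != own_domain and not host.endswith("." + own_domain):
            external.add(href)
    return external

def find_injected_links(direct_body, referred_body, own_domain):
    """Diff one URL fetched directly against the same URL fetched with a search
    engine Referer; returns [(href, [reasons])] for third-party links that are
    cloaked (only in the referred copy) or that point at illicit-niche URLs."""
    direct = extract_external_links(direct_body, own_domain)
    findings = []
    for href in sorted(extract_external_links(referred_body, own_domain)):
        reasons = []
        if href not in direct:
            reasons.append("cloaked: only served to search-referred visitors")
        if any(k in href.lower() for k in SUSPICIOUS_KEYWORDS):
            reasons.append("illicit-niche keyword in URL")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed responses for one URL fetched directly and with a Google Referer
# header; the HTTP fetches themselves are left out of this example.
DIRECT_HTML = ('<html><body><a href="/about">About</a>'
               '<a href="https://partner.example.org/">Partner</a></body></html>')
REFERRED_HTML = DIRECT_HTML.replace("</body>",
    '<script>document.write(\'<a href="https://best-casino-example.test/tr/">bahis</a>\');'
    '</script><div style="display:none"><a href="https://example-escort.test/">x</a></div></body>')

if __name__ == "__main__":
    for href, reasons in find_injected_links(DIRECT_HTML, REFERRED_HTML, "victim.example"):
        print(href, "->", "; ".join(reasons))
```

A link that is served to everyone but matches the keyword list is still reported, only without the cloaking reason, so the same routine doubles as a plain backlink audit.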
Original article: Phishing goes prime time: Hackers use trusted sites to hijack search rankings | CSO Online