
In June 2025, DarkLab discovered unusual search results indexed on a popular Hong Kong online platform. This led to our deep dive into another form of DNS abuse impacting legitimate entities: negative SEO. This form of SEO poisoning is known to be typically conducted by competitors as a means to damage reputation or ‘flood out’ the competition, whilst others leverage the tactic for free marketing to promote their suspicious site.
This blog uncovers ‘how’ and ‘why’ these attacks are in place, what tools – both legitimate and Cybercrime-as-a-Service (CCaaS) – facilitate such attacks, and the scale of impact across Asia.
Foundations First: Search Engine Optimisation (SEO) and Google’s Crawler
To understand how negative SEO works, it is important to first grasp the SEO basics. SEO is the practice of increasing the quality and quantity of traffic to your website through organic search engine results. This includes optimizing your website’s technical structure, content, and off-page factors (e.g., backlinks) to make your website easily understandable and accessible to both users and search engines (e.g., Google, Bing, DuckDuckGo,…).
As an example, referencing Google’s SEO Starter Guide[1], “Google primarily finds pages through links from other pages it already crawled. In many cases, these are other websites that are linking to your pages.” Google discovers content primarily through links and sitemaps, aiming to see pages as a user would, including accessing CSS and JavaScript. Inherently, the more your link is referenced on already indexed sites, the higher the likelihood of Google discovering and indexing your content, thus increasing its visibility and potential ranking in search results. The same applies to other search engines, though we leverage Google as a case study in this blog.
Negative SEO attempts to exploit these mechanisms by creating spammy backlinks, hacking websites to inject malicious code or redirect traffic, spreading misinformation through fake social media profiles, duplicating content to dilute authority, or otherwise weakening competitor sites’ SEO ranking.
Negative SEO in Action
Through our active tracking of DNS-related threats impacting victims in Asia, we observed an interesting case of indecent or ‘fake’ search results indexed by Google. These fake search results corresponded to a Hong Kong retailer, weaponising their in-site search feature given their current configurations allow for the indexing of search results. Whilst our case study primarily focuses on the local retailer, it is worth noting that this abuse impacts any website that enables the indexing of in-site search results. For example, we have observed similar indexing impact other local and regional sites across multiple industry verticals – such as online shops, charitable organisations and real estate firms.

As seen above, when searching the site, we observed indexed search results on Google containing unrelated, external links. If you were to click on any of these search results, you would be directed to the retailer site’s built-in search results page, stating that “No relevant result was found”, with the search query as the title. This ultimately results in the indexing of the search result page with the user-controlled content (the “product name”) (e.g., “金华怎么找**服务联系方式{小姐预约网址sm4567.vip****}金华找****服务电话√金华找******务√金华找小姐全套按摩一条龙服务√金华找********.2511”) in Google’s search results (see Figure 1).

Further perusal of the webpage (sm4567[.]vip) suggests it to be related to adult content; something you would not legitimately find on the retailer’s site. This leads to our further assessment that the search result is fake and not related to the retailer, despite its indexing.
Pivoting further, we observed over 200 similar referrer URLs, each containing a link to the retailer whose HTTP request carries the intended “search query” for the retailer’s website. This allows crawlers (Google’s and those of other search engines) to follow the links through, leading to the indexing of the fake search results. This tactic aims to associate the retailer with inappropriate content, potentially damaging its brand reputation and search ranking.
Breaking down the 200+ referrer URLs, we observe approximately 50% to be adult-related content, 10% to be gambling-related, 1% to be drug-related – indicating the type of content associated to be highly questionable and potentially damaging to the retailer’s brand reputation and site ranking. We further observed that some domains were generated by Domain Generation Algorithms (DGAs) – a technique leveraged by malware to generate a large number of randomised domain names. Furthermore, we assessed a majority of these sites to represent content farms – websites that generate large volumes of low-quality content, often prioritizing quantity over substance and employing manipulative SEO tactics to attract traffic rather than providing genuine value to users. These content farms were observed to concurrently refer to multiple legitimate domains.


Notably, through further analysis we observed repeated mentions of a Telegram group, “Tson888”, in the indexed search results. The mentions often include a call to action to contact TG @tson888 for SEO ranking services and gambling promotion technical support. Through further pivoting, we assessed the Telegram group to be related to the active negative SEO campaigns, with victims spanning beyond Hong Kong to Taiwan and Japan.


Exploiting Search Engine Web Crawlers for Malicious Purposes
Through further analysis of the 200+ referrer URLs, it was discovered that the threat actors behind these sites primarily leveraged Googlebot’s[2] crawling behaviour to facilitate the HTTP requests for automated “search results”; effectively weaponizing the crawler to drive traffic to their malicious or spam-laden pages. These manipulated search results, generated through the exploitation of Googlebot, were then indexed by Google, potentially leading to their undeserved appearance in search rankings and negatively impacting the visibility of legitimate websites. The attackers craft URLs that trigger Googlebot to execute specific searches on the retailer’s website. These searches, containing malicious keywords, are then indexed by Google, polluting the retailer’s search results.
Though not observed in this case, malicious actors are also known to deploy fake Googlebots[3], which are programs disguised as legitimate Google crawlers (Googlebot) to access and potentially harm websites. They mimic Googlebot’s user agent string and IP address to bypass security measures and can perform malicious activities such as scraping content. In the context of negative SEO, these fake bots can overload a target website with requests, causing denial-of-service attacks, or scrape and republish content to create duplicate content issues, harming search engine rankings. They can also inject spam links into websites, associating the target with low-quality content and damaging its reputation and search engine visibility.
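One way to separate a genuine Googlebot from a client that only copies its user agent is a forward-confirmed reverse DNS check. The sketch below is an added example, not code from the original post; the DNS records, IP addresses and the `fake_reverse`/`fake_forward` resolvers are constructed so that it runs offline.

```python
import socket

# Reverse-DNS suffixes Google documents for its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com", ".googleusercontent.com")

def _reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def _forward(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def verify_googlebot(ip, user_agent, reverse=_reverse, forward=_forward):
    """Classify one request as 'not-claimed', 'verified' or 'spoofed'."""
    if "googlebot" not in user_agent.lower():
        return "not-claimed"
    try:
        host = reverse(ip).rstrip(".").lower()        # step 1: PTR lookup
        if not host.endswith(GOOGLE_SUFFIXES):
            return "spoofed"
        # Step 2: the PTR name must resolve back to the same address,
        # because whoever controls the IP block controls its PTR record.
        return "verified" if ip in forward(host) else "spoofed"
    except OSError:                                   # no record, timeout, ...
        return "spoofed"

# Constructed DNS data (documentation address ranges), not real records.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "host7.isp.example",
       "203.0.113.5": "crawl-203-0-113-5.googlebot.com"}   # forged PTR
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl-203-0-113-5.googlebot.com": {"192.0.2.99"}}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def fake_forward(host):
    if host not in A:
        raise OSError("no A record")
    return A[host]

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    ips = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.200"]
    return {ip: verify_googlebot(ip, GOOGLEBOT_UA, fake_reverse, fake_forward) for ip in ips}

if __name__ == "__main__":
    print(demo())
```

A "verified" verdict only establishes that the client is Google's crawler. The requests in this case study came from the genuine crawler following attacker-placed links, so this check complements the search-page hardening rather than replacing it.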
Logs of referrer URL (bxy.aa66779[.]com) indicating use of Googlebot/2.1:
66.249.68[.]38 - - [31/May/2025:09:36:14 +0800] "OPTIONS /***?keyword=%E8%8B%B1%E5%9B%BB%E7%AB%99%E7%B2%BE%E5%85%BB%E5%8F%B7%E3%80%90TG:aa2352 2%E3%80%91pom7j HTTP/1.1 500 3846 "https://bxy.aa66779[.]com/" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.7103.92 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "66.249.68.38" sn=www[.]****[.]com ut="0.014" uri="/500ServerError.html" request_uri:***/zh/search_a?keyword=keyword=%E8%8B%81%E5%9B%8DB%E7%AB%99%E7%82%BE%E5%85%BB%E5%8F%B7%E3%80%90TG:aa23522%E3%80%91pom7j" upstream_addr="192.168.101[.]170:9001" upstream_status="500" http_referrer="https://bxy.aa66779[.]com/"
It is noted that other web crawlers were further observed, including Yahoo’s Slurp and Baidu’s Baiduspider. For example, the referrer URL (jianlongair[.]com) was observed to use the Baiduspider crawler:
118.166.223[.]69 - - [12/Jun/2025:22:46:03 +0800] "GET /***/zh/search_a?keyword=%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6-%EF%BC%8812399.CC%EF%BC%89-%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6- HTTP/2.0" 400 37835 "hxxp[:]//jianlongair[.]com/" "Mozilla/5.0 (compatible; Baiduspider/2.0; +hxxp[:]//www.baidu[.]com/search/spider.html)" "118.166.223.69,34.36.92.9" sn="www.****.com" ut="-" uri="/***/zh/search_a" location="TW" request_uri="/***/zh/search_a?keyword=%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6-%EF%BC%8812399.CC%EF%BC%89-%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6-" upstream_addr="-" upstream_status="-" http_referrer="hxxp[:]//jianlongair[.]com/" http_cookie="-" request_time="0.453" time_local_with_ms="12/Jun/2025:22:46:03.556 +0800"
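The pattern in the logs above (a crawler user agent, an external referrer, and an in-site search query carrying an advert) can be hunted for directly in access logs. The following is an added example, not part of the original post; the site hostname, the promotional-marker regex and all sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.shop.example"      # assumption: hostname of the protected site
SEARCH_PATH = "/zh/search_a"        # search path shape seen in the logs above
CRAWLERS = re.compile(r"Googlebot|Baiduspider|Slurp", re.I)
# Promotional markers in the decoded query: a Telegram handle or a domain-like token.
PROMO = re.compile(r"TG\s*[:@]\s*\w+|\b[\w-]+\.(?:vip|cc|com|net|top|xyz)\b", re.I)
LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"')

def flag(line):
    """Return (referrer_host, decoded_keyword) for a poisoned-search request, else None."""
    m = LINE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    ref_host = urlsplit(m["referrer"]).hostname       # None for "-" or empty
    keyword = " ".join(parse_qs(url.query).get("keyword", []))
    if (url.path.endswith(SEARCH_PATH)
            and ref_host and ref_host != SITE_HOST    # link came from another site
            and CRAWLERS.search(m["ua"])              # followed by a crawler
            and PROMO.search(keyword)):               # query carries an advert
        return ref_host, keyword
    return None

def referrers(lines):
    """Count flagged requests per referring host (candidates for review)."""
    return Counter(hit[0] for hit in map(flag, lines) if hit)

GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BAIDU = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
USER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

def line(target, referrer, ua):
    # Build one constructed combined-format log line.
    return f'192.0.2.10 - - [31/May/2025:09:36:14 +0800] "GET {target} HTTP/1.1" 200 3846 "{referrer}" "{ua}"'

SAMPLE = [
    line("/zh/search_a?keyword=cheap%20promo%20TG%3Apromo123", "https://spam-a.example/", GBOT),
    line("/zh/search_a?keyword=%E8%B6%B3%E7%90%83%20TG%40promo123", "https://spam-a.example/page2", GBOT),
    line("/zh/search_a?keyword=promo-site.vip%20offer", "http://spam-b.example/", BAIDU),
    line("/zh/search_a?keyword=red+shoes", "https://www.shop.example/", USER),
    line("/zh/search_a?keyword=red+shoes", "https://blog.example/review", GBOT),
    line("/zh/product/123", "-", GBOT),
]

if __name__ == "__main__":
    print(referrers(SAMPLE))
```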
Blackhat SEO-as-a-Service
Dark web marketplaces offer a range of blackhat SEO tools and services. These offerings often include automated link-building software for generating spam backlinks, content scraping and spinning tools for creating “unique” content through plagiarism, and keyword stuffing tools for manipulating on-page optimization. More aggressive tactics like negative SEO services, designed to sabotage competitors, and even website hacking tools are also available. This underground market highlights the ongoing battle between search engines and those seeking to manipulate their algorithms for illicit gain, a constant threat that website owners need to be aware of and protect themselves against, especially in competitive online landscapes.




Conclusion
Negative SEO poses a serious threat to businesses operating online, given its impact on search engine rankings, online reputation, and potentially, revenue generation. A successful negative SEO campaign can significantly damage a website’s visibility in search results, leading to decreased organic traffic, lost customers, and a tarnished brand image. The financial repercussions can be substantial, especially for businesses heavily reliant on online visibility for sales and lead generation. Moreover, the time and resources required to recover from a negative SEO attack can further strain a business’s operations and budget.
By understanding the tactics employed by malicious actors and implementing the mitigation strategies outlined in the recommendations below, you can significantly reduce your risk and protect your online presence. Staying vigilant and proactive is crucial in the ongoing battle against those seeking to exploit search engine algorithms for illicit gain.
Recommendations
Protecting your business from negative SEO requires a proactive and multi-faceted approach encompassing regular monitoring, robust security measures, and prompt action.
Security Hardening
- Website Security: To mitigate the risk of negative SEO attacks exploiting your website’s search functionality, implement a mechanism to prevent user-supplied search queries from being directly reflected in search result page titles. Instead, utilise standardised titles for search results that do not incorporate user input, thus hindering the indexing of malicious search queries and associated links by search engine crawlers.
- Bot Mitigation: Implement strategies to block fake Googlebots and other malicious bots. Verify User-Agents, perform reverse DNS lookups, check IP addresses against Google’s published lists, and analyse log files for suspicious behaviour. Consider rate limiting, CAPTCHAs, and bot management services for advanced protection.
- Robots.txt Optimization: Configure your robots.txt file to prevent search engines from indexing sensitive content like internal search results pages.
  - In-site search results blocked only by modifying your robots.txt file (e.g., Disallow: /search/) will still be partially indexed.
  - To eliminate these Google search results associated with your site, add a ‘noindex’ tag to the search results page, and unblock the page in robots.txt so Google can crawl it and see the tag.
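The interaction between the search page title, the noindex directive and robots.txt described in this list can be checked automatically. The audit below is an added example, not code from the original post; the URL, query, robots.txt rules and HTML are constructed, and the finding names are hypothetical labels.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

class _Head(HTMLParser):
    """Collect the <title> text and the robots meta directive."""
    def __init__(self):
        super().__init__()
        self.title, self.robots, self._in_title = "", "", False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attrs.get("name") or "").lower() == "robots":
            self.robots = (attrs.get("content") or "").lower()
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit(robots_txt, url, headers, html, query):
    """Return findings for one search-results response; an empty list means hardened."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    head = _Head()
    head.feed(html)
    noindex = ("noindex" in head.robots
               or "noindex" in headers.get("X-Robots-Tag", "").lower())
    findings = []
    if query in head.title:
        findings.append("title-reflects-query")
    if not noindex:
        findings.append("missing-noindex")
    elif not rules.can_fetch("Googlebot", url):
        findings.append("noindex-hidden-by-robots")   # crawler never sees the tag
    return findings

# Constructed inputs: URL, query and markup are invented for the demonstration.
URL, QUERY = "https://www.shop.example/search?keyword=promo", "promo TG:example123"
ALLOW = "User-agent: *\nDisallow: /admin/\n"
BLOCK = "User-agent: *\nDisallow: /search\n"
WEAK = f"<html><head><title>{QUERY}</title></head><body>No relevant result was found</body></html>"
FIXED = '<html><head><title>Search results</title><meta name="robots" content="noindex"></head></html>'

def demo():
    return {"weak": audit(ALLOW, URL, {}, WEAK, QUERY),
            "robots-only": audit(BLOCK, URL, {}, FIXED, QUERY),
            "corrected": audit(ALLOW, URL, {}, FIXED, QUERY)}
```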
Monitoring and Detection
- Backlink Monitoring: Regularly audit your backlink profile using tools like Ahrefs, SEMrush, or Google Search Console. Identify and disavow any suspicious or spammy links that could be part of a negative SEO attack.
- DNS Monitoring: Monitor DNS records for unauthorized changes, paying close attention to A, CNAME, MX, NS, and SOA records. Look for unusual activity such as traffic redirection, slow DNS resolution, or spikes in DNS queries. Implement DNSSEC and enforce strong password policies for your DNS provider accounts.
- Website Traffic and Rankings: Utilize Google Search Console and other analytics platforms to track website traffic and search rankings. Sudden drops or unusual fluctuations could indicate a negative SEO campaign.
- Content Monitoring: Regularly review your website content for any unauthorized modifications, injected spam, or other signs of compromise.
- Social Media Monitoring: Monitor your brand’s social media presence for negative reviews, misinformation campaigns, or other attempts to damage your online reputation.
Response and Recovery
- Reporting and Legal Recourse: If you suspect a negative SEO attack, report it to Google and other relevant search engines. Consult with legal counsel to explore options for pursuing action against the perpetrators.
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.