The Dark Side of SEO: Negative SEO Attacks Targeting Businesses in Asia

In June 2025, DarkLab discovered unusual search results indexed on a popular Hong Kong online platform. This led to our deep dive into another form of DNS abuse impacting legitimate entities: negative SEO. This form of SEO poisoning is typically conducted by competitors as a means to damage reputation or ‘flood out’ the competition, whilst others leverage the tactic as free marketing to promote their suspicious sites.

This blog uncovers how and why these attacks take place, what tools – both legitimate and Cybercrime-as-a-Service (CCaaS) – facilitate them, and the scale of impact across Asia.

Foundations First: Search Engine Optimisation (SEO) and Google’s Crawler

To understand how negative SEO works, it is important to first grasp the SEO basics. SEO is the practice of increasing the quality and quantity of traffic to your website through organic search engine results. This includes optimizing your website’s technical structure, content, and off-page factors (e.g., backlinks) to make your website easily understandable and accessible to both users and search engines (e.g., Google, Bing, DuckDuckGo, …).

As an example, referencing Google’s SEO Starter Guide[1], “Google primarily finds pages through links from other pages it already crawled. In many cases, these are other websites that are linking to your pages.” Google discovers content primarily through links and sitemaps, aiming to see pages as a user would, including accessing CSS and JavaScript. Inherently, the more your link is referenced on already indexed sites, the higher the likelihood of Google discovering and indexing your content, thus increasing its visibility and potential ranking in search results. The same applies to other search engines, though we leverage Google as a case study in this blog.

Negative SEO attempts to exploit these mechanisms by creating spammy backlinks, hacking websites to inject malicious code or redirect traffic, spreading misinformation through fake social media profiles, or duplicating content to dilute authority, all in order to weaken competitor sites’ SEO ranking.

Negative SEO in Action

Through our active tracking of DNS-related threats impacting victims in Asia, we observed an interesting case of indecent or ‘fake’ search results indexed by Google. These fake search results corresponded to a Hong Kong retailer whose in-site search feature was weaponised, given that its current configuration allows the indexing of search results. Whilst our case study primarily focuses on the local retailer, it is worth noting that this abuse impacts any website that enables the indexing of in-site search results. For example, we have observed similar indexing impacting other local and regional sites across multiple industry verticals – such as online shops, charitable organisations and real estate firms.

Figure 1: Indexed search results containing external links

As seen above, when searching the site, we observed indexed search results on Google containing unrelated, external links. If you were to click on any of these search results, you would be directed to the retailer site’s built-in search results page, stating that “No relevant result was found”, with the search query as the title. This ultimately results in the indexing of the search result page with the user-controlled content (the “product name”) (e.g., “金华怎么找**服务联系方式{小姐预约网址sm4567.vip****}金华找****服务电话√金华找******务√金华找小姐全套按摩一条龙服务√金华找********.2511”) in Google’s search results (see Figure 1).

Figure 2: Visual of sm4567[.]vip

Further perusal of the webpage (sm4567[.]vip) suggests it is related to adult content; something you would not legitimately find on the retailer’s site. This supports our assessment that the search result is fake and unrelated to the retailer, despite its indexing.

Pivoting further, we observed over 200 similar referrer URLs linking to the retailer, with the corresponding HTTP requests carrying the attacker’s intended “search queries” against the retailer’s site. This allows search engine crawlers (Google’s and others) to follow the links through, leading to the indexing of the fake search results. This tactic aims to associate the retailer with inappropriate content, potentially damaging its brand reputation and search ranking.

Breaking down the 200+ referrer URLs, we observe approximately 50% to be adult-related content, 10% to be gambling-related, and 1% to be drug-related – indicating that the associated content is highly questionable and potentially damaging to the retailer’s brand reputation and site ranking. We further observed that some domains were generated by Domain Generation Algorithms (DGAs) – a technique leveraged by malware to generate a large number of randomised domain names. Furthermore, we assessed a majority of these sites to be content farms – websites that generate large volumes of low-quality content, often prioritizing quantity over substance and employing manipulative SEO tactics to attract traffic rather than providing genuine value to users. These content farms were observed to concurrently refer to multiple legitimate domains.

Figure 3: Content farms referring multiple regional brands including Hong Kong and Korean brands

Notably, through further analysis we observed repeated mentions of a Telegram group, “Tson888”, in the indexed search results. The mentions often include a call to action to contact TG @tson888 for SEO ranking services and gambling promotion technical support. Through further pivoting, we assessed the Telegram account to be related to the active negative SEO campaigns, with impacted victims spanning beyond Hong Kong to Taiwan and Japan.

Figure 4: Malicious site (luw2qt[.]vip) mentioning @tson888 Telegram and Hong Kong retailer
Figure 5: TG @tson888 mentioned on search results of various sites across Taiwan, Japan, and Hong Kong

Exploiting Search Engine Web Crawlers for Malicious Purposes

Through further analysis of the 200+ referrer URLs, it was discovered that the threat actors behind these sites primarily leveraged Googlebot’s[2] crawling behaviour to trigger the HTTP requests for automated “search results”, effectively weaponizing the crawler to drive traffic to their malicious or spam-laden pages. These manipulated search results, generated through the exploitation of Googlebot, were then indexed by Google, potentially leading to their undeserved appearance in search rankings and negatively impacting the visibility of legitimate websites. The attackers craft URLs that trigger Googlebot to execute specific searches on the retailer’s website. These searches, containing malicious keywords, are then indexed by Google, polluting the retailer’s search results.

Though not observed in this case, malicious actors are also known to deploy fake Googlebots[3], which are programs disguised as legitimate Google crawlers (Googlebot) to access and potentially harm websites. They mimic Googlebot’s user agent string and IP address to bypass security measures and can perform malicious activities such as scraping content. In the context of negative SEO, these fake bots can overload a target website with requests, causing denial-of-service attacks, or scrape and republish content to create duplicate content issues, harming search engine rankings. They can also inject spam links into websites, associating the target with low-quality content and damaging its reputation and search engine visibility.

Log entry for the referrer URL (bxy.aa66779[.]com) indicating use of Googlebot/2.1:

66.249.68[.]38 - - [31/May/2025:09:36:14 +0800] "OPTIONS /***?keyword=%E8%8B%B1%E5%9B%BB%E7%AB%99%E7%B2%BE%E5%85%BB%E5%8F%B7%E3%80%90TG:aa2352 2%E3%80%91pom7j HTTP/1.1 500 3846 "https://bxy.aa66779[.]com/" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.7103.92 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "66.249.68.38" sn=www[.]****[.]com ut="0.014" uri="/500ServerError.html" request_uri:***/zh/search_a?keyword=keyword=%E8%8B%81%E5%9B%8DB%E7%AB%99%E7%82%BE%E5%85%BB%E5%8F%B7%E3%80%90TG:aa23522%E3%80%91pom7j" upstream_addr="192.168.101[.]170:9001" upstream_status="500" http_referrer="https://bxy.aa66779[.]com/"

Other web crawlers were also observed, including Yahoo’s Slurp and Baidu’s Baiduspider. For example, the referrer URL (jianlongair[.]com) was observed to use the Baiduspider crawler:

118.166.223[.]69 - - [12/Jun/2025:22:46:03 +0800] "GET /***/zh/search_a?keyword=%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6-%EF%BC%8812399.CC%EF%BC%89-%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6- HTTP/2.0" 400 37835 "hxxp[:]//jianlongair[.]com/" "Mozilla/5.0 (compatible; Baiduspider/2.0; +hxxp[:]//www.baidu[.]com/search/spider.html)" "118.166.223.69,34.36.92.9" sn="www.****.com" ut="-" uri="/***/zh/search_a" location="TW" request_uri="/***/zh/search_a?keyword=%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6-%EF%BC%8812399.CC%EF%BC%89-%E8%B6%B3%E7%90%83%E9%A2%84%E6%B5%8B%E8%BD%AF%E4%BB%B6-" upstream_addr="-" upstream_status="-" http_referrer="hxxp[:]//jianlongair[.]com/" http_cookie="-" request_time="0.453" time_local_with_ms="12/Jun/2025:22:46:03.556 +0800"
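As an added example (not part of the original post), the following Python script applies the crawler checks described in this section to access-log lines shaped like the two above: it parses each line, flags in-site search requests that arrive from an external referrer with a crawler User-Agent, and checks whether a self-identified Googlebot IP falls inside a published Googlebot range. The log lines, hostnames and the single IP range are constructed for illustration; in production the ranges would be loaded from Google’s published crawler IP list.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the access-log format quoted above
# (client IP, timestamp, request line, status, size, referrer, user agent).
SAMPLE_LOG = """\
66.249.66.1 - - [31/May/2025:09:36:14 +0800] "GET /zh/search_a?keyword=%E4%BE%8B%E5%AD%90+TG%3Aexample HTTP/1.1" 200 3846 "https://spam-referrer.example/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [31/May/2025:09:37:02 +0800] "GET /zh/search_a?keyword=casino+12345.example HTTP/1.1" 200 3901 "https://farm.example/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [31/May/2025:09:38:10 +0800] "GET /zh/search_a?keyword=winter+jacket HTTP/1.1" 200 4102 "https://www.shop.example/zh/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/136.0 Safari/537.36"
198.51.100.9 - - [31/May/2025:09:39:00 +0800] "GET /zh/product/42 HTTP/1.1" 200 5120 "https://farm.example/" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
"""

# One range as a constructed stand-in for Google's full published Googlebot
# list (load the real JSON list in production).
GOOGLEBOT_RANGES = [ipaddress.ip_network("66.249.64.0/19")]
OWN_HOSTS = {"www.shop.example", "shop.example"}   # the site's own hostnames (constructed)
SEARCH_PATHS = ("/zh/search_a",)                   # in-site search endpoint(s)
CRAWLER_UA = re.compile(r"Googlebot|Baiduspider|Slurp|bingbot", re.I)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def claims_googlebot(ua):
    return "Googlebot" in ua


def is_verified_googlebot(ip, ranges=GOOGLEBOT_RANGES):
    """True if the client IP falls inside a published Googlebot range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def is_external_referrer(referrer, own_hosts=OWN_HOSTS):
    host = urlsplit(referrer).hostname
    return bool(host) and host not in own_hosts


def classify(entry):
    """Return a list of findings for one parsed log entry."""
    findings = []
    url = urlsplit(entry["target"])
    # A Googlebot UA from outside Google's ranges is a spoofed crawler.
    if claims_googlebot(entry["ua"]) and not is_verified_googlebot(entry["ip"]):
        findings.append("fake-googlebot")
    # A crawler reaching the in-site search from an external referrer is the
    # pattern behind the indexed fake search results described above.
    if (url.path in SEARCH_PATHS and CRAWLER_UA.search(entry["ua"])
            and is_external_referrer(entry["referrer"])):
        keyword = parse_qs(url.query).get("keyword", [""])[0]
        findings.append("crawler-driven-search:" + keyword)
    return findings


def analyse(log_text):
    """Map each client IP to its findings, skipping clean entries."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        found = classify(entry)
        if found:
            report.setdefault(entry["ip"], []).extend(found)
    return report


if __name__ == "__main__":
    for ip, findings in analyse(SAMPLE_LOG).items():
        print(ip, findings)
```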

Blackhat SEO-as-a-Service

Dark web marketplaces offer a range of blackhat SEO tools and services. These offerings often include automated link-building software for generating spam backlinks, content scraping and spinning tools for creating “unique” content through plagiarism, and keyword stuffing tools for manipulating on-page optimization. More aggressive tactics like negative SEO services, designed to sabotage competitors, and even website hacking tools are also available. This underground market highlights the ongoing battle between search engines and those seeking to manipulate their algorithms for illicit gain, a constant threat that website owners need to be aware of and protect themselves against, especially in competitive online landscapes.

Figure 6: Black / Gray Advertising Campaigns to facilitate malicious advertising (malvertising)
Figure 7: SEO Backlinking tool for sale
Figure 8: Compiled list of 400+ tools useful for SEO poisoning, proxying, and other malicious activities
Figure 9: Providing Optimised SEMRUSH (legitimate marketing tool) Accounts for SEO

Conclusion

Negative SEO poses a serious threat to businesses operating online, given its impact on search engine rankings, online reputation, and potentially, revenue generation. A successful negative SEO campaign can significantly damage a website’s visibility in search results, leading to decreased organic traffic, lost customers, and a tarnished brand image. The financial repercussions can be substantial, especially for businesses heavily reliant on online visibility for sales and lead generation. Moreover, the time and resources required to recover from a negative SEO attack can further strain a business’s operations and budget.

By understanding the tactics employed by malicious actors and implementing the mitigation strategies outlined in the recommendations below, you can significantly reduce your risk and protect your online presence. Staying vigilant and proactive is crucial in the ongoing battle against those seeking to exploit search engine algorithms for illicit gain.

Recommendations

Protecting your business from negative SEO requires a proactive and multi-faceted approach encompassing regular monitoring, robust security measures, and prompt action.

Security Hardening

  • Website Security: To mitigate the risk of negative SEO attacks exploiting your website’s search functionality, implement a mechanism to prevent user-supplied search queries from being directly reflected in search result page titles. Instead, utilise standardised titles for search results that do not incorporate user input, thus hindering the indexing of malicious search queries and associated links by search engine crawlers.
  • Bot Mitigation: Implement strategies to block fake Googlebots and other malicious bots. Verify User-Agents, perform reverse DNS lookups, check IP addresses against Google’s published lists, and analyse log files for suspicious behaviour. Consider rate limiting, CAPTCHAs, and bot management services for advanced protection.
  • Robots.txt Optimization: Configure your robots.txt file to prevent search engines from indexing sensitive content like internal search results pages.
    • Blocking in-site search results via robots.txt alone (e.g., Disallow: /search/) is not sufficient; the blocked pages will still be partially indexed.
    • To eliminate the Google search results associated with your site, add a ‘noindex’ tag to the search results page and remove the corresponding Disallow rule from robots.txt, so that Google can crawl the pages and see the tag.
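The hardening above (a standardised title, no reflected input, and noindex on the search results page) as an added Python example that is not the retailer’s or the original post’s code; the vulnerable renderer is shown beside the hardened one, and the catalogue, hostnames and parameter name are constructed.

```python
import html
from urllib.parse import parse_qs

# Constructed catalogue standing in for the retailer's product search backend.
CATALOGUE = {"winter jacket": ["Jacket A", "Jacket B"]}


def search_backend(query):
    """Return matching product names (constructed lookup, not a real search)."""
    return CATALOGUE.get(query.strip().lower(), [])


def render_search_vulnerable(query_string):
    """The weakness described above: the raw query becomes the page title, so
    whatever a crawler is sent to search for is indexed verbatim."""
    query = parse_qs(query_string).get("keyword", [""])[0]
    results = search_backend(query)
    body = ("".join(f"<li>{r}</li>" for r in results)
            or "<p>No relevant result was found</p>")
    page = f"<html><head><title>{query}</title></head><body>{body}</body></html>"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, page


def render_search_hardened(query_string, max_len=100):
    """Standardised title, HTML-escaped and length-capped echo of the query,
    and a noindex directive in both the response header and the markup."""
    query = parse_qs(query_string).get("keyword", [""])[0][:max_len]
    results = search_backend(query)
    safe_query = html.escape(query, quote=True)
    body = ("".join(f"<li>{html.escape(r)}</li>" for r in results)
            or f"<p>No relevant result was found for <q>{safe_query}</q></p>")
    page = ("<html><head><title>Search results</title>"
            '<meta name="robots" content="noindex, nofollow"></head>'
            f"<body>{body}</body></html>")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Header-level directive, honoured even if the HTML is not fully parsed.
        "X-Robots-Tag": "noindex, nofollow",
    }
    # robots.txt must still allow the search path to be crawled; a Disallow
    # rule would stop the crawler from ever seeing these directives.
    return 200, headers, page


def title_of(page):
    """Extract the <title> text from a rendered page (for checks and tests)."""
    start = page.index("<title>") + len("<title>")
    return page[start:page.index("</title>", start)]


if __name__ == "__main__":
    spam = "keyword=unrelated+spam+%3Cb%3Etext%3C%2Fb%3E"   # constructed query
    print(title_of(render_search_vulnerable(spam)[2]))  # attacker text as title
    print(title_of(render_search_hardened(spam)[2]))    # Search results
```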

Monitoring and Detection

  • Backlink Monitoring: Regularly audit your backlink profile using tools like Ahrefs, SEMrush, or Google Search Console. Identify and disavow any suspicious or spammy links that could be part of a negative SEO attack.
  • DNS Monitoring: Monitor DNS records for unauthorized changes, paying close attention to A, CNAME, MX, NS, and SOA records. Look for unusual activity such as traffic redirection, slow DNS resolution, or spikes in DNS queries. Implement DNSSEC and enforce strong password policies for your DNS provider accounts.
  • Website Traffic and Rankings: Utilize Google Search Console and other analytics platforms to track website traffic and search rankings. Sudden drops or unusual fluctuations could indicate a negative SEO campaign.
  • Content Monitoring: Regularly review your website content for any unauthorized modifications, injected spam, or other signs of compromise.
  • Social Media Monitoring: Monitor your brand’s social media presence for negative reviews, misinformation campaigns, or other attempts to damage your online reputation.

Response and Recovery

  • Reporting and Legal Recourse: If you suspect a negative SEO attack, report it to Google and other relevant search engines. Consult with legal counsel to explore options for pursuing action against the perpetrators.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Redirected, Taken Over, & Defaced: Breaking Down the Attacks Abusing Legitimate Hong Kong Websites

Last week, we shared our observations regarding active attacks weaponising trusted Hong Kong domains to serve users to suspicious content for SEO manipulation purposes. Collectively, we have observed over 70 cases of open redirect attacks, web defacements, and/or subdomain takeovers in Hong Kong between January and April 2025. These attacks, specifically those related to online gambling content, are observed via open-source intelligence to be part of a wider trend impacting victims across the Asia Pacific.

In this part two of the series, we dive into the technical details – breaking down how these techniques work, what technologies and vulnerabilities are often involved, and how you can prevent and defend against these threats.

Read Part One here: Redirected, Taken Over, & Defaced: Legitimate Hong Kong Websites Abused to Serve Users to Online Gambling and Adult Content

Open Redirects Weaponise Trusted Hong Kong Websites

This technique is not novel by any means; open redirection first garnered attention in the early 2000s as web applications began incorporating user-controllable data into redirection targets without proper validation. When the input is improperly validated, malicious actors may exploit this vulnerability by crafting URLs that redirect users to malicious sites – leveraging the trust of the original, legitimate (sub)domain. 

The typical attack flow is as follows:

  1. Register a new domain to host malicious content
  2. Compromise legitimate, trusted domains susceptible to open redirections
  3. Perform SEO manipulation to deliver the webpage, increasing user traffic to their malicious sites 
  4. User searches for intended site via a search engine, clicks on link shown in search results, and is redirected to the malicious site

Certain subdomains face higher risk of open redirection abuse. Login, registration, password resets, and checkout pages are a few examples. These pages naturally face higher likelihood of this abuse as redirection is an integral part of their workflows. Ensuring proper validation of redirect URLs on these pages is crucial to prevent potential exploitation.

1. Vulnerable or Misconfigured Web Applications

Threat actors often target PHP-based applications, as PHP is one of the most widely used server-side scripting languages for web development. This allows them to actively scan for and exploit vulnerable PHP web apps at scale. Furthermore, PHP applications often suffer from common and easily exploitable misconfigurations that can expose servers to open redirect vulnerabilities. Part of the reason for this is that many PHP applications run on legacy code that may not have been updated to follow modern security practices.

Case Study #1: Moodle

Notably, we have observed recurrent weaponisation of higher education domains, which we partially attribute to the fact that the widely used Moodle Learning Management System (LMS) platform is built in PHP. In the screenshots below, we highlight a recent case whereby a legitimate higher education website was abused to redirect to an illicit Indonesian online gambling site. This aligns with public reporting of an ongoing campaign targeting PHP servers with PHP backdoors and the GSocket networking tool to serve users to illicit Indonesian gambling sites.[1]

Figure 1: Redirection chain

Figure 2: edu.hk website abused to redirect to Indonesian online gambling site

Figure 3: edu.hk website observed to be vulnerable PHP-based Apache server

Figure 4: Backup redirection chains to ensure user is served to illicit gambling site

Case Study #2: WordPress

WordPress is another popular PHP-based application that often faces open redirect vulnerabilities (e.g., CVE-2024-4704 [2]), primarily given the use of third-party plugins and insufficient patch management. Recently, we identified a Hong Kong domain redirecting to YouTube videos. We assessed the likely root cause to be exploitation of known vulnerabilities impacting PHP to allow for redirects. We posit that this redirection to YouTube videos may have been motivated by traffic monetisation, whereby the threat actor may have joined an affiliate program or ad network to generate site visits in return for payment.

Figure 5: Open redirects weaponising .hk domain to redirect users to YouTube videos
Figure 6: WordPress site abused for open redirect due to PHP vulnerabilities

Case Study #3: Vulnerable WordPress Plugin Leads to Web Defacement

Whilst malicious actors do not need to infiltrate the victim environment to compromise their website for open redirection, in some cases we do observe threat actors gain internal access to compromise – or deface – sites for SEO poisoning. In a defacement attack, malicious actors obtain unauthorised access to a website, garnering the ability to modify the website contents, as well as other malicious activities such as deploying a web shell or establishing connection with their C2 for persistence.

In late 2024, we responded to an incident whereby a financially-motivated threat actor infiltrated the victim’s site via exploitation of the WordPress plugin GutenKit (CVE-2024-9234). The threat actor weaponised the vulnerable plugin to install various PHP-based web shells, facilitating additional access to multiple subdomains within the website’s directory, and uploads of gambling-related web contents.

Based on the language indicators contained within the web shell, as well as the displayed content on the defaced subdomains, we assessed the attack was performed by an Indonesian threat actor. Notably, our analysis of the web shells suggested that a Telegram API bot was embedded within them. The bot is known to facilitate SEO poisoning tactics – such as automation of tasks for an enhanced, efficient gambling experience, and affiliate marketing.[3],[4]

Figure 7: .hk website defaced to display Indonesian gambling content

Microsoft IIS Servers (and ASP.NET)

Microsoft Internet Information Services (IIS) servers are frequently abused for open redirections due to their widespread use, configuration complexity, and presence of legacy systems. IIS servers often host ASP.NET applications, which can be susceptible to open redirect attacks if not properly secured. This is due to ASP.NET applications typically using query strings and form data for redirection, which can be manipulated by malicious actors if not validated.

Case Study #4: IIS Server hosting PHP and ASP.NET

PHP and IIS can work together to host PHP applications on Windows servers. This is evidenced below, as we observed multiple subdomains abused to redirect users to adult content sites. We hypothesise the purpose of directing users to these sites is likely to further redirect users to phishing sites to gather personally identifiable information (PII), extort victims via cheating scandals[5], or deliver malware.

Figure 8: Redirection link abusing PHP web applications to adult content sites
Figure 9: Compromised domain observed to be IIS server hosting PHP and ASP.NET applications

2. Other issues that could lead to open redirection abuse

In addition to vulnerable or misconfigured web applications, there are alternative means in which threat actors may exploit web servers for open redirection.

Content-Security-Policy – “unsafe-allow-redirects”

Content-Security-Policy (CSP) is an HTTP security feature that allows website administrators to specify which sources of content are trusted and can be safely loaded by the browser. Unsafe-allow-redirects in a CSP allows for redirects, including HTTP status codes like 301, 302, 307, and 308, as long as the final destination complies with the CSP. This could potentially permit redirects leading to untrusted or potentially harmful sites, and is a feature that should be used with caution. To safely utilise unsafe-allow-redirects, strict whitelisting is recommended, further supplemented with ongoing monitoring and periodic audits of the overall CSP to adapt to the latest threats and ensure it remains effective.

Case Study #5: unsafe-allow-redirects

In this case, we detected a local government website abused to route traffic to adult content sites. Upon examining the impacted subdomain, we observed the unsafe-allow-redirects feature enabled. At the time of our investigation, the redirection links had become invalid and were no longer functional. However, the cached redirect meant that the links were still displayed in search results – posing potential reputational damage, even though the links were no longer active.

Figure 10: Compromised domain with unsafe-allow-redirects enabled

Leaked FTP Credentials

In other cases, threat actors weaponise valid File Transfer Protocol (FTP) credentials to facilitate their open redirection attacks. These credentials are likely obtained via the dark web, and are leveraged to inject JavaScript code into websites. In these cases, the threat actor would possess the ability to perform additional malicious activities such as defacement or potential data exfiltration, given internal access to victim environments. In late 2022, researchers tracked a campaign weaponising legitimate websites intended for East Asian audiences to direct users to adult-themed content.[6]

Subdomain Takeover to Display Indonesian Gambling Sites

In addition to using open redirects, malicious actors have been observed to exploit expired domains for subdomain takeovers to display Indonesian gambling content. A subdomain takeover occurs when a subdomain (e.g., sub.example.com) points to a removed or deleted service, leaving the CNAME record in the Domain Name System (DNS) still active – a “dangling” DNS entry. This creates an opportunity for attackers to provide their own virtual host and host their content.

The typical attack flow is as follows:

  1. Creation: An organisation creates a new subdomain, which is assigned a CNAME record pointing to a service (e.g., sub.example.com pointing to sub-service.provider.com).
  2. Deprovisioning: The service is removed or deleted, but the CNAME record remains in the DNS, creating a “dangling” DNS entry.
  3. Discovery: A malicious actor discovers the dangling subdomain via automated scanning tools and/or manual checks.
  4. Takeover: The malicious actor provisions a new service with the same fully qualified domain name (FQDN) as the original (e.g., sub-service.provider.com).
  5. Redirection: Traffic intended for the original subdomain is now redirected to the attacker’s service, allowing them to host their own content.

Case Study #6: Wix Subdomain Takeover

In early 2025, we notified a local education victim regarding the compromise of their subdomain to display Indonesian gambling content. The impacted subdomain was observed to be hosted on Wix and intended for a short-term event-related campaign; hence the eventual deprovisioning of the site.

The threat actor discovered the dangling DNS entry and proceeded to create a new Wix site displaying gambling-related content, and assigned it with the same subdomain as observed in the CNAME record ([redacted].wixdns.net). As a result, any new traffic to the subdomain would be directed to the attacker’s Wix site.

Figure 11: Original DNS CNAME Record
Figure 12: Wix Site Taken Over to Display Betting Content 

Case Study #7: Azure Subdomain Takeover

In another case, we observed a subdomain pointing to an Azure service which was compromised to also display Indonesian gambling content. The attack flow remains the same; the Azure service (e.g., sub-service.azurewebsites.net) is deleted, leaving the CNAME record dangling. The attacker discovered this, and subsequently provisioned a new Azure service with the same FQDN (sub-service.azurewebsites.net).

Figure 13: Original DNS CNAME Record
Figure 14: Attacker’s new Azure service

Subdomains hosted on Azure face a relatively heightened risk of CNAME takeover. This is because the CNAME target is unique – making it easier for attackers to take over the dangling DNS entry – whilst in the case of Wix the CNAME target is not unique and attempts may not always result in a successful hijacking. Generally speaking, any service through which subdomains can be (and are) easily created and deleted is at risk of leaving dangling DNS records if the appropriate remediation steps are not implemented.

Conclusion

As evidenced through our ongoing monitoring, SEO poisoning attacks show no signs of slowing down. These attacks pose a significant and growing threat, primarily impacting reputational integrity, user trust, and potentially leading to legal consequences. However, the danger extends beyond these immediate risks. Attackers with internal access can escalate their malicious activities, deploying web shells, performing lateral movements, and engaging in extortion through data exfiltration or ransomware.

As these campaigns increase in frequency and sophistication, it is imperative for organisations to stay vigilant and implement robust security measures. Regular security audits and proactive configuration assessments are essential to minimize vulnerability to such attacks. By maintaining a strong security posture, organisations can protect their reputation, uphold user trust, and prevent their brand from being exploited for malicious purposes.

Why are these attacks persisting? Read Part One: Redirected, Taken Over, & Defaced: Legitimate Hong Kong Websites Abused to Serve Users to Online Gambling and Adult Content

Recommendations and Best Practices

Minimise the threat of open redirect abuse:

Prevention

Avoid user-controllable data in URLs where possible. Per OWASP’s Cheat Sheet to prevent unvalidated redirects and forwards[7]:

– Do not allow the URL as user input for the destination.
– Implement access controls to restrict unauthorised modifications – such as requiring the user to provide a short name, ID, or token which is mapped server-side to a full target URL.
– Apply appropriate checks to validate that the supplied value is valid, appropriate for the application, and authorized for the user.
– Sanitise input by creating an allowlist of trusted URLs (e.g., hosts or regex).
– Ensure all redirects first notify users that they will be redirected to another site, clearly displaying the destination URL, and requiring the user to click a link to confirm.

Detailed recommendations for validating and sanitising user-inputs here.[8]

Detection

– Deploy continuous, automated attack surface monitoring to proactively detect, validate (e.g., simulate payload injection), and remediate URLs vulnerable to open redirection attacks.

– Use regular expressions (regex) patterns to scan web server logs for suspicious redirection patterns (e.g., URLs that include external domains in redirection parameters).

– Implement logging and monitoring of redirection activities; analyse logs for unusual redirection patterns (e.g., frequent redirections to external sites).
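An added example (not from the original post) implementing the OWASP controls listed under Prevention and the log-review check under Detection in Python: a token-to-URL map, an allowlist validator for full URLs that also handles the usual bypasses, and a helper that flags redirect-style parameters pointing off-site. Hostnames, parameter names and the fallback URL are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Server-side map of short names to full destinations (OWASP recommendation:
# the client supplies only the token, never the URL). Constructed values.
REDIRECT_TARGETS = {
    "home": "https://www.shop.example/",
    "account": "https://account.shop.example/login",
}

# Allowlist used when a full URL must be accepted (e.g. legacy callers).
ALLOWED_HOSTS = {"www.shop.example", "account.shop.example"}
FALLBACK = "https://www.shop.example/"

# Parameter names commonly used to carry a redirect destination (constructed list).
REDIRECT_PARAMS = {"redirect", "redirect_url", "next", "url", "return", "returnurl", "goto"}


def redirect_for_token(token):
    """Preferred control: resolve a short name to a pre-approved URL."""
    return REDIRECT_TARGETS.get(token, FALLBACK)


def safe_redirect(candidate, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `candidate` only if it is a same-site path or an allowlisted
    https URL; otherwise return the fallback. Handles the common bypasses:
    scheme-relative //host, backslash tricks, userinfo@, and non-http schemes."""
    if not isinstance(candidate, str) or not candidate:
        return fallback
    # Browsers treat backslashes as forward slashes; normalise before parsing
    # so "/\evil.example" does not slip through as a relative path.
    normalised = candidate.replace("\\", "/")
    parts = urlsplit(normalised)

    if not parts.scheme and not parts.netloc:
        # Relative path: must start with a single slash ("//" would be a host).
        if normalised.startswith("/") and not normalised.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return fallback

    if parts.scheme != "https":
        return fallback
    # Reject credentials in the authority (https://allowed@evil.example).
    if parts.username is not None or parts.password is not None:
        return fallback
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return fallback
    return candidate


def suspicious_redirect_params(query_string):
    """Detection aid for log review: list redirect-style parameters whose value
    would be rejected by safe_redirect, i.e. points off-site."""
    hits = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                if safe_redirect(value) == FALLBACK and value.strip() != FALLBACK:
                    hits.append((name, value))
    return hits


if __name__ == "__main__":
    for probe in ["/account/settings?tab=1", "//evil.example/", "/\\evil.example",
                  "https://www.shop.example@evil.example/", "javascript:alert(1)"]:
        print(f"{probe!r:45} -> {safe_redirect(probe)}")
    print(suspicious_redirect_params("id=5&next=//evil.example/&return=/cart"))
```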

Remediation Steps

If your website has fallen victim to open redirection:

– Disable the affected URL(s) to prevent further abuse.
– Conduct a thorough investigation to identify the vulnerability exploited and extent of the abuse.
– Apply necessary patches and hardening measures to secure the website against similar attacks.
– Perform an audit to ensure no other websites have been compromised.
– Inform users regarding the incident and provide advice on steps taken to secure their data and the website.

Individuals’ User Awareness

Users should perform checks to validate the legitimacy of the website they are providing information to. Recognise suspicious URLs and websites:

– Before clicking a link, hover over the link to see the actual URL.
– Check for spelling or grammatical errors in the domain name and in the website contents themselves (e.g., brand name spelled wrong).
– Ensure the URL is secure (HTTPS rather than HTTP).
– Trust your browser; modern browsers often warn you if you are about to visit a suspicious or known phishing site.
– Use online URL scanners, such as VirusTotal, to determine if the website has been flagged as malicious. Other indicators observable on these platforms include the recency of the domain creation (e.g., a newly created domain could indicate phishing).

Compliance and Legal Considerations

May involve legal responsibilities related to protecting user data and preventing phishing attacks.

Minimise the threat of subdomain takeovers and defacements:

Prevention

Reduce your “low hanging fruit” through continuous attack surface monitoring to proactively identify and remediate potential entry points:
– 24×7 dark web monitoring to swiftly detect and remediate compromised data (e.g., leaked credentials from infostealer dumps).
– 24×7 social media listening and brand reputation monitoring to identify mentions or impersonation attempts of your organisation.
– Consider an offensive approach to Threat and Vulnerability Management for real-time visibility of your attack surface through autonomous, rapid detection and remediation.
– 24×7 young domain monitoring to proactively uncover potential phishing campaigns impersonating your organisation.

– Regularly perform security audits and penetration tests to identify and fix misconfigurations in your web applications and servers. Ensure secure coding practices are enforced.

– Maintain an up-to-date inventory and establish a prioritised patch management plan to ensure rapid patching for technologies known to be frequently abused by threat actors.

– Review and harden Internet-facing applications’ access controls and safeguards (e.g., web application firewall, password policies, multi-factor authentication, etc.).

– Regularly audit your DNS records to identify and remove any CNAME records pointing to deprovisioned services.

– Enforce a strict policy to standardise the deprovisioning of resources (e.g., ensuring DNS entries are removed at the same time the service they point to is deprovisioned, so no dangling record is left behind).
Detection
– Consider implementing real-time monitoring of DNS changes, including updates to CNAME records, to detect and remediate any unauthorised modifications.
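The two DNS recommendations above (auditing for CNAMEs that point at deprovisioned services, and alerting on record changes) can be exercised together over zone snapshots. The script below is an added example written for this post, not DarkLab's tooling: it parses simple BIND-style zone text, flags CNAMEs whose target no longer resolves, and diffs two snapshots to surface new or removed records. The two zone snapshots, the hostnames and the stand-in resolver are constructed for illustration; swap `fake_resolver` for `default_resolver` to query real DNS.

```python
"""Dangling CNAME audit and DNS change detection over zone snapshots.

Added example, not DarkLab's tooling. Input is BIND-style zone text; the
two snapshots and the fake resolver below are constructed for illustration.
"""
import socket
from typing import Callable, Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata)

# Constructed snapshot: 'legacy' points at a host that has since been deprovisioned.
ZONE_BEFORE = """
$ORIGIN example.org.
www     300 IN A     203.0.113.10
blog    300 IN CNAME example-blog.hosting.example.net.
shop    300 IN CNAME shop-prod.cdn.example.net.
legacy  300 IN CNAME legacy-app.pages.example.net.
"""

# Constructed snapshot taken later: an unexpected CNAME has appeared.
ZONE_AFTER = ZONE_BEFORE + "promo   300 IN CNAME slots-landing.attacker.example.\n"


def parse_records(zone_text: str) -> Set[Record]:
    """Extract (owner, type, rdata) from simple one-record-per-line zone text."""
    origin, records = "", set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, *rest = line.split()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"  # qualify a relative owner with $ORIGIN
        fields = [f for f in rest if not f.isdigit() and f.upper() != "IN"]  # drop TTL/class
        records.add((owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def default_resolver(name: str) -> bool:
    """True if `name` resolves to at least one address (uses the system resolver)."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(records: Set[Record],
                         resolves: Callable[[str], bool] = default_resolver) -> List[Tuple[str, str]]:
    """CNAMEs whose target no longer resolves: the classic subdomain-takeover precondition."""
    return sorted((owner, rdata) for owner, rtype, rdata in records
                  if rtype == "CNAME" and not resolves(rdata))


def diff_records(before: Set[Record], after: Set[Record]) -> Dict[str, List[Record]]:
    """Records added or removed between snapshots; a changed CNAME shows up as one of each."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def fake_resolver(name: str) -> bool:
    """Constructed stand-in for DNS: everything resolves except the deprovisioned host."""
    return name != "legacy-app.pages.example.net."


if __name__ == "__main__":
    before, after = parse_records(ZONE_BEFORE), parse_records(ZONE_AFTER)
    for owner, target in find_dangling_cnames(after, fake_resolver):
        print(f"DANGLING {owner} -> {target}")
    for rec in diff_records(before, after)["added"]:
        print("ADDED   ", *rec)
```

A target that fails to resolve is only one indicator: at several hosting and cloud providers the CNAME target keeps resolving after the resource is deleted, and the takeover condition shows up instead as the provider's "not found" page, so an audit should also fetch the subdomain over HTTP and match on those responses. Any record in the `added` list that nobody raised a change request for is the alert the detection recommendation asks for.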

– Consider implementing a File Integrity Monitoring (FIM) solution on backend web servers (e.g. IIS) to alert on anomalous file activity (e.g. file creation, modification, or deletion) under the document root.

Alternatively, consider the use of canary tokens to detect defacement attacks. For example:
– Webpage monitoring – embed canary tokens within webpages. If any unauthorised modifications are detected, this will trigger an alert.
– File integrity monitoring – canary tokens may be placed in critical files on your web server. If these files are accessed or altered, the token will trigger an alert.
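The file integrity monitoring recommended above reduces to a simple loop: baseline a hash of every file under the document root, store the baseline somewhere the web server cannot write to, and periodically compare. The script below is an added example written for this post, not DarkLab's or any vendor's FIM product; `demo()` builds a throwaway web root and simulates a defacement (modified page, dropped web shell, deleted asset) so the three drift classes can be seen. The directory layout, file names and the injected content are constructed.

```python
"""Hash-based file integrity monitoring for a web document root.

Added example, not DarkLab's or any vendor's FIM product. `demo()` builds a
throwaway web root to show the workflow; in practice point `snapshot()` at
the real document root and store the baseline off the web server.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: "str | os.PathLike") -> Dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under `root`."""
    root_path = Path(root)
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                result[p.relative_to(root_path).as_posix()] = _sha256(p)
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift: new files (web shell drops), changed files (defacement), deletions."""
    base, cur = set(baseline), set(current)
    return {
        "created": sorted(cur - base),
        "deleted": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def save_baseline(snap: Dict[str, str], path: str) -> None:
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: str) -> Dict[str, str]:
    return json.loads(Path(path).read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small site, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        save_baseline(snapshot(root), str(Path(tmp) / "baseline.json"))

        # Attacker activity: inject gambling content, drop a web shell, remove a file.
        (root / "index.html").write_text("<h1>Welcome</h1><a href='/slot'>...</a>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "cmd.php").write_text("<?php /* constructed */ ?>\n")
        (root / "css" / "site.css").unlink()

        baseline = load_baseline(str(Path(tmp) / "baseline.json"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Run `compare()` from a scheduled job against the stored baseline and alert on any non-empty list; legitimate deployments should refresh the baseline as part of the release process so that only unexplained drift pages the on-call engineer. Content directories that are meant to change at runtime (upload folders, caches) are exactly where web shells land, so monitor them for newly created executable files rather than excluding them.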
Remediation Steps
If your website has fallen victim to a defacement:

– Take the affected page offline to prevent further damage.

– Conduct a thorough investigation to determine the root cause and extent of the breach. Where attackers have obtained access to internal environments, also check for other malicious activity such as lateral movement, credential harvesting, and deployment of web shells or other malware.

– Apply necessary patches and updates to remediate vulnerabilities. Further, refer to and implement the preventive and detective recommendations above.

– Restore the webpage from your latest, clean backup.

– Notify all relevant stakeholders regarding the incident and the steps being taken to address it.
Compliance and Legal Considerations
May involve legal implications such as complying with data protection regulations, notifying affected users and stakeholders, and maintaining thorough documentation to demonstrate due diligence.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Redirected, Taken Over, & Defaced: Legitimate Hong Kong Websites Abused to Serve Users to Online Gambling and Adult Content

Per our continuous monitoring, Dark Lab has tracked multiple open redirection, site takeover, and defacement cases weaponising Hong Kong organisations’ websites. Typically exploited to direct users to adult content, online gambling, and/or phishing sites, these attacks pose significant risks to organisations, including reputational damage, loss of user trust, and potential legal implications. Where attackers achieve access to the victim’s internal environment, the risk grows further: that access provides the opportunity to perform follow-on malicious activity such as web shell deployment, data exfiltration, and more.

We observe this emerging trend reflected in open-source intelligence, with various reports of Search Engine Optimisation (SEO) manipulation in which legitimate sites have been weaponised to direct users to Indonesian gambling sites. In addition, we have detected numerous newly registered domains promoting similar gambling content at scale. Per our ongoing young domain monitoring, we observed over 190 newly registered domains containing the keyword ‘slot’ in a single day. This highlights the sheer volume at which Indonesian gambling-themed sites are being distributed for financial gain.

As threat actors continuously adapt their means of attack, it is crucial that organisations remain wary of the latest threats and harden Internet-facing assets accordingly, particularly those built on technologies frequently targeted by malicious actors.

This blog is part of a two-part series. Stay tuned for our deep dive into the technical details and how you can defend against these emerging threats.

Hong Kong Websites Abused for SEO Poisoning

SEO poisoning, otherwise known as SEO manipulation, is a technique in which malicious actors manipulate search engine rankings to make their attacker-controlled websites appear at the top of search results. Since late 2024, we have observed the emergence of open redirection and web defacement attacks against legitimate Hong Kong websites, weaponising the trusted sites to push online gambling-related and adult content. This further led to our discovery and subsequent monitoring of subdomain takeovers geared towards delivering similar content.

In Q1 2025, we tracked 34 cases of open redirection attacks – whereby malicious actors exploited (sub)domains with insufficient validation to craft URLs that redirect users to their malicious site(s):

Note: recent tracking indicates heightened targeting against non-commercial sectors 
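The “insufficient validation” behind the open redirection cases above is usually a redirect endpoint that accepts a caller-supplied destination (a `next` or `returnUrl` parameter) and checks it loosely. The snippet below is an added example written for this post, not code from the page or from any affected site: it places a weak check of the kind commonly found in the wild beside a hardened one, and the `__main__` block runs both over URLs shaped like the abuse described. The parameter name `next`, the allow-listed hosts and the sample URLs are assumptions.

```python
"""Open redirect: a weak 'next' parameter check beside a hardened one.

Added example, not code from the page or from any site it describes. The
parameter name `next`, the allow-listed hosts and the sample URLs are assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"example.org", "www.example.org"}  # assumption: the site's own hosts


def weak_redirect_target(next_url: str) -> Optional[str]:
    """Insufficient validation as often seen in the wild: trusts anything that 'looks local'.

    Bypassed by //evil.example (protocol-relative), /\\evil.example (backslash),
    https://example.org.evil.example/ and https://evil.example/?example.org (substring).
    """
    if next_url.startswith("/") or "example.org" in next_url:
        return next_url
    return None


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return `next_url` only if it stays on an allow-listed host; otherwise `fallback`."""
    if not next_url or any(c in next_url for c in "\r\n\t\x00 "):
        return fallback  # header injection or malformed input
    try:
        parts = urlsplit(next_url.replace("\\", "/"))  # browsers treat '\' as '/' in the authority
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: must be http(s) to one of our hosts, with no userinfo.
        if parts.scheme.lower() not in ("", "http", "https"):
            return fallback  # javascript:, data:, etc.
        if not host or host not in ALLOWED_HOSTS or parts.username or parts.password:
            return fallback  # //evil, user@evil, evil look-alike subdomains, 'http:/evil'
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    # Relative: exactly one leading slash, so the browser stays on the current origin.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for url in ("/account?tab=1", "//evil.example/slot", "/\\evil.example",
                "https://www.example.org@evil.example/", "https://example.org.evil.example/",
                "javascript:alert(1)", "http:/evil.example"):
        print(f"{url!r:45} weak={weak_redirect_target(url)!r:42} safe={safe_redirect_target(url)!r}")
```

The hardened version parses the URL rather than pattern-matching the string, normalises the backslash trick before parsing, refuses userinfo and non-http schemes, and compares the parsed hostname against an exact allow-list. Where an application never needs off-site redirects, the simplest fix is stricter still: accept only a relative path and drop the host logic entirely.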

Similarly, throughout Q1 2025, we tracked 38 cases of web defacements against Hong Kong websites. Rather than redirecting unsuspecting users to an untrusted, third-party website, the attacker exploits vulnerable web servers to display their malicious content directly on the victim’s site.

Case Study: Hong Kong Not-for-Profit Webpage Compromised for Defacement AND Open Redirection to Online Gambling Content

In mid-March, we observed a case in which a local not-for-profit’s subdomain was compromised to both deface the webpage with Indian online gambling content and redirect visitors to an attacker-controlled site hosting similar gambling content. Investigation into the compromised subdomain revealed the likely root cause: the server was susceptible to several known PHP-related vulnerabilities.

Figure 1: Impacted server observed to be vulnerable to various PHP-related vulnerabilities, allowing for unsafe redirects
Figure 2: Defacement of not-for-profit subdomain to serve online gambling and sports betting content
Figure 3: Open Redirection of same subdomain to Indian online gambling site

Why is Asia at the centre of these attacks?

Whilst we focused our tracking on abuse of Hong Kong websites, we have observed multiple recent reports of similar cases indicating an ongoing, regional abuse of websites across the wider Asia Pacific. These campaigns typically redirect users to online gambling or adult content sites. But why?

Indonesian Gambling Sites

Multiple cases observed by us, as well as in public reporting, directed users to online gambling sites intended for an Indonesian audience. We posit this correlates with government efforts to tackle online gambling in the country following the change of administration in October 2024, evidenced by the recent deployment of artificial intelligence (AI) to block illegal gambling content.[1],[2],[3]

Despite gambling bans since 1993, Indonesia faces a staggering gambling problem, largely amplified through online gambling. In 2023, the country was reported to have lost approximately $30.7 billion to online gambling, spread across four (4) million online gamblers, 11% of whom were under the age of twenty (20).[4] We posit that the SEO manipulation observed in the aforementioned cases is one means by which online gambling operators counteract the loss of income resulting from law enforcement takedowns.

This was (and continues to be) reflected in the case of the Philippines’ ban on Philippine Offshore Gaming Operators (POGOs) in late 2023. Following the demise of the POGO industry, POGO operators swiftly repurposed their infrastructure and personnel to conduct various illicit scam activities.[5],[6] In addition to the operators themselves, other opportunistic threat actors were suspected of jumping on the bandwagon, establishing phishing sites masquerading as online gambling operators to prey on vulnerable individuals. As we projected in our 2025 Cyber Threat Landscape Predictions blog, we anticipate continued growth in SEO campaigns pushing online gambling phishing sites amidst the regional crackdown.[7]

Another angle to consider, reflected in both the Indonesian and Philippine cases, is that most online gambling operators are based abroad. Capitalising on the “grey area” in the laws in place, these offshore operators may sidestep legal consequences whilst still serving their gambling content to Indonesian and Philippine users. We observe discussion on how to profit from this ‘loophole’ both on legitimate affiliate marketing platforms[8] and in dark web forums.

Figure 4: Dark web discussion seeking advice for SEO strategy and Digital Marketing for “Indonesia in which casino and gambling is banned”
Figure 5: Dark web discussion providing “iGaming SEO tips for your casino”

What was further observed throughout our monitoring is the frequent use of Google Tag Manager (GTM) as a driver to further enhance the SEO ranking of these online gambling sites. Operating as a free management platform intended for marketers to manage and configure marketing tools – such as AdSense and Google Analytics – it is no surprise that the actor(s) behind these sites abuse the legitimate platform to expand the visibility of their sites, and by extension increase their likelihood of return on investment.[9]

Figure 6: Google Tag Manager tag observed embedded within online gambling sites

Adult Content

The motives behind the regional campaigns redirecting users to adult content appear less obvious. Factors we suspect play a role in Asia’s heightened targeting are the region’s high Internet usage, its varied levels of Internet governance, and cultural factors that may restrict access to such content.

We posit a number of potential motivations could be behind these attacks:

  • SEO Manipulation: By exploiting redirects, malicious actors may manipulate search engine rankings to drive more (inorganic) traffic to their sites.
  • Traffic Monetisation: By redirecting users to adult content, malicious actors may generate revenue through affiliate programs or ad networks that pay for traffic.
  • Malware Distribution: The malicious sites disguised as adult content may lead to malware infections (e.g., drive-by downloads, exploit kits, etc.).
  • Phishing: The adult content site may contain malicious advertising (malvertising) or embedded links, which may further redirect the user to phishing sites intended to collect their sensitive information.
  • Social Engineering Scams: A previous campaign saw adult content sites further redirect users to dating sites, intended to perform romance scams.[10]

Conclusion

SEO poisoning poses an active and increasing threat. Whilst in most cases the risks are primarily reputational damage, loss of user trust, and potential legal implications, we observe multiple instances in which attackers inflict further harm given their access to victims’ internal environments. In these cases, they not only perform open redirects or defacements to present their content, but also have the opportunity to deploy web shells, move laterally, and pursue extortion through data exfiltration or ransomware deployment.

The potential follow-on impact is evidenced in the widescale campaign leveraging DragonRank malware to target victims in Asia and Europe for SEO rank manipulation.[11] Whilst the primary goal of the abuses was to drive traffic to malicious sites, the threat actors further leveraged their unauthorised access to perform lateral movement and credential harvesting, likely for use in subsequent attacks.

As these campaigns amplify in speed and scale, it is crucial that organisations remain aware of these threats and implement robust security measures to minimise susceptibility to such attacks. This includes performing regular security audits to assess and uplift configurations. By staying vigilant and proactive, organisations can safeguard their reputation, maintain the trust of their users, and ensure that their brand is not weaponised to facilitate malicious activities.

Stay tuned for our Part Two, as we delve into the technical – breaking down how these techniques work, what vulnerabilities and technologies are often involved, and how you may defend against these ever-present threats!
