What they do in the Shadow SEO: An Underground SEO from Russia

Category: Adversary Intelligence	Industry: Multiple	Country: Global	Source*: E4

Executive Summary

THREAT	IMPACT	MITIGATION
SEO and website ranking services advertised for sale. Services for identity reinvention are also available.	Increased phishing sites and impersonation attempts. Possibility of nefarious activities like blackmailing, identity theft, etc.	Monitor unusual traffic on mirror/clone sites. Identify and report phishing domains.

CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising the services for search engine optimization (SEO) and website ranking under the name of ‘Shadow SEO’, on a cybercrime forum.
These services can be used by phishing websites to rank highly in search results, make themselves seem more credible to victims, and collect sensitive data.
Similar tactics have previously been observed in phishing campaigns against companies such as Ola Electric and in scam campaigns such as the Aadhar Printing Scams.

SEO services are offered primarily for Google and Yandex search engines.
CloudSEK’s researchers found the threat group’s PR site which is currently not operational.
Actor is based in Russia and goes by the pseudonym "Dark Committee."

The complete list of services advertised on the website is shown in the image below.

The group is offering the following additional services:
- Service to send out 5,000 spam emails on a daily basis
- Website installation service to work with Hypothetical Reference Digital Path (HRDP) and HVNC (Hidden Virtual Network Computing) technologies
For those who want to entirely change their identities in order to emigrate from the country or for other illegal purposes, the group also offers the following services:
- Online services - developing a new identity for online purchases
- Offline services - creating a new identity with the full package of accompanying documents that will be visible across all existing bases. It will be possible to register immovable and movable property on the new identity.

Threat Actor Profiling
Active since	June 2022
Reputation	Low (Few complaints and concerns against threat actor on the forum)
Current Status	Active
History	Not interested in any one-time collaboration attempts and previously involved in compromising entities in the USA, Germany, and Australia.
Point of Contact	Jabber and Vipole
Rating	E4 (E: Unreliable 4: Doubtful)

Impact

Mitigation

The SEO services can be exploited for improved phishing sites that help cyber criminals exfiltrate sensitive information from unsuspecting victims.
Threat actors can use the harvested information to sign up for documents, and to impersonate the compromised victim.
Compromised information can be leveraged for account signups and email phishing.

Monitor for unusual traffic on mirror/clone sites of prominent institutions.
It is recommended to identify and report domains impersonating a company’s name, offerings, and trademarks.
Monitor for suspicious logins on platforms, where breached credentials were used.
Create awareness amongst the common man to scrutinize and correctly differentiate an authentic website from its phishing counterpart.