{"id":4270,"date":"2026-01-27T10:37:23","date_gmt":"2026-01-27T10:37:23","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/01\/27\/researchers-uncover-haxor-seo-poisoning-marketplace\/"},"modified":"2026-01-27T10:37:23","modified_gmt":"2026-01-27T10:37:23","slug":"researchers-uncover-haxor-seo-poisoning-marketplace","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/01\/27\/researchers-uncover-haxor-seo-poisoning-marketplace\/","title":{"rendered":"Researchers Uncover \u201cHaxor\u201d SEO Poisoning Marketplace"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security researchers have discovered an expansive backlink marketplace designed to help threat actors get malicious web pages ranked higher in search listings.<\/p>\n<p>Fortra\u2019s Intelligence and Research Experts (FIRE) found the \u201cHaxorSEO\u201d or \u201cHxSEO\u201d operation on Telegram and WhatsApp. 
It offers a Google Sheet of over 1000 backlinks to pre-compromised but legitimate domains.<\/p>\n<p>\u201cThese domains are typically 15-20 years old and are marketed alongside a selection of \u2018trust\u2019 scores to advertise how effective the purchased backlink would be for increasing search engine rankings,\u201d explained Fortra.<\/p>\n<p>\u201cOnce payment is made, the group will add the backlink along with the malicious address to the legitimate domain, increasing the buyer\u2019s likelihood of successfully achieving their goals.\u201d<\/p>\n<p>Each legitimate website is compromised with a webshell that enables Haxor to upload a malicious backlink to the site. By buying and then inserting these links into their sites, threat actors can boost search rankings, drawing unsuspecting visitors to phishing pages designed to harvest their credentials or install malware.<\/p>\n<p>In some cases, HxSEO\u2019s successful optimization of fraudulent banking login pages meant that they ranked higher than the legitimate equivalents they were ripping off, said Fortra.<\/p>\n<p>The vendor claimed that Haxor can also negatively impact the SEO score of legitimate pages that are being imitated, by using bad backlinks hosted on spammy, low-authority sites.<\/p>\n<h2>Low Cost, Big Impact<\/h2>\n<p>The operation offers backlinks for just $6 per listing, and automatically injects the necessary code into the compromised site, making this a highly attractive service for threat actors.<\/p>\n<p>\u201cThis combined with the difficulty of spotting the backlinks in a search result inevitably leads to attacks at scale,\u201d it warned.<\/p>\n<p>The HxSEO market itself lists the malicious backlinks alongside common SEO metrics that indicate the authority and strength of a domain\/webpage.<\/p>\n<p>\u201cPage authority (PA), domain authority (DA), and domain rating (DR) predict 
how effective the site is for SEO poisoning, with the domain rating giving the strongest indicator at how effective the domain\u2019s backlink profile is,\u201d Fortra explained.<\/p>\n<p>\u201cSS or spam score estimates the likelihood of a domain being penalized or considered spam. The list typically advertises 100-150 compromised websites at a given time, with forgotten academic journal webpages a clear preference.\u201d<\/p>\n<p>The Haxor team targets vulnerable PHP components and WordPress plugins most often, using a variety of file upload and remote code execution exploits, the report noted.<\/p>\n<h2>Users Urged to Be Cautious<\/h2>\n<p>Although search engines are continuously hunting for malicious activity like this, a steady supply of new domains, fresh backlinks and content updates can keep operations like Haxor ticking over. Further, customers using these services likely only require a malicious phishing site to be up and running for a few days or weeks, said Fortra.<\/p>\n<p>The threat intelligence firm has been working with relevant domain service providers, web owners and search engines to take down the malicious pages. However, it also encouraged users to improve their awareness of such schemes.<\/p>\n<p>\u201cUsers are advised to be wary of URLs that they access via search engines, especially banking login pages. A best practice is to bookmark sensitive login pages, like your bank login, rather than locating it via a search engine,\u201d it concluded.<\/p>\n<p>\u201cMake sure to verify that the domain in the URL is legitimate and keep an eye out for lookalike domains that may have minor spelling differences you wouldn\u2019t notice immediately. 
If you are unsure, contact your bank and ask them to identify the correct login page.\u201d<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have discovered an expansive backlink marketplace designed to help threat actors get malicious web pages ranked higher in search listings. Fortra\u2019s Intelligence and Research Experts (FIRE) found the \u201cHaxorSEO\u201d or \u201cHxSEO\u201d operation on Telegram and WhatsApp. It offers a Google Sheet of over 1000 backlinks to pre-compromised but legitimate domains. \u201cThese domains are<\/p>\n","protected":false},"author":2,"featured_media":4271,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org
\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4270-8eabcf79-96eb-4b0d-8c35-cc6ff6b28b7e-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4270"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4270\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4271"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4270"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}