Google’s new AI search results promotes sites pushing malware, scams

Google’s new Search Generative Experience (SGE) has been observed recommending low-quality sites that form SEO-poisoning campaigns, use redirect chains, and push visitors into subscribing to browser notifications, fake giveaways, and unwanted Chrome extensions. The promoted sites commonly use the .online TLD and mimic legitimate sites, increasing the risk of search-driven exposure. #GoogleSGE #Chrome

Keypoints

  • Google’s SGE surfaced spammy sites in AI-generated responses that redirect users through multiple pages before landing on scams.
  • Promoted sites frequently share the .online TLD, identical HTML templates, and redirect infrastructure, indicating coordinated SEO poisoning.
  • Redirects commonly lead to fake captchas or pages that mimic YouTube to coerce users into allowing browser notifications.
  • Allowed browser notifications are then abused to deliver tech-support affiliate ads, fake giveaway scams, and other unwanted content.
  • Some redirects push unwanted Chrome extensions that can hijack searches and perform potentially malicious actions.
  • Google states it updates anti-spam systems and removed the specific examples, but attackers continually adapt to evade detection.
  • Users can mitigate the impact by revoking notification permissions and removing suspicious browser extensions via Chrome settings.

MITRE Techniques

  • [T1189] Drive-by Compromise – Scammers use search engine indexing and SEO poisoning to get malicious pages clicked via search results (‘When clicking on the site in the Google search results, visitors will go through a series of redirects until they reach a scam site.’)
  • [T1204] User Execution – The scams require user interaction such as clicking links or allowing notifications to trigger unwanted actions (‘they try to trick the visitor into subscribing to browser notifications.’)
  • [T1176] Browser Extensions – Attackers push unwanted Chrome extensions that hijack searches and provide persistence (‘some of the redirects pushing unwanted browser extensions that perform search hijacking’)
  • [T1036] Masquerading – Scam pages mimic legitimate sites (e.g., YouTube) or show fake captchas to appear trustworthy (‘Spam website mimics YouTube to push notification’)
  • [T1056] Input Capture – Giveaway and tech support pages collect personal information or attempt to capture user input (‘These giveaway scams are used to collect your personal information’)
  • [T1496] Resource Hijacking – Subscribed browser notifications are used to push persistent spam and ads to the desktop (‘Browser notifications are a common tactic scammers use to send visitors a barrage of unwanted ads directly to the operating system desktop’)
  • [T1071] Application Layer Protocol – Scam pages and notification flows use standard web protocols (HTTP/HTTPS) to communicate and deliver payloads (‘the listed sites promoted by SGE … perform redirects’)

Indicators of Compromise

  • [TLD] Promoted domains pattern – .online (used by multiple promoted sites)
  • [Redirects] Redirect chains to scam landing pages – fake captchas, YouTube-mimic pages
  • [Browser notifications] Notification subscription sources – pages prompting “allow notifications” that later deliver spam ads
  • [Browser extensions] Unwanted Chrome extensions – search-hijacking extension installs and prompts
  • [Scam landing pages] Fraud pages collecting PII – fake Amazon giveaway pages, fake McAfee alert pages

Search-driven SEO-poisoning campaigns use a small set of reusable HTML templates and the .online TLD to get indexed and then funnel users through redirect chains into scam landing pages. These redirect chains often terminate at fake captchas or pages imitating YouTube, which are designed to prompt users to allow browser notifications or to install browser extensions; once granted, notifications deliver persistent affiliate and tech-support spam, and extensions can provide search-hijacking persistence.

Detection indicators include recurring use of the .online TLD, identical page templates across multiple domains, redirect behavior from initial search result click to final scam landing, and UI elements that request notification permission or extension installation. Operational defenders should log and inspect redirect chains (HTTP 3xx responses and destination URLs), monitor for sudden increases in notification permission grants, and identify hosted pages that mimic major brands or present fake scan/giveaway flows for automated blocking or takedown requests.
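The redirect-chain inspection described above, as an added example that is not part of the original article: it reconstructs search-originated redirect chains from constructed proxy log lines (a simplified seven-field format assumed here) and flags chains with several cross-host hops or a final landing host on the .online TLD.

```python
"""Rebuild HTTP redirect chains from proxy logs and flag search-click
chains that hop across hosts or land on a suspect TLD (added example)."""
from urllib.parse import urlparse

# Constructed sample log lines (assumed format):
# time client method url status location referer ("-" = none)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET https://tasty-recipes.online/page 302 https://track-hop.online/r?x=1 https://www.google.com/
10:00:02 10.0.0.5 GET https://track-hop.online/r?x=1 302 https://verify-human.online/captcha https://tasty-recipes.online/page
10:00:03 10.0.0.5 GET https://verify-human.online/captcha 200 - https://track-hop.online/r?x=1
10:00:10 10.0.0.7 GET https://docs.example.com/old 301 https://docs.example.com/new https://www.google.com/
10:00:11 10.0.0.7 GET https://docs.example.com/new 200 - https://docs.example.com/old
"""
SEARCH_REFERERS = ("https://www.google.com/", "https://www.bing.com/")
SUSPECT_TLDS = (".online",)
MAX_CHAIN_LEN = 10  # guard against redirect loops

def parse_log(text):
    rows = []
    for line in text.splitlines():
        _ts, client, _method, url, status, location, referer = line.split()
        rows.append({"client": client, "url": url, "status": int(status),
                     "location": None if location == "-" else location,
                     "referer": referer})
    return rows

def build_chains(rows):
    """Follow 3xx Location headers from every search-referred request."""
    by_key = {(r["client"], r["url"]): r for r in rows}
    chains = []
    for start in rows:
        if not start["referer"].startswith(SEARCH_REFERERS):
            continue
        chain, cur = [start["url"]], start
        while 300 <= cur["status"] < 400 and cur["location"] and len(chain) < MAX_CHAIN_LEN:
            chain.append(cur["location"])
            nxt = by_key.get((cur["client"], cur["location"]))
            if nxt is None:          # client never fetched the target; chain ends here
                break
            cur = nxt
        chains.append(chain)
    return chains

def assess(chain, max_cross_host_hops=1):
    """Return the reasons a chain looks like SEO-poisoning redirect abuse."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    reasons = []
    hops = len(set(hosts)) - 1
    if hops > max_cross_host_hops:
        reasons.append(f"{hops} cross-host hops")
    if hosts[-1].endswith(SUSPECT_TLDS):
        reasons.append(f"lands on suspect TLD host {hosts[-1]}")
    return reasons
```

Chains that return a non-empty reason list are the ones to feed into blocking or takedown review; the same-host 301 in the sample is left alone.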

Mitigation steps for users and administrators are straightforward: revoke unwanted notification permissions and remove suspicious extensions. In Chrome, open Settings → Content → Notifications, review sites under “Allowed to send notifications,” and remove any untrusted entries; also inspect chrome://extensions and uninstall unknown extensions, clear related cookies/cache, and consider blocking the offending domains via enterprise DNS/web filters. These procedural controls, along with search-index monitoring and coordinated takedown requests, reduce exposure from AI-surfaced SEO poisoning campaigns.
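The notification-permission review described above, as an added example that is not part of the original article: it audits the per-site notification exceptions in a Chrome profile's Preferences file (the JSON layout `profile.content_settings.exceptions.notifications` with `setting` 1 = allow, 2 = block is an assumption; the sample is constructed), flags origins that are not on a trusted list, and writes a revoked copy plus patterns for the NotificationsBlockedForUrls enterprise policy.

```python
"""Audit and revoke Chrome notification permissions from the Preferences
JSON and derive an enterprise block-list (added example)."""
import json
from urllib.parse import urlparse

ALLOW, BLOCK = 1, 2                      # assumed Chrome content-setting values
SUSPECT_TLDS = (".online",)
TRUSTED_ORIGINS = {"https://calendar.example.com:443"}

# Constructed sample mirroring the assumed Preferences layout.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://verify-human.online:443,*": {"setting": ALLOW},
        "https://calendar.example.com:443,*": {"setting": ALLOW},
        "https://news.example.org:443,*": {"setting": BLOCK},
    }}}}})

def _exceptions(prefs):
    return (prefs.get("profile", {}).get("content_settings", {})
                 .get("exceptions", {}).get("notifications", {}))

def allowed_notification_origins(prefs_json):
    """Origins currently allowed to send notifications (key is 'origin,*')."""
    return [key.split(",", 1)[0] for key, val in _exceptions(json.loads(prefs_json)).items()
            if val.get("setting") == ALLOW]

def flag_untrusted(origins):
    """Pair each non-trusted origin with the reason it should be revoked."""
    flagged = []
    for origin in origins:
        if origin in TRUSTED_ORIGINS:
            continue
        host = urlparse(origin).hostname or ""
        reason = "suspect TLD" if host.endswith(SUSPECT_TLDS) else "not on trusted list"
        flagged.append((origin, reason))
    return flagged

def revoke(prefs_json, origins):
    """Return a Preferences copy with the given origins set to BLOCK.
    Only write it back while Chrome is closed, or it will be overwritten."""
    prefs = json.loads(prefs_json)
    for key, val in _exceptions(prefs).items():
        if key.split(",", 1)[0] in origins:
            val["setting"] = BLOCK
    return json.dumps(prefs)

def policy_block_patterns(origins):
    """URL patterns for the NotificationsBlockedForUrls Chrome policy."""
    return sorted(f"https://{urlparse(o).hostname}" for o in origins)
```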

Read more: https://www.bleepingcomputer.com/news/google/googles-new-ai-search-results-promotes-sites-pushing-malware-scams/