According to Infosecurity Magazine, security researchers from Fortra’s FIRE team have uncovered a sprawling backlink marketplace called “HaxorSEO” or “HxSEO” operating on Telegram and WhatsApp. The operation sells access to a Google Sheet listing over 1,000 backlinks on pre-compromised, legitimate domains that are typically 15 to 20 years old. For just $6 per listing, the group automatically injects a buyer’s malicious link into these trusted sites, using webshells they’ve installed. This tactic, known as SEO poisoning, has successfully pushed fraudulent banking login pages higher in search rankings than the legitimate pages they impersonate. The marketplace even markets the links with common SEO trust scores like Domain Authority (DA) and Spam Score (SS), with forgotten academic journal pages being a preferred target.
How a Six-Dollar Scam Works
Here’s the thing that’s so insidious about this. The core vulnerability isn’t some fancy zero-day—it’s often old, unpatched WordPress plugins or PHP components. The Haxor team exploits these to upload a webshell, giving them permanent backdoor access. Then, they turn that compromised but otherwise legitimate website into a pawn. When a buyer pays their $6, Haxor uploads a tiny, hidden backlink from that trusted site to the buyer’s malicious phishing page. To Google’s algorithm, that looks like a vote of confidence from a reputable source. So it boosts the phishing page’s ranking. Suddenly, when you search for “Big National Bank login,” the top result might be a perfect fake. And the real bank’s site is sitting at number two or three. That’s a terrifyingly effective return on a six-dollar investment.
Why This Is So Hard to Stop
This isn’t a flash-in-the-pan attack. It’s a sustainable, scalable business model. Think about it from the threat actor’s perspective. They don’t need their fake bank page to stay up for years. They just need it to be the top result for a few days or weeks to harvest a wave of credentials. By then, they’ve cashed out and moved on. The marketplace constantly refreshes its list with new compromised domains, keeping the “trusted” backlinks flowing. And the really nasty twist? Fortra says they can also hurt the SEO of the legitimate site they’re copying by pointing spammy backlinks at it. It’s a double-whammy: boost the fake, bury the real. For industries where secure, verified access is critical—like banking, industrial control systems, or industrial panel PC management portals—this kind of confusion is a direct threat to operational security. Speaking of which, for operations that can’t afford any doubt, using a bookmarked, verified URL for sensitive logins isn’t just advice; it’s a necessity.
What It Means For You
So what can you do? The standard advice applies, but it matters more now. Bookmark your crucial login pages—your bank, your email, your company’s admin panel. Never search for them. If you *must* click a search result, scrutinize the URL. Look for minor misspellings, added hyphens, or weird domain extensions. That “bigbank-login.com” isn’t the real “bigbank.com”. And if you run a website, especially an older one? This is a screaming reminder to update your plugins, audit for unknown files, and monitor for unexpected outbound links. The internet’s foundation of trust is being quietly auctioned off on Telegram for less than the price of a coffee. We all have to be a lot more careful about what we click.
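For site owners, one way to act on "monitor for unexpected outbound links" is to scan rendered pages for external links that are not on an allowlist and that are hidden from visitors. The script below is an added example, not code from Fortra or the original article; the hostnames, the allowlist and the hiding patterns it checks are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns commonly used to hide injected links from visitors.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "source", "wbr"}

class LinkAuditor(HTMLParser):
    """Collect external <a href> targets that are not on the site's allowlist."""
    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
        self.stack = []      # one bool per open element (approximate on unbalanced HTML)
        self.findings = []   # (host, href, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or "")) or "hidden" in a
        if tag == "a" and a.get("href"):
            host = (urlparse(a["href"]).hostname or "").lower()
            if host and not self._is_trusted(host):
                # Hidden if the link itself or any open ancestor is hidden.
                self.findings.append((host, a["href"], hidden or any(self.stack)))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def _is_trusted(self, host):
        return any(host == t or host.endswith("." + t) for t in self.trusted)

def audit(html, site_host, allowed_hosts=()):
    parser = LinkAuditor(site_host, allowed_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page for an old journal site (all hosts are placeholders).
SAMPLE = """<html><body><p>Vol. 12 archive. <a href="/issues/12">Issue 12</a>
<a href="https://doi.example.org/10.1/x">DOI</a></p>
<div style="position:absolute; left:-9999px"><a href="https://bigbank-login.example/">bank login</a></div>
<p>Mirror: <a href="http://unknown-mirror.example/j">mirror</a></p></body></html>"""
if __name__ == "__main__":
    for host, href, hidden in audit(SAMPLE, "journal.example.edu", ["doi.example.org"]):
        print(("HIDDEN  " if hidden else "visible ") + href)
```

Hidden findings deserve immediate investigation; visible ones are candidates for the allowlist or for removal. Links hidden through external CSS or script are not caught by this inline-style check.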
