How SEO Poisoning Pushes Malicious Websites to the Top of Google

By manipulating search rankings, hackers are pushing malicious, legitimate-looking websites to the top of Google search results. This tactic is called search engine optimization (SEO) poisoning.

Recently, cybersecurity analysts at EclecticIQ identified a particularly nasty SEO poisoning campaign that impersonates trusted AI coding tools, including Gemini CLI and Claude Code. The fake websites were designed to look legitimate and trick users into downloading malware.

In this blog, we’ll explain how SEO poisoning works, what you need to know about this recent campaign, and how you can keep your business safe.

What Is SEO Poisoning?

When you search for something on Google, which results do you pay the most attention to? We’re willing to bet it’s the results on the first page – if not the very first result. You aren’t alone either; over 25% of people click the first Google search result.

SEO poisoning takes advantage of that bias.

When a hacker creates a malicious website – typically designed to look like a legitimate one – they use tactics like keyword stuffing and other search ranking manipulation to push it onto the front page of search results. All a victim has to do is search for something on Google and click the malicious link without looking too closely. The higher a website appears in the results, the more likely it is to get clicked.

That’s exactly how this latest campaign works.

Convincing Search Results and Fake AI Tools

It starts with a Google search like “how to install Gemini CLI or Claude Code,” or even something as simple as “Gemini CLI.” These are popular AI coding tools used by millions of software developers, and attackers are clearly taking advantage of AI’s popularity.

The top result looks legitimate, but is actually a nearly identical fake. Just take a look for yourself:

[Image: Google search results for “Gemini CLI”, showing the fake site ranked directly above the real one] (Source – EclecticIQ)

As you can see, the malicious website is positioned directly above the real Gemini CLI website. Even for a query as simple as “Gemini CLI,” the attacker’s site is given priority. While not every SEO poisoning attempt will look like this, it goes to show just how difficult these attacks can be to spot.

The eagle-eyed among you may have already spotted the subtle giveaway: the domain ends in “[.]co[.]com.” For anyone unfamiliar with how legitimate URLs should look, this can easily go unnoticed.

So what happens next?

Once clicked, victims are taken to a fake installation page such as geminicli[.]co[.]com (instead of the real geminicli.com). This fraudulent page is designed to look nearly identical to the real thing. It then prompts users to install the fake Gemini CLI by copying a command and pasting it directly into a terminal on their computer – a major red flag. Legitimate software installers would never require users to manually paste commands into PowerShell, Command Prompt, or Terminal during a standard installation. This tactic is commonly referred to as ClickFix.

According to EclecticIQ, this process installs malware known as an infostealer, which harvests credentials and sensitive data from a wide range of applications: authentication tokens, login credentials, VPN details, and other files that can give attackers access to a victim’s environment.

Alongside the Gemini CLI SEO poisoning campaign, a similar attack has also targeted Claude Code. This attack follows the same pattern as the Gemini one.

The following malicious domains have been identified by EclecticIQ:

  • claude-setup[.]com
  • claudecode[.]co[.]com
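The two checks described above – inspecting the registrable domain behind a lookalike address, and matching traffic against published indicators – can be automated on the defender’s side. The following Python script is an added example, not code from this post or from EclecticIQ. It refangs the three indicators listed above, works out the registrable domain of each hostname (treating `co.com` as a suffix so that `geminicli.co.com` is not mistaken for a subdomain of `geminicli.com`), flags unlisted domains whose brand label contains a protected name, and runs those checks over constructed proxy log lines. The allowlist, brand tokens, suffix list, the hostname `gemini-cli-download.net` and the log format are assumptions for the example; the page only supplies `geminicli.com` and the three malicious domains.

```python
"""Flag lookalike and known-malicious domains from the SEO poisoning campaign.

Added example for this post; not the page's or EclecticIQ's code. The three
indicators are the ones the post lists; every other value is constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Defanged indicators exactly as published on the page (refanged before use).
DEFANGED_IOCS = [
    "geminicli[.]co[.]com",
    "claude-setup[.]com",
    "claudecode[.]co[.]com",
]

# Domains verified as legitimate. The page names geminicli.com as the real
# Gemini CLI site; extend this with your own verified vendor domains.
ALLOWLIST = {"geminicli.com"}

# Brand tokens worth protecting: a registrable domain whose brand label
# contains one of these but is not allowlisted is reported as a lookalike.
BRAND_TOKENS = ("geminicli", "gemini", "claude")

# Assumption: a tiny stand-in for the public suffix list. "co.com" is here
# because the campaign relied on it to make geminicli.co.com resemble geminicli.com.
MULTI_LABEL_SUFFIXES = {"co.com", "co.uk", "com.au"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable hostname."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http").strip()


def registrable_domain(host: str) -> str:
    """Return brand label + public suffix, e.g. www.geminicli.com -> geminicli.com."""
    labels = host.lower().rstrip(".").split(".")
    for width in (2, 1):  # try two-label suffixes (co.com) before single ones (com)
        if len(labels) > width:
            suffix = ".".join(labels[-width:])
            if width == 1 or suffix in MULTI_LABEL_SUFFIXES:
                return ".".join(labels[-(width + 1):])
    return host.lower()


# Registrable domains of the published indicators, used for exact matching.
KNOWN_MALICIOUS = {registrable_domain(refang(i)) for i in DEFANGED_IOCS}


def classify_domain(host: str) -> str:
    """Classify a hostname as allowlisted, known_malicious, lookalike or unrelated."""
    reg = registrable_domain(host)
    if reg in ALLOWLIST:
        return "allowlisted"
    if reg in KNOWN_MALICIOUS:
        return "known_malicious"
    # Compare only letters so "gemini-cli-download" still reveals "geminicli".
    brand_label = re.sub(r"[^a-z]", "", reg.split(".")[0])
    if any(token in brand_label for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


# Constructed proxy log lines (not real traffic): "<timestamp> <client> <method> <url>"
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET https://www.google.com/search?q=gemini+cli
2024-01-01T10:00:04Z 10.0.0.5 GET https://geminicli.co.com/install
2024-01-01T10:02:10Z 10.0.0.7 GET https://geminicli.com/docs
2024-01-01T10:05:42Z 10.0.0.9 GET https://claude-setup.com/
2024-01-01T10:07:13Z 10.0.0.9 GET https://gemini-cli-download.net/download
2024-01-01T10:09:00Z 10.0.0.11 GET https://example.com/
"""


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, verdict) for each request to a flagged domain."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed format
        client, url = parts[1], parts[3]
        host = urlparse(url).hostname or ""
        verdict = classify_domain(host)
        if verdict in ("known_malicious", "lookalike"):
            findings.append((client, host, verdict))
    return findings


if __name__ == "__main__":
    for client, host, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:16} {host:28} client={client}")
```

In production the suffix list would come from the real public suffix list and the indicator list from a threat feed; the point of the example is that matching must happen on the registrable domain, because a plain substring check for `geminicli.com` matches the malicious `geminicli.co.com` as well as the real site, while a check that stops at the last two labels sees only `co.com`.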

How to Avoid SEO Poisoning

While SEO poisoning can be difficult to spot, there are several warning signs that can help you avoid clicking the wrong link or proceeding with a malicious download.

  • Check the website address carefully: As mentioned earlier, any strange typo, added character, or unusual domain extension (such as “co.com”) is a strong indicator that something is wrong.
  • Watch for pop-ups and forced downloads: If you’re bombarded by ads or prompted to download files through pop-ups, exit the site and verify the source before continuing.
  • Never copy and paste: If any software or website instructs you to copy and paste commands directly into Command Prompt, PowerShell, or Terminal, stop immediately and contact your IT Department. Legitimate software vendors will rarely, if ever, require this for standard installation.
  • Train your employees on cyber awareness: Regular security training helps teams spot suspicious links, fake websites, and social engineering tactics before they become a problem.

Moral of the Story

Just because a website sits at the top of a search page doesn’t mean it’s trustworthy. Hackers are manipulating search engines through SEO poisoning campaigns to push fake websites into the top results.

By paying close attention to what you click and avoiding anything that looks suspicious, you can significantly reduce the risk of falling into these traps.

If you’re looking for help securing your business, we’re here to help.

The 20 MSP provides clients with strong security tools combined with comprehensive cybersecurity awareness training programs. Running a business is already challenging – cybersecurity shouldn’t be another burden you have to manage on top of everything else. That’s how small mistakes happen, and the wrong links get clicked.

If you’re looking to offload your tech stress and gain real peace of mind, let’s start the conversation.

Stay safe out there!

FAQ

What is SEO poisoning?

SEO poisoning is a cyberattack technique where hackers manipulate search engine rankings to push malicious websites higher in search results so users are more likely to click them.

How can I tell if a website is fake?

Look closely at the URL for misspellings, extra characters, or unusual domain extensions. Fake websites often imitate legitimate brands but use slightly altered web addresses.

Why are hackers impersonating AI tools like Gemini CLI and Claude Code?

AI tools are extremely popular right now, making them attractive targets. Hackers know users are actively searching for these tools and may trust high-ranking search results without verifying them carefully.

Should legitimate software ever ask me to paste code into my computer?

In most normal installation situations, no. If a website asks you to paste commands into PowerShell, Command Prompt, or Terminal without clear verification from a trusted source, treat it as a major red flag and contact IT first.

About The 20 MSP

As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, providing each one with white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.