Cloaking, parasite SEO, and rehydrated domains
Coverage areas: Domains, social, app stores (scoped to your program)
Delivery: Platform workflows + optional managed services
Outputs: Prioritized queues, evidence, takedown tracking
Coverage
Threat patterns programs typically monitor
Programs are tuned to your marks and channels; the list below reflects common categories teams prioritize.
Branded SERP poisoning campaigns
High-intent branded queries (support, login, payment) where attackers outrank you with deceptive results.
Cloaked redirects (bot vs browser)
Pages that show Googlebot a legitimate article and the real visitor a phishing portal or scam checkout.
Parasite SEO on hijacked subdomains
Abandoned subdomains of trusted parent domains rehosting fraud content and inheriting the parent's ranking authority.
Competitor and impostor keyword bidding
Paid-search abuse of brand terms — distinguishing legal competitor bidding from clear scam-ad fraud.
AI-generated lookalike support pages
AI-spun FAQs and 'official help' articles that target long-tail queries to outrank slow-moving real pages.
Ad-chain and landing-page swaps
Ad-tech chains, cloaking servers, and post-click landing rotations that let scam campaigns survive policy reviews.
Four poisoning patterns, four detection signals
SEO poisoning is not one technique. Each pattern below leaves a different fingerprint, and a defense that only watches one will miss the others.
Cloaking and conditional redirects
The page Googlebot sees is a legitimate-looking article; the page a real visitor sees is a phishing portal, a scam checkout, or a malware drop. Detection requires user-agent-aware crawling, comparing rendered DOMs between bot and browser fetches, and flagging redirect chains that diverge based on referrer or geo.
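An added example (not PhishEye's code) of the bot-versus-browser comparison described above. It assumes the two fetches were already collected upstream with different user agents, and it compares visible words in the returned HTML as a stand-in for a rendered-DOM diff; the function names, signal labels, threshold and sample pages are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PageFeatures(HTMLParser):
    """Collects visible word tokens and notes any password input field."""
    def __init__(self):
        super().__init__()
        self.words, self.has_password, self._skip = set(), False, 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:  # ignore script/style bodies
            self.words.update(w.lower() for w in data.split())

def features(html):
    parser = PageFeatures()
    parser.feed(html)
    parser.close()
    return parser

def cloaking_signals(bot, browser, min_similarity=0.5):
    """Each fetch is {'chain': [urls followed], 'html': final body}."""
    signals = []
    if urlsplit(bot["chain"][-1]).hostname != urlsplit(browser["chain"][-1]).hostname:
        signals.append("final_host_diverges")
    fb, fr = features(bot["html"]), features(browser["html"])
    union = fb.words | fr.words
    similarity = len(fb.words & fr.words) / len(union) if union else 1.0
    if similarity < min_similarity:  # Jaccard overlap of visible words
        signals.append("content_diverges")
    if fr.has_password and not fb.has_password:
        signals.append("credential_form_only_for_browser")
    return signals, similarity

# Constructed sample fetches of one search result (reserved .example hosts).
BOT = {"chain": ["https://blog.trusted.example/reset-guide"],
       "html": "<h1>How to reset your password</h1><p>Open settings and choose reset.</p>"}
BROWSER = {"chain": ["https://blog.trusted.example/reset-guide",
                     "https://login-portal.example/signin"],
           "html": "<h1>Sign in to continue</h1><form><input type='password' name='p'>"
                   "</form><script>var t='reset your password'</script>"}
if __name__ == "__main__":
    print(cloaking_signals(BOT, BROWSER))
```

Running the same comparison with referrer or geo varied instead of user agent covers the other divergence conditions named above.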
Parasite SEO on hijacked subdomains
Attackers find abandoned subdomains of high-trust sites (universities, news outlets, expired vendor pages) and stand up scam content that inherits the parent domain's ranking authority. Detection means monitoring branded queries for results on third-party domains where your brand has no business appearing, then validating that the page is hosted on a subdomain the parent organization no longer controls.
Expired-domain rehydration
Recently expired brand-adjacent domains (support[brand].com, [brand]-status.net) get re-registered and re-skinned as fake support, status pages, or migration helpers. They keep the SEO equity the original site built up, but redirect to credential harvesters or wallet drains. Detection means watching expiry windows on adjacent domains and flagging new content on returning hostnames.
AI-generated lookalike content
AI-spun support FAQs, troubleshooting guides, and 'official help' articles outrank slow-moving real pages because they target long-tail queries at scale. The text is generated, the screenshots are stock, the contact form is a credential harvester. Detection blends content-fingerprint comparison against your real support pages with classifier-based AI-text scoring on the highest-ranking competing results.
Who this is for
Security, fraud, and brand teams protecting customers who rely on search to find legitimate support, login, and purchase paths. Also useful for legal and communications stakeholders who need defensible evidence and clear closure reporting.
Protect revenue and customer trust
See how PhishEye centralizes detections, evidence, and takedowns so security, fraud, and brand teams share one operational picture.
FAQs
Common questions
What is SEO poisoning in practical terms?
How is this different from normal phishing monitoring?
What evidence helps get abusive search pages removed?
