The most common way to get malware onto users’ devices is through phishing attacks. In these attacks, an email that appears to be from a reputable company tricks users into opening an infected attachment or clicking on a link to an infected website.
But now, cybersecurity teams are seeing an increase in malware delivered via a different route: poisoned SEO searches.
With SEO poisoning, the attacker doesn’t have to worry about crafting compelling messages that call for quick action, replicating company graphics, or sending a large number of emails to potential victims. Instead, as with a new variant of the GootLoader malware, attackers plant their poison and wait for victims to bite.
What is SEO poisoning?
Every business with a web presence, which is almost every major business today, wants to drive potential customers to its website. Search engine optimization (SEO) is a set of techniques designed to increase the likelihood that a website appears near the top of the results page when a user searches for relevant terms. SEO is big business: a high ranking can greatly increase the number of potential customers visiting a particular site rather than the many similar sites that appear further down the results page or, worse, on the third, fourth or fifth page.
Threat actors long ago realized that if they can get their malware-infected websites to rank highly for specific search terms, victims will come.
Of course, cybercriminals generally don’t achieve high SEO rankings through legitimate techniques, such as publishing up-to-date, relevant content that readers find useful. They resort to “black hat” SEO: techniques designed to trick Google and other search engines into rating a site as more relevant than it actually is. Black hat tactics violate search engine guidelines, and if and when search engine operators discover that a site has been using them, the site is penalized.
Black Hat SEO includes techniques such as:
Automated content. Search engines reward new content, so some scammers just have AI bots create new content with relevant keywords, regardless of whether it’s good.
Article spinning. Instead of creating useful content of their own, they take someone else’s article and change enough words to avoid being penalized for duplicate content.
Keyword stuffing. Enter as many relevant keywords as possible in hopes of ranking well.
Manipulation of links. There are many disreputable schemes to get links to a site, such as link farms or paying for links, which can make it appear that other sites find your content useful and that the site is reputable.
Cloaking. Users are shown content that differs from what is served to the search engine’s crawler, so that a site ranks for search terms that have nothing to do with what visitors actually see.
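Cloaking is the black hat technique most relevant to SEO poisoning, and it is also the easiest to test for: request the same page once as a crawler and once as a browser and compare the visible text. The script below is an added example, not code from the original post or from Ericom. The two fetchers at the bottom are constructed stand-ins for a cloaking site and an honest site so the check runs offline; `http_fetch` shows how to plug in a real request. The Googlebot user-agent string is the real one; the URL and site contents are made up.

```python
"""Detect search-engine cloaking by comparing what a crawler user-agent is
served against what an ordinary browser user-agent is served.

Added example. The fetcher is pluggable: `fake_cloaking_site` and
`fake_honest_site` are constructed offline stand-ins; `http_fetch` is the
real-network variant.
"""
import difflib
import html
import re
import urllib.request
from typing import Callable

# How Googlebot identifies itself (real string) versus a plain desktop browser.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

TAG_RE = re.compile(r"<[^>]+>")

Fetcher = Callable[[str, str], str]   # (url, user_agent) -> page body


def visible_text(page: str) -> str:
    """Reduce HTML to its lower-cased visible words, ignoring markup and whitespace."""
    stripped = html.unescape(TAG_RE.sub(" ", page))
    return " ".join(stripped.split()).lower()


def cloaking_score(fetch: Fetcher, url: str) -> float:
    """1.0 minus the similarity between the crawler's and the browser's view of
    `url`: 0.0 means identical, values near 1.0 mean the crawler is shown text
    the user never sees."""
    crawler_view = visible_text(fetch(url, CRAWLER_UA))
    browser_view = visible_text(fetch(url, BROWSER_UA))
    ratio = difflib.SequenceMatcher(None, crawler_view, browser_view).ratio()
    return round(1.0 - ratio, 3)


def is_cloaked(fetch: Fetcher, url: str, threshold: float = 0.5) -> bool:
    return cloaking_score(fetch, url) >= threshold


def http_fetch(url: str, user_agent: str) -> str:
    """Real fetcher: only the User-Agent header differs between the two requests."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# --- constructed offline stand-ins (hypothetical sites, not real domains) ----
def fake_cloaking_site(url: str, user_agent: str) -> str:
    """Keyword-stuffed 'legal form' text for the crawler, a bare download page for humans."""
    if "Googlebot" in user_agent:
        return ("<html><body><h1>Free contract template, agreement template, "
                "legal form download</h1><p>Sample contract template for business "
                "agreement forms, non-disclosure agreement template, lease form.</p>"
                "</body></html>")
    return "<html><body><p>Click here to download.</p><a href='/get'>Download</a></body></html>"


def fake_honest_site(url: str, user_agent: str) -> str:
    return "<html><body><h1>Widget Co</h1><p>We sell widgets.</p></body></html>"


if __name__ == "__main__":
    url = "https://example.test/contract-template"   # hypothetical
    for name, site in (("cloaking", fake_cloaking_site), ("honest", fake_honest_site)):
        print(f"{name:9s} score={cloaking_score(site, url):.3f} cloaked={is_cloaked(site, url)}")
```

A user-agent swap catches only naive cloakers; sites that key on Googlebot's published IP ranges or on reverse DNS will serve the browser view to both requests, so a negative result from this check is not proof that a site is clean.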
GootLoader and poisoned SEO
IBM X-Force researchers recently uncovered a new variant of the GootLoader malware, called “GootBot”, which facilitates lateral movement within a victim’s environment and delivers malware during the final stages of an attack chain. GootBot makes the next-stage payloads that GootLoader delivers harder to detect and block.
GootLoader has been around since at least 2020. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) listed it as one of the top malware strains of 2021. Initially, GootLoader served only as the first stage of a system compromise, but with GootBot it has evolved.
In this latest approach, the GootLoader group uses poisoned SEO to promote results for sample documents that business users frequently search for, such as contracts, legal forms and other business documents. When users click on the poisoned search link, they are directed to a compromised site hosting files infected with GootBot. Along with what they believe are clean business forms, users download a malicious initial payload: an obfuscated JavaScript file that spreads GootBot implants throughout the corporate environment. Each GootBot implant contains a unique C2 server, each running on a hacked WordPress site.
Several law firms have been hit with REvil ransomware attacks that started with poisoned SEO. In many cases the source was a compromised site with black hat-enhanced SEO rankings serving business forms infected with GootLoader.
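Whatever the lure, the download only becomes an infection when the user opens the JavaScript file, and on Windows that means Windows Script Host (wscript.exe or cscript.exe) is launched from the shell with a .js under Downloads or a temporary zip-extraction folder. That is a narrow, high-signal event to alert on, and a script host spawning PowerShell or a second script host is a second one. The detector below is an added example, not from the original post or from Ericom; the log lines are constructed JSON approximations of Sysmon event ID 1 (process creation) fields, with made-up user, path and process ID values, not captured telemetry.

```python
"""Flag the execution path a poisoned-SEO JavaScript download takes on a
Windows endpoint. Added example; SAMPLE_LOG is constructed, not real telemetry.
"""
import json
import re
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Where a freshly downloaded file, or one opened straight out of a zip in
# Explorer (extracted under %TEMP%), normally lives.
DOWNLOAD_PATH_RE = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.IGNORECASE)
# Children a script host has no benign reason to spawn on a user workstation.
SECOND_STAGE = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_args(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify(event: dict) -> Optional[str]:
    """Return a rule name if the process-creation event looks like a
    downloaded-script execution chain, else None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    # Rule 2: script host spawning a second-stage interpreter or script host.
    if parent in SCRIPT_HOSTS and image in SECOND_STAGE:
        return f"script_host_spawned_{image}"
    # Rule 1: user double-clicked (parent explorer.exe) a script file that sits
    # in a download or zip-extraction location.
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        for arg in cmdline_args(event.get("CommandLine", ""))[1:]:
            if arg.lower().endswith(SCRIPT_EXTS) and DOWNLOAD_PATH_RE.search(arg):
                return "script_host_from_download_dir"
    return None


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Run classify() over newline-delimited JSON events; return (ProcessId, rule) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rule = classify(event)
        if rule:
            hits.append((event["ProcessId"], rule))
    return hits


# Constructed sample events (hypothetical user 'alice', made-up PIDs and paths).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\contract_template.js"'},
    {"ProcessId": 4133, "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_agreement_template.zip\agreement_template.js"'},
    {"ProcessId": 4150, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Users\alice\AppData\Roaming\stage2.js"},
    {"ProcessId": 4171, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"powershell.exe -w hidden -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Benign: an admin logon script run from an installed location.
    {"ProcessId": 5001, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Corp\logon.vbs"'},
    # Benign: the user opened a browser.
    {"ProcessId": 5002, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_LOG):
        print(f"ALERT pid={pid} rule={rule}")
```

The same two conditions translate directly into an EDR or SIEM rule; the path test is what keeps rule 1 from firing on logon scripts and other administratively deployed .vbs/.js files, and rule 2 is the one that survives if the attacker renames the first-stage file.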
Protection against GootLoader and other poisoned SEO attacks
Attacks through poisoned SEO often go unnoticed by users, as few people are even aware of the risk. By now most people know that phishing is dangerous, although many still fall for it. But with poisoned SEO there is no unsolicited, high-pressure email. Victims simply click on a search result, something most of us do dozens of times a day without a second thought. Anti-phishing training does little to help here.
The best way to protect yourself from this type of attack is Zero Trust Remote Browser Isolation (RBI) that includes Content Disarm and Reconstruction (CDR).
RBI isolates users from websites and any malware they may contain. Website content is rendered in virtual browsers isolated in the cloud, so the browser on the user’s device never executes active web content. Any malware launched by a user’s click runs harmlessly in the isolated container, because only clean rendering data is transmitted to the user’s device. In the poisoned SEO case described above, when a user tries to download a document file, Ericom Web Isolation applies cloud-based CDR to sanitize the file and remove any risky elements, such as the GootLoader loader, before the file reaches the user’s device.
The same “air gap” technology can be used in reverse to protect websites and applications from being hijacked as hosts for third-party malware. Web Application Isolation (WAI) isolates your applications from potentially malicious content uploaded by users and shields application surfaces from threat actors looking for vulnerabilities to exploit. It also applies granular controls to keep data and sensitive content from being edited, downloaded or otherwise exposed.
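CDR is often described abstractly; in concrete terms, for a download it means deciding what the file is, discarding any active content, and handing the user a rebuilt file rather than the original bytes. The script below is an added example illustrating that policy for a “contract template” download, not Ericom’s product code. It treats a bare script file as blocked, rebuilds a zip from its allow-listed document members only, and refuses a “.pdf” whose bytes are not a PDF. A real CDR engine goes further and rewrites the documents themselves (stripping macros, embedded objects and scripted PDF actions), which this example does not attempt. The sample archive and its member contents are constructed in memory so the script runs offline.

```python
"""A minimal content-disarm-and-reconstruct (CDR) pass for a downloaded
"business form". Added example; the sample archive is constructed inline.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Members a business-form download legitimately contains.
ALLOWED_EXTS = (".pdf", ".docx", ".xlsx", ".txt", ".rtf")
# Active content that has no business being in a "contract template".
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".lnk", ".exe", ".dll", ".bat", ".cmd", ".ps1", ".scr")


def disarm_zip(data: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild a fresh archive containing only allow-listed document members.
    Returns (rebuilt_zip_bytes, dropped_member_names). Member paths are
    flattened so '../'-style entries cannot escape the extraction directory."""
    dropped: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith("/"):          # directory entry, nothing to carry over
                continue
            # A double extension like 'contract.pdf.js' ends with .js and is dropped.
            if lower.endswith(ALLOWED_EXTS) and not lower.endswith(SCRIPT_EXTS):
                dst.writestr(name.replace("\\", "/").rsplit("/", 1)[-1], src.read(info))
            else:
                dropped.append(name)
    return out.getvalue(), dropped


def sanitize_download(filename: str, data: bytes) -> Tuple[str, Optional[bytes], List[str]]:
    """Policy for a file the user is about to receive.
    Returns (verdict, payload_to_deliver, dropped_names); verdict is
    'blocked', 'rebuilt' or 'passed'."""
    lower = filename.lower()
    if lower.endswith(SCRIPT_EXTS):
        return "blocked", None, [filename]
    if lower.endswith(".zip"):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return "blocked", None, [filename]      # claims to be a zip, is not
        rebuilt, dropped = disarm_zip(data)
        return "rebuilt", rebuilt, dropped
    if lower.endswith(".pdf"):
        # Extension alone is not trusted: the bytes must actually start a PDF.
        if data.startswith(b"%PDF"):
            return "passed", data, []
        return "blocked", None, [filename]
    if lower.endswith(ALLOWED_EXTS):
        return "passed", data, []
    return "blocked", None, [filename]


def list_members(zip_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample_zip() -> bytes:
    """Constructed 'Contract_Template.zip': a real-looking PDF stub, a script
    masquerading as the template, and a nested text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract_Template.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
        zf.writestr("contract_template.js", b"var s = 'constructed stand-in for an obfuscated loader';\n")
        zf.writestr("notes/readme.txt", b"Open the template to get started.\n")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for name, payload in (("Contract_Template.zip", SAMPLE_ZIP),
                          ("contract_template.js", b"var x;"),
                          ("form.pdf", b"MZ\x90\x00 constructed non-PDF bytes")):
        verdict, out, dropped = sanitize_download(name, payload)
        members = list_members(out) if verdict == "rebuilt" else []
        print(f"{name}: {verdict} dropped={dropped} delivered={members}")
```

The user still receives a working archive with the forms they searched for; what they no longer receive is the file that would have started the infection, which is the point of reconstruction rather than plain blocking.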
Conclusion
Poisoned SEO is a particularly insidious malware delivery mechanism because users are lulled into a false sense of security by the link appearing at the top of a legitimate search engine results page, and by the fact that they chose to click on it themselves.
A Zero Trust web access solution with RBI is the only way to effectively protect against infected websites and weaponized downloads. Contact us to learn how to protect your digital assets with the latest in isolation-based cybersecurity.
The post SEO Poisoning Leads Users to Attackers’ Doorsteps appeared first on Ericom Software.
*** This is a Security Bloggers Network syndicated blog from Ericom Software written by Leo Versola. Read the original post at: