Manipulation of search engines
SEO poisoning is a black hat technique for abusing and tricking search engine algorithms to affect how they index and rank sites. Search engines use various factors such as keywords, backlinks and more to determine the relevance and order of websites displayed based on user queries.
Cybercriminals use this technique to lure unsuspecting Internet users to compromised websites, where their systems can be infected with malware. These threat actors often target specific industries or individuals by using keywords that align with victims’ daily activities. The chosen keywords are carefully selected to match the attackers’ decoys and often correspond to the name of the malware payload. Unlike phishing attacks that tailor their content to each victim, SEO poisoning campaigns typically use static content.
Common tactics used in SEO poisoning campaigns involve luring victims with fake document templates or office software. Payloads are often disguised with fake icons, creating the illusion of a harmless PDF file while running malware upon opening. However, in some cases, threat actors package the payload with a legitimate version of the software that the user intended to download.
Below are several major SEO poisoning campaigns that highlight common tactics, techniques, and procedures (TTPs) associated with this type of cyberattack:
Gootloader
Gootloader is an SEO poisoning campaign that leverages a large number of SEO-poisoned sites to infect victims. When an unsuspecting Internet user visits one of these websites, the embedded code forwards the visitor’s IP address, referrer string, unique server identifier, and user agent to the attacker’s domain, which then determines whether a lure should be served. If the visitor has searched for a specific term and is within a targeted geographic region, or is using a certain operating system, the site displays a visible overlay instead of redirecting the victim.
Gootloader runs an array of over 400 servers that monitor compromised WordPress sites. Many search queries are directed to medical and healthcare organizations. Gootloader infections have led to executions of Cobalt Strike, the Kronos Trojan, as well as the REvil ransomware.
BATLoader
BATLoader is malware often associated with SEO poisoning campaigns in which threat actors lure victims to sites offering trojanized productivity or office tools. After a victim clicks a search result, BATLoader’s traffic steering system determines whether to redirect the visitor to a fake message board that hosts a download link.
A 2021 leak revealed that BATLoader’s TTPs overlap with those of the new Conti ransomware gang.
Solarmarker
Solarmarker’s SEO poisoning campaign uses a wide range of keywords targeting the remote workforce. Similar to Gootloader, Solarmarker uses an arsenal of compromised WordPress sites. Each of these sites runs a plugin that generates a directory into which the attackers upload a malicious payload. In many cases, the Solarmarker lure asks users to download a fake PDF document.
The perpetual cycle of cybercrime
SEO poisoning will likely continue to grow in popularity, and while it provides threat actors with a reliable initial access vector, it does present long-term challenges. Even when done legitimately, SEO is extremely demanding because rankings change every day. Black hat SEO is even more volatile, as most search engines de-rank sites caught abusing the algorithm, creating a perpetual cycle of cyberattacks.
As their own sites are taken down for malicious behavior, threat actors look to hijack existing sites that were recently created or that have high authority scores, rather than spend time building new ones from scratch. Threat actors have two main ways to accomplish this.
Attacking Content Management Systems (CMS)
Threat actors often target content management systems such as WordPress by exploiting common vulnerabilities, which lets them gain control of multiple sites at once.
Exploitation of vulnerabilities in themes and plugins
Plugins and themes installed on CMS platforms often contain vulnerabilities. Threat actors may also attempt to exploit weak login credentials on CMS admin panels to gain access to vulnerable sites.
Once threat actors gain access to a site, they can modify its content or inject malicious code. They then continue to use the site to host SEO poisoning campaigns until it is shut down or de-ranked, prompting them to hijack more sites.
How to protect yourself from SEO poisoning
To avoid falling for SEO poisoning schemes, organizations should create and enforce application whitelists. In addition, user education must adapt to the changing threat landscape, and users must familiarize themselves with the common lures used by malware campaigns. Because SEO poisoning domains change rapidly, Flashpoint recommends blocking active content in browsers to prevent the redirects and overlays these sites rely on.
Additionally, many of the TTPs used by malware campaigns that use SEO poisoning remain similar to other malware campaigns after the initial infection. Flashpoint recommends implementing detection schemes around the execution of any JavaScript, VBS, .ISO, .MSI, or .IMG files from a .ZIP archive. Flashpoint also recommends removing the default file association of JavaScript and VBS files with the Windows scripting interpreter “wscript.exe” through Group Policy changes.
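As an added illustration of the detection scheme recommended above (this is example code, not Flashpoint’s own tooling), the following Python flags process-creation events in which a script host or msiexec runs a .js/.vbs/.wsf/.msi file out of an archive extraction folder. The events are constructed, Sysmon-style samples, and the extraction-folder patterns (Explorer’s `Temp1_<archive>.zip\` and 7-Zip’s `7z<random>\` under `%TEMP%`) are assumptions to adjust for the archivers in your environment.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_invoice_template.zip\invoice_template.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\7zO4A1B2C3\setup.msi"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",   # legitimate logon script, should not fire
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"',
     "ParentImage": r"C:\Windows\System32\gpscript.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",  # document, not a script host
     "CommandLine": r'"WINWORD.EXE" "C:\Users\alice\AppData\Local\Temp\Temp1_report.zip\report.docx"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "msiexec.exe"}
RISKY_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|msi)\b", re.IGNORECASE)
# Assumed extraction folders: Explorer's built-in zip handler uses %TEMP%\Temp1_<archive>.zip\,
# 7-Zip uses %TEMP%\7z<random>\ (assumption; extend for WinRAR and other archivers you deploy).
ARCHIVE_TEMP = re.compile(r"\\AppData\\Local\\Temp\\(Temp\d+_[^\\]+\.zip|7z[A-Za-z0-9]+)\\", re.IGNORECASE)
ARCHIVER_PARENTS = {"7zfm.exe", "winrar.exe", "explorer.exe"}  # explorer alone is a weaker signal


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if a script host runs a risky file out of an archive, else None."""
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return None
    cmd = event["CommandLine"]
    if not RISKY_EXT.search(cmd):
        return None
    reasons = []
    if ARCHIVE_TEMP.search(cmd):
        reasons.append("script/installer path is inside an archive extraction folder")
    parent = basename(event["ParentImage"])
    if parent in ARCHIVER_PARENTS:
        reasons.append(f"launched by archive/shell parent {parent}")
    return "; ".join(reasons) or None


def scan(events):
    """Return (image, reason) pairs for every event classify() flags."""
    return [(basename(e["Image"]), r) for e in events if (r := classify(e))]
```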
To further mitigate risks to CMS platforms, organizations should keep all themes and plugins up to date, perform regular security audits, and maintain a robust vulnerability management program so that their sites cannot be abused by threat actors.
Protect yourself against digital threats with Flashpoint
Threat vectors are converging at breakneck speed, making it increasingly difficult to address risk. Sign up for a free trial to stay ahead of potential targeted threats.