SoS Musings #70 - The Rise in SEO Poisoning

Malicious search engine advertisements have become more prevalent in the wild. The technique behind them, known as Search Engine Optimization (SEO) poisoning, is a form of malvertising (malicious advertising). Malware infections are rarely the result of simply clicking on a malicious file; they are usually the culmination of a carefully orchestrated series of steps designed to trick the user into opening the file. That is the method underlying SEO poisoning, in which seemingly harmless search queries lead unsuspecting users to sites hosting malware. The infection chain involves malicious actors creating fake content that rides on the credibility of a legitimate website. SentinelOne reported an increase in malicious search engine advertisements and pointed out that attackers using SEO poisoning are usually more successful when they poison the results for popular downloads associated with organizations that lack extensive internal brand protection resources. SEO poisoning attacks modify search engine results so that the first advertised links redirect to attacker-controlled sites, typically to infect visitors with malware or to draw more victims into ad fraud. Researchers have uncovered many examples of SEO poisoning attacks.

SolarMarker malware operators used PDF documents containing multiple SEO keywords to boost their visibility in search engines and direct potential victims to the malware, which was hosted on a malicious site masquerading as Google Drive. According to Microsoft, SolarMarker is a backdoor designed to collect browser data and credentials. In the SolarMarker campaign, attackers used thousands of PDFs containing keywords and links to funnel unwary users across numerous websites to one that downloads the malware. The PDF documents are stuffed with more than 10 pages of keywords relevant to a wide variety of topics, such as insurance applications and math answers, in order to increase their search engine rankings. CrowdStrike also drew attention to SolarMarker for employing the same SEO poisoning technique, with North American users as a primary target. The SolarMarker operators hosted malicious lure pages on Google Sites; the pages pushed document downloads and placed highly in search engine results. In addition to Google Sites, the attackers used Amazon Web Services (AWS) and Strikingly's service. Microsoft 365 Defender data indicated that the SEO poisoning method was successful: Microsoft Defender Antivirus recognized and stopped thousands of these PDFs across many environments.

A campaign analyzed by researchers at Mandiant employed SEO poisoning and a variety of legitimate tools for avoiding detection in order to infect targets with malware, steal credentials, and more. According to Mandiant, the BATLOADER malware that was downloaded during the earliest stages of a multi-stage attack chain provided attackers with a foothold within target organizations. From there, the attackers used both legitimate and malicious tools for remote access, privilege escalation, persistence, and credential theft. This malware campaign's original attack vector was SEO poisoning. Since SEO poisoning casts a wide net over search engine traffic, this strategy is rarely used in highly targeted attacks, and Mandiant researchers found that the victims in this campaign appeared to work in different industries. In order to entice victims to their websites, the attackers used "free productivity apps installation" or "free software development tools installation" themes as SEO keywords. If a target visited the website and downloaded what appeared to be a productivity app or software development tool, such as Zoom, TeamViewer, and Visual Studio, they were actually downloading an installer containing legitimate software bundled with the BATLOADER malware, which was dropped and executed during software installation.

Malicious actors hacked thousands of websites for a Google SEO poisoning campaign that compromised over 15,000 websites to redirect visitors to fake Q&A discussion forums. The security firm Sucuri discovered the attacks, noting that each hacked site held about 20,000 files used in the SEO poisoning campaign, and that most of the sites ran WordPress. According to the researchers, the threat actors' goal was to generate enough indexed pages to improve the search engine rankings of the fake Q&A sites and increase their authority. The campaign likely prepared these sites for future use as malware droppers or phishing sites, since even a brief stint on the first page of Google Search would result in a large number of infections. Based on the presence of an 'ads.txt' file on the landing pages, their owners may also have wanted to increase traffic in order to carry out ad fraud. Sucuri reported that the hackers modified WordPress PHP files, such as 'wp-singup.php,' 'wp-cron.php,' 'wp-settings.php,' 'wp-mail.php,' and others, to inject the redirects to the fake portals. Sometimes the attackers dropped their own PHP files on the targeted website, using random or pseudo-legitimate file names such as 'wp-logln.php'. The infected or injected files contained malicious code that checked whether a visitor was logged in to WordPress and redirected them to a PNG image URL if they were not. Instead of an image, this URL served JavaScript that sent the visitor to a Google search click URL, which in turn transferred them to the fraudulent Q&A site. Routing visitors through a Google search click URL likely inflates the performance metrics of those URLs in the Google Index, making the sites appear popular and improving their position in the search results. Redirecting through Google search click URLs also makes the traffic appear more authentic, helping it evade security software.
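The Sucuri findings above describe two observable artifacts on a compromised WordPress install: core PHP files carrying an injected logged-out-user redirect, and dropped files whose names imitate core files. The following Python script is an added example, not code from the page or from Sucuri, showing how a defender might check an install for both. The file tree, the abbreviated list of core filenames and the similarity threshold are constructed for the example; a real check would walk the actual document root and compare against a complete manifest of the installed WordPress version.

```python
import difflib
import re

# Constructed sample tree {filename: source}. These are made-up stand-ins for a
# WordPress install; the injected snippets mimic the redirect pattern described
# in the Sucuri analysis and are not the real injected code.
SAMPLE_TREE = {
    "wp-settings.php": "<?php\n// core bootstrap\nrequire 'wp-load.php';\n",
    "wp-cron.php": (
        "<?php\nif ( ! is_user_logged_in() ) {\n"
        "    header('Location: https://example.invalid/images/pic.png');\n"
        "    exit;\n}\n"
    ),
    "wp-logln.php": (
        "<?php\n$u = 'https://www.google.com/url?q=https://example.invalid/';\n"
        "header('Location: ' . $u);\n"
    ),
    "wp-mail.php": "<?php\n// untouched mail handler\n",
    "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
}

# Hypothetical, abbreviated set of legitimate core filenames for the example.
CORE_FILES = {
    "wp-settings.php", "wp-cron.php", "wp-mail.php", "wp-signup.php",
    "wp-login.php", "wp-load.php", "index.php", "wp-blog-header.php",
}

REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:", re.IGNORECASE)
LOGIN_CHECK_RE = re.compile(r"is_user_logged_in\s*\(")
IMAGE_URL_RE = re.compile(r"https?://[^'\"\s]+\.(?:png|jpe?g|gif)", re.IGNORECASE)
GOOGLE_CLICK_RE = re.compile(r"google\.[a-z.]+/url\?", re.IGNORECASE)


def lookalike_names(tree, core=CORE_FILES, cutoff=0.85):
    """Return {filename: core_name} for files that are not core files but whose
    names closely resemble one (e.g. 'wp-logln.php' imitating 'wp-login.php')."""
    hits = {}
    for name in tree:
        if name in core:
            continue
        match = difflib.get_close_matches(name, sorted(core), n=1, cutoff=cutoff)
        if match:
            hits[name] = match[0]
    return hits


def suspicious_redirects(tree, core=CORE_FILES):
    """Return sorted (filename, reasons) pairs for files that issue an HTTP
    redirect, annotated with the traits the campaign's injected code showed."""
    findings = []
    for name, src in tree.items():
        if not REDIRECT_RE.search(src):
            continue
        reasons = ["header(Location:) redirect"]
        if LOGIN_CHECK_RE.search(src):
            reasons.append("gated on is_user_logged_in()")
        if IMAGE_URL_RE.search(src):
            reasons.append("target looks like an image URL")
        if GOOGLE_CLICK_RE.search(src):
            reasons.append("target is a Google search click URL")
        if name in core:
            reasons.append("inside a core file")
        findings.append((name, reasons))
    return sorted(findings)


def scan(tree):
    """Combine both checks into one report dict."""
    return {
        "lookalikes": lookalike_names(tree),
        "redirects": suspicious_redirects(tree),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_TREE)
    for name, core_name in report["lookalikes"].items():
        print(f"[lookalike] {name} resembles core file {core_name}")
    for name, reasons in report["redirects"]:
        print(f"[redirect]  {name}: {', '.join(reasons)}")
```

The redirect check deliberately flags every `header('Location: ...')` call and then scores the traits separately, so a legitimate redirect in a plugin shows up with one reason while an injected one accumulates several (login gating, an image-looking target, placement inside a core file). Name similarity is computed with `difflib`, which is enough to catch single-character swaps such as `l` for `i`.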

According to the Cybereason Incident Response team, an "aggressive threat actor" has been targeting the finance and healthcare industries with Gootloader malware and SEO poisoning techniques. The threat actor moves quickly, taking control of the infected network and obtaining elevated privileges in less than four hours, according to researchers. Cybereason analyzed a successful incident involving new deployments of Gootloader in December 2022, which revealed the use of multiple tactics, including SEO poisoning, to trick victims into downloading dangerous payloads. The analysis found multiple layers of obfuscation and multiple JavaScript loops that lengthen execution, likely as an anti-sandbox strategy. Gootloader is described as highly evasive, hiding itself within legitimate JavaScript code to avoid detection by traditional security solutions. Researchers suggested that the actors built websites, or populated web forums and similar sites, with specific keywords and links leading to a website containing the infected file. The threat actors behind the Gootloader campaign employed SEO poisoning to place their infected pages at the top of search engine results. The Gootloader infection path begins with a compromised WordPress site whose apparent authenticity is bolstered via SEO poisoning, with keywords likely placed in the HTML code of valid pages.

Researchers at Deepwatch also discovered an SEO poisoning campaign targeting individuals in various industries and government sectors when they search for work-related terms. Findings from their analysis of the blog post topics suggest that the campaign could be influenced by a foreign intelligence agency. The threat actors used blog post titles, such as "Confidentiality Agreement for Interpreters," that a person whose organization may be of interest to a foreign intelligence service would search for. The researchers noticed that the threat actors likely created over 190 blog articles on a single website. Deepwatch discovered the campaign while investigating an incident at a customer in which an employee searched Google for "transition services agreement" and landed on a website that appeared to be a forum thread in which one of the users provided a link to a ZIP archive. The archive contained a file named "Accounting for transition services agreement" with a JavaScript extension, which was a Gootloader variant. Transition services agreements are typically used during mergers and acquisitions to help transition part of an organization after a sale. The fact that the user spotted and clicked on this link means that it was prominently displayed. When examining the site hosting the malware delivery page, the researchers discovered it was a sports streaming distribution site that appeared authentic based on its content. Yet, buried deep within its structure were 192 blog articles on different topics that would be of interest to professionals in various industry sectors. These blog entries are only reachable through Google search results. The topics of the questionable blog articles ranged from government and law to real estate, medicine, and education. Some blog entries covered specific legal and business questions or concepts for US states, including California, Florida, and New Jersey. Other blog entries discussed subjects related to Australia, Canada, New Zealand, the UK, the US, and other nations.
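The Deepwatch incident above hinges on a ZIP archive that contains a single script file carrying a document-style title. The following Python script is an added example, not code from the page or from Deepwatch, of a check a mail or web proxy could apply to downloaded archives to flag that lure shape before a user opens it. The sample archives, the script-extension and document-word lists, and the scoring rules are all constructed for the example; the script body inside the sample archive is a harmless placeholder, not the Gootloader file.

```python
import io
import os
import zipfile

# Extensions Windows will execute as a script or shortcut on double-click
# (illustrative list, not exhaustive).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".lnk", ".cmd", ".bat", ".ps1"}
# Extensions a lure may try to hide behind in a double extension (e.g. x.pdf.js).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Words common in business-document titles; a constructed, illustrative list.
DOCUMENT_WORDS = ("agreement", "contract", "invoice", "template", "form",
                  "policy", "statement", "accounting")


def classify_member(name):
    """Return the reasons one archive member looks like a script lure
    (empty list when it does not carry an executable script extension)."""
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    reasons = []
    if ext not in SCRIPT_EXTS:
        return reasons
    reasons.append(f"executable script extension {ext}")
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in DOCUMENT_EXTS:
        reasons.append(f"double extension hides {inner_ext}")
    if any(word in stem.lower() for word in DOCUMENT_WORDS):
        reasons.append("document-like title")
    if len(stem) > 25 and " " in stem:
        reasons.append("long, sentence-style filename")
    return reasons


def scan_archive(data):
    """Scan ZIP bytes and return {member_name: reasons} for suspicious members.
    A lone script in an otherwise empty archive is the strongest signal."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [info for info in zf.infolist() if not info.is_dir()]
        for info in members:
            reasons = classify_member(info.filename)
            if reasons and len(members) == 1:
                reasons.append("only file in the archive")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_lure_zip():
    """Constructed archive shaped like the one in the Deepwatch incident:
    a single .js file with a document-style name and placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Accounting for transition services agreement.js",
                    "// placeholder script body for the example\n")
    return buf.getvalue()


def build_benign_zip():
    """Constructed archive with ordinary document members and no script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", "%PDF-1.4 placeholder\n")
        zf.writestr("notes.txt", "meeting notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_zip()), ("benign", build_benign_zip())):
        print(label, scan_archive(blob))
```

Each reason is reported separately so a triage rule can weight them: a `.js` member alone is common in legitimate developer archives, but a `.js` member that is the only file, carries a sentence-length document title, or hides a document extension behind a script extension is the combination this campaign relied on.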

SEO poisoning has become an effective part of today's crimeware distribution strategies. Attackers are having a great deal of success with these approaches, and they are expected to evolve them to further mask such malicious efforts. It is therefore essential for organizations with popular products or brands to stay vigilant about their brands and deploy security solutions that detect fraud, and for the Science of Security (SoS) community to continue exploring new solutions for combating SEO attacks. Users are also urged to take care and review search results closely before clicking links, to ensure that the websites they visit are legitimate, and to avoid downloading apps from or supplying sensitive information to unofficial websites.

Submitted by Anonymous on