
SEO poisoning attacks are on the rise in 2023

A new investigative report from SentinelOne reveals an SEO poisoning attack campaign hijacking brand names in paid search advertising.

A user discovers malware delivered via poisoned SEO.
Image: SizeSquare’s/Adobe Stock

SentinelOne has reported an increase in malicious search engine ads in recent weeks. The researchers explain that attackers using search engine optimization poisoning are generally more successful “when they SEO poison the results of popular downloads associated with organizations that lack extensive internal brand protection resources.”


What is an SEO poisoning attack?

SEO poisoning attacks consist of modifying search engine results so that the first advertised links actually lead to attacker-controlled sites, usually to infect visitors with malware or attract more people to ad fraud. SentinelOne gave an example of a recent SEO poisoning campaign in their report.


The Blender 3D SEO poisoning campaign

A routine Google search for the brand name Blender 3D, an open-source 3D graphic design application, yielded the following results on January 18, 2023 (Image A):

Image A

The Google search engine results show three fraudulent ads when searching for Blender 3D.
Image: SentinelOne

A user who misreads the URL or is unsure of the exact URL of the software could click on one of these attacker-controlled domains, which could lead to an attack.

The malicious blender-s.org top result is an almost exact copy of Blender’s legitimate website, but its download link does not lead to a download on blender.org; instead it points to a Dropbox URL that serves a blender.zip file.

The second malicious website, blenders.org, is similar: it is an almost perfect copy of the legitimate Blender website, but its download link leads to a different Dropbox URL, which also serves a blender.zip file.

The third and final malicious website is also a copy of the legitimate website, but provides a Discord URL and delivers a file called blender-3.4.1-windows-x64.zip.

The payloads of SEO poisoning

The zip files downloaded from Dropbox contain executable files. The first raises immediate suspicion because it is signed with an invalid certificate issued to AVG Technologies USA, LLC (Figure B), a certificate that has already been observed on other malware, including the infamous Raccoon Stealer.

Figure B

Invalid certificate used by the malicious executable.

It is also worth noting that the zip file has a size less than 2 MB, but the executable file extracted from it is almost 500 MB. This is probably an attempt to bypass some security solutions that fail to analyze such large files.
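The size mismatch described above (an archive under 2 MB that unpacks to a roughly 500 MB executable) is detectable from the zip directory alone, without extracting anything. The following is an added example, not code from the SentinelOne report; the archive it inspects is constructed in memory to mimic that pattern, and the thresholds are assumptions to tune per environment.

```python
import io
import os
import zipfile

# Constructed sample archive (not the real blender.zip): one member is a
# huge, highly compressible "executable" padded with zeros, the other is
# 2 MB of random bytes that compresses normally.
def build_sample_zip(padded_size: int = 8 * 1024 * 1024) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("blender.exe", b"MZ" + b"\x00" * padded_size)
        zf.writestr("readme.bin", os.urandom(2 * 1024 * 1024))
    return buf.getvalue()

def inflated_members(zip_bytes: bytes, min_size: int = 50 * 1024 * 1024,
                     min_ratio: float = 100.0):
    """Return (name, uncompressed, compressed, ratio) for members that are
    both large on disk and implausibly compressible, i.e. mostly padding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size >= min_size and ratio >= min_ratio:
                findings.append((info.filename, info.file_size,
                                 info.compress_size, round(ratio, 1)))
    return findings

if __name__ == "__main__":
    sample = build_sample_zip()
    # Lower min_size so the 8 MB sample trips the check; keep the default for real scans.
    for name, size, csize, ratio in inflated_members(sample, min_size=1 << 20):
        print(f"suspicious: {name} {size} bytes -> {csize} bytes compressed ({ratio}x)")
```

A flagged member is a candidate for sandbox detonation with the padding stripped, or for a size-independent scanning path, rather than a verdict on its own.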

According to VirusTotal, the malware is possibly Vidar (Figure C), an information stealer capable of harvesting financial information, passwords and browsing history from browsers, password managers and cryptocurrency wallets.

Figure C

Zip file contains Vidar malware with identified C2 server.
Image: VirusTotal

The second zip file, unknown to VirusTotal, may be similar, as the zip file is the same size and was created five minutes after the first. The final file, downloaded from Discord, contains an ISO file that is also likely malicious.

Widening the attack surface

According to SentinelOne researchers, the threat actor behind the first two malicious websites is also responsible for dozens of other similar websites, always masquerading as popular software like Photoshop or remote access software.

All those websites were quickly blocked by Cloudflare, whose services the cybercriminals had been using. Any user attempting to connect to one of the fraudulent websites now sees a Cloudflare warning page flagging it as a phishing site.

How to mitigate this threat and protect your company’s reputation

As mentioned earlier, SEO poisoning attackers usually choose to impersonate popular products or brands to carry out their malicious operations. This has a huge impact on users, as they may be compromised by malware, which can lead to stolen data. Yet it also has a huge impact on businesses, as the average user often doesn’t understand this type of fraud and ends up thinking that the real brand is responsible.

Companies with highly popular products or brands should be careful with their brands and use security solutions to detect such fraud before it is too late.

For starters, organizations should carefully review any new domain registered on the Internet that bears similarities to one of their brands or names. Since fraudsters often register domain names that are very similar to the legitimate ones, in most cases it is possible to track them down within 48 hours, analyze the situation immediately and take action to reduce the risk.

Companies can work on the legal side to have the fraudulent domains transferred to them if they can justify a trademark infringement, but that could take some time. In the meantime, should fraudulent content appear on the fraudulent domain, they may want to shut it down by contacting the hosting company, registrar, or DNS provider to make the fraud unavailable.

Finally, companies can preemptively register different variants of their legitimate domain names, preventing fraudsters from doing so. However, this method costs energy and money, and not every company may want to go down this path.
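The domain review step above (spotting newly registered names that resemble a brand, such as blender-s.org or blenders.org next to blender.org) can be automated with an edit-distance screen. This is an added example, not code from the report or from Blender; the brand list, the candidate domains and the distance threshold are all constructed for illustration, and the feed of newly seen domains is assumed to come from elsewhere (certificate transparency logs, registrar feeds, proxy logs).

```python
# Constructed watchlist: the brand's real domain plus newly seen domains to screen.
BRAND_DOMAINS = ["blender.org"]
NEW_DOMAINS = ["blender-s.org", "blenders.org", "blender.org",
               "example.org", "blendr.org"]

def registrable_label(domain: str) -> str:
    """Label left of the last dot (naive: ignores multi-part TLDs such as .co.uk)."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def is_lookalike(candidate: str, brand: str, max_distance: int = 2) -> bool:
    if candidate.lower() == brand.lower():
        return False                     # the brand's own domain
    cand = registrable_label(candidate).replace("-", "")
    base = registrable_label(brand)
    if base in cand:                     # blender-s, blenders, blender-download
        return True
    return levenshtein(cand, base) <= max_distance   # blendr, blneder

def screen_domains(domains, brands=BRAND_DOMAINS):
    """Domains worth a takedown review, in input order."""
    return [d for d in domains if any(is_lookalike(d, b) for b in brands)]

if __name__ == "__main__":
    for d in screen_domains(NEW_DOMAINS):
        print("review:", d)
```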

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
