SEO wizardry abused to push malware into Google search rankings

Sodinokibi ransomware group flexes its SEO muscles


Cybercriminals are deploying search engine optimization (SEO) tricks to push malicious domains up the Google search rankings, security researchers have discovered.

According to a report from the security team at AT&T, in addition to distributing malware via email campaigns, the operators behind the infamous Sodinokibi ransomware are targeting key phrases commonly punched into Google.

In the scenario analyzed in the report, a client ended up downloading a rigged JavaScript file from a malicious domain. The website had appeared on the first page of Google, in eighth position, for the search term “Missouri and Kansas tax reciprocity”.

“There’s a saying that nothing can be certain, except death and taxes; in today’s cyber threat landscape, we can add ransomware to that shortlist,” wrote Ken Ng, a researcher at AT&T. “In this incident, one of [our] customers almost had an incident at the crossroads of taxes and ransomware.”

SEO for cybercriminals

Although the attack was mitigated automatically by the security protections in place, AT&T believed the incident warranted further investigation, as it was not immediately clear how the individual had ended up with the infection.

“Once we had an idea of what the JavaScript led to, we could attempt to find how the user potentially got the file,” AT&T explained. “Leveraging the information from the file name, plus some context with the one PDF the user was able to get from a legitimate site, we were able to emulate the user’s actions.”

When researchers eventually tracked down the offending domain, they found it stood out because it used HTTP, not HTTPS (a more secure protocol), and because the URL itself had nothing to do with the headline of the page, which had been crafted with SEO in mind.
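The red flags the researchers describe (plain HTTP rather than HTTPS, a URL path unrelated to the page title, a sparse page whose main content is a script download) can be turned into a simple triage check for search-result landing pages. The script below is an added example, not code from the AT&T report or from TechRadar; the domain, page content and thresholds are constructed for illustration.

```python
"""Heuristic triage of a search-result landing page.

Scores a URL and its HTML against the warning signs described in the
article: plain HTTP, URL path unrelated to the page title, very little
page text, and a link whose target is a script file. Added example; the
sample pages below are constructed, not taken from the report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

STOPWORDS = {"a", "an", "and", "the", "of", "with", "does", "have", "is", "in", "to"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".hta")
MIN_TEXT_CHARS = 300  # assumed threshold for a "sparse" page


def tokens(text):
    """Lower-cased alphanumeric words, minus stopwords and single characters."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower())
            if t not in STOPWORDS and len(t) > 1}


class _Extractor(HTMLParser):
    """Collects the <title>, all <a href> targets and the amount of body text."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = []
        self.text_chars = 0
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.text_chars += len(data.strip())


def triage(url, html):
    """Return the list of red flags raised by this page, in a fixed order."""
    ex = _Extractor()
    ex.feed(html)
    parsed = urlparse(url)
    flags = []
    if parsed.scheme != "https":
        flags.append("plain-http")
    # The report's page had a URL that said nothing about its SEO-crafted title.
    path_tokens = tokens(parsed.path)
    title_tokens = tokens(ex.title)
    if path_tokens and title_tokens and not (path_tokens & title_tokens):
        flags.append("url-title-mismatch")
    if ex.text_chars < MIN_TEXT_CHARS:
        flags.append("sparse-page")
    if any(link.lower().split("?")[0].endswith(SCRIPT_EXTENSIONS) for link in ex.links):
        flags.append("script-download-link")
    return flags


# Constructed sample: a sparse HTTP page with an unrelated slug and a .js download.
SUSPICIOUS_URL = "http://example.invalid/blog/post-8812/"
SUSPICIOUS_HTML = """<html><head><title>Does Missouri have a reciprocal agreement with Kansas?</title></head>
<body><p>Click below to download the answer.</p>
<a href="/files/answer-missouri-kansas.js">Download</a></body></html>"""

# Constructed sample: an HTTPS page whose slug matches its title and that links a PDF.
BENIGN_URL = "https://example.invalid/tax/missouri-kansas-reciprocity-agreement"
BENIGN_HTML = ("<html><head><title>Missouri and Kansas tax reciprocity explained</title></head><body><p>"
               + "Missouri and Kansas each tax residents on all income and offer a credit "
                 "for tax paid to the other state. " * 4
               + "</p><a href=\"/files/guide.pdf\">Download the guide (PDF)</a></body></html>")


if __name__ == "__main__":
    print(SUSPICIOUS_URL, triage(SUSPICIOUS_URL, SUSPICIOUS_HTML))
    print(BENIGN_URL, triage(BENIGN_URL, BENIGN_HTML))
```

None of these signals is conclusive on its own (plenty of legitimate pages still use plain HTTP, and short pages are common), which is why the function returns every flag rather than a verdict; a proxy or browser extension would typically warn, not block, on one flag and escalate when several coincide.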

The page itself was reportedly “extremely suspicious and sparse”, containing a link to download the answer to the original search query: “does Missouri have a reciprocal agreement with Kansas?”.

The specificity of this level of targeting is alarming (after all, a comparatively small number of people are likely to be making this particular query) and raises the question: how many other key terms are Sodinokibi and other cybercriminals targeting?

To shield against attacks of this kind, users are advised to ensure their devices are protected by a leading antivirus service, to steer clear of websites not protected by HTTPS and to avoid downloading content from unfamiliar sources.

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
