Hackers exploit websites to give them excellent SEO before deploying malware
Climbing up Google’s ranks is key to this new technique.
Cyberattackers have turned to search engine optimization (SEO) techniques to deploy malware payloads to as many victims as possible.
While it isn’t known if a particular exploit is used to compromise these domains in the first place, the researchers say that CMSs running the backend of websites could have been hijacked via malware, stolen credentials, or brute-force attacks.
Once the threat actors have obtained access, a few lines of code are inserted into the body of the website content. Server-side checks then determine whether the visitor is of interest as a target, for example by examining their IP address and location, and visitors arriving from a Google search are the ones most commonly accepted.
Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which “subtle” modifications are made to “rewrite how the contents of the website are presented to certain visitors.”
“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” Sophos says.
If the attackers’ criteria aren’t met, the browser will display a seemingly-normal web page — that eventually dissolves into garbage text.
A fake forum post will then be displayed containing an apparent answer to the query, as well as a direct download link. In one example discussed by the team, the website of a legitimate neonatal clinic was compromised to show fake answers to questions relating to real estate.
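The cloaking described above is conditional on the request: the injected server-side code shows the fake forum thread only to visitors who appear to arrive from a search engine, and only on their first visit from a given IP address. A site owner can therefore check their own pages for it by requesting the same URL with and without a search-engine Referer and comparing the visible text. The following script is an added example, not code from the article or from Sophos; the Referer value, the similarity threshold and the sample HTML are constructed assumptions standing in for the compromised clinic site the article mentions.

```python
import difflib
import re
import urllib.request
from html.parser import HTMLParser
from typing import Dict

# Request variants a site owner can send to their own pages. The Referer
# value is an assumed search-engine click-through; the cloaked page is
# reported to be served only to such visitors and only on the first visit
# from an IP address, so this variant is requested first.
VARIANTS: Dict[str, Dict[str, str]] = {
    "google_referer": {"Referer": "https://www.google.com/"},
    "direct": {},
}


class _TextExtractor(HTMLParser):
    """Collect visible text, ignoring script and style contents."""

    def __init__(self) -> None:
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Reduce an HTML body to its whitespace-normalised visible text."""
    parser = _TextExtractor()
    parser.feed(html)
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()


def similarity(a: str, b: str) -> float:
    """Word-level similarity between two text bodies, 0.0 to 1.0."""
    return difflib.SequenceMatcher(None, a.split(), b.split()).ratio()


def detect_cloaking(responses: Dict[str, str], threshold: float = 0.8) -> Dict[str, dict]:
    """Compare every variant against the direct (no referrer) response.

    A variant whose visible text diverges from the baseline more than the
    threshold allows is flagged as cloaked: the server is showing search
    visitors something it does not show everyone else.
    """
    baseline = visible_text(responses["direct"])
    findings = {}
    for name, body in responses.items():
        if name == "direct":
            continue
        ratio = similarity(baseline, visible_text(body))
        findings[name] = {"similarity": round(ratio, 2), "cloaked": ratio < threshold}
    return findings


def fetch_variants(url: str, timeout: int = 10) -> Dict[str, str]:
    """Fetch the URL once per variant (needs network; not used by the sample below)."""
    out = {}
    for name, headers in VARIANTS.items():
        req = urllib.request.Request(url, headers={"User-Agent": "cloaking-check/1.0", **headers})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out[name] = resp.read().decode("utf-8", errors="replace")
    return out


# Constructed sample responses: the real page for direct visitors and a fake
# forum thread for the search-engine visitor, modelled on the clinic example.
SAMPLE_DIRECT = """<html><body><h1>Neonatal Clinic</h1>
<p>Our clinic provides specialist care for newborns and their families.</p>
<p>Opening hours, directions and contact details are listed below.</p></body></html>"""

SAMPLE_GOOGLE = """<html><body><h2>Forum: real estate contract question</h2>
<div class="post">Reply: I had the same question last week, the template
you need is in the archive linked in this post.</div></body></html>"""


def run_sample() -> Dict[str, dict]:
    """Run the comparison over the constructed responses."""
    return detect_cloaking({"direct": SAMPLE_DIRECT, "google_referer": SAMPLE_GOOGLE})


if __name__ == "__main__":
    print(run_sample())
```

Because the injected code remembers IP addresses it has already served, run `fetch_variants` from an address that has not visited the site before and keep the first response; a repeat request from the same address may get the benign page and hide the problem.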
Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file.
The .js file executes, runs in memory, and obfuscated code is then decrypted to call other payloads.
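The delivery artifact is a zip archive, named after the search query, whose content is a script rather than the document the visitor was looking for. That is something a download proxy or mail gateway can check before the archive reaches a user. The following is an added example, not code from the article or from Sophos: it inspects an archive's member list and blocks any archive that unpacks to a script-type file. The extension list beyond `.js` and the sample archives are this example's own assumptions and constructed data.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions that Windows Script Host or the shell will execute on double-click.
# The article names .js; the rest are the usual script-type companions and are
# this example's assumption, not the article's.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def inspect_archive(data: bytes) -> Dict[str, object]:
    """Flag archives whose members include directly executable scripts.

    Returns the member count, the flagged members, and a block decision:
    any script member is enough, because a document download should never
    unpack to a script.
    """
    flagged: List[Dict[str, object]] = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += 1
            # splitext keeps only the last extension, so "report.pdf.js"
            # is still recognised as a script.
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                flagged.append({"name": info.filename, "size": info.file_size, "lone_script": False})
    # A single-member archive whose only file is a script is the exact shape
    # the article describes, so mark it for higher-priority triage.
    for member in flagged:
        member["lone_script"] = total == 1
    return {"members": total, "script_members": flagged, "block": bool(flagged)}


def build_sample_archive(member_name: str, content: bytes) -> bytes:
    """Constructed one-member archive for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: a lure archive named after a search query whose only
# member is a script (placeholder content, not a real payload), and a benign
# archive containing a text document.
LURE = build_sample_archive("lease agreement template 48213.js", b"// placeholder\nvar a = 1;\n")
BENIGN = build_sample_archive("lease agreement template.txt", b"plain text document\n")


if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, inspect_archive(blob))
```

The check reads only the central directory, so it does not execute or even decompress the member; on a gateway it can sit in front of any archive download and feed the `lone_script` flag into alert priority.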
According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.
“At several points, it’s possible for end-users to avoid the infection, if they recognize the signs,” the researchers say. “The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools.”
Source: www.zdnet.com