HomeTech PlusTECH & OTHER NEWSHackers exploit websites to give them excellent SEO before deploying malware

Hackers exploit websites to give them excellent SEO before deploying malware

Cyberattackers have turned to search engine optimization (SEO) techniques to deploy malware payloads to as many victims as possible. 

According to Sophos, the so-called search engine “deoptimization” method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google’s rankings. 

SEO optimization is used by webmasters to legitimately increase their website’s exposure on search engines such as Google or Bing. However, Sophos says that threat actors are now tampering with the content management systems (CMS) of websites to serve financial malware, exploit tools, and ransomware. 

In a blog post on Monday, the cybersecurity team said the technique, dubbed “Gootloader,” involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT) which also delivers a variety of other malware payloads. 

The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers — 400, if not more — must be maintained at any given time for success. 

While it isn’t known if a particular exploit is used to compromise these domains in the first place, the researchers say that CMSs running the backend of websites could have been hijacked via malware, stolen credentials, or brute-force attacks. 

Once the threat actors have obtained access, a few lines of code are inserted into the body of website content. Checks are performed to ascertain whether the victim is of interest as a target — such as based on their IP and location — and queries originating from Google search are most commonly accepted. 

Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which “subtle” modifications are made to “rewrite how the contents of the website are presented to certain visitors.”

“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” Sophos says.

If the attackers’ criteria aren’t met, the browser will display a seemingly-normal web page — that eventually dissolves into garbage text. 

A fake forum post will then be displayed containing an apparent ‘answer’ to the query, as well as a direct download link. In one example discussed by the team, the website of a legitimate neonatal clinic was compromised to show ‘answers’ to questions relating to real estate. 

screenshot-2021-02-26-at-17-36-36.png

Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file. 

The .js file executes, runs in memory, and obfuscated code is then decrypted to call other payloads. 

According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States. 

“At several points, it’s possible for end-users to avoid the infection, if they recognize the signs,” the researchers say. “The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools.”

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


By ZDNet Source Link

Technology For You
Technology For Youhttps://www.technologyforyou.org
Technology For You - One of the Leading Online TECHNOLOGY NEWS Media providing the Latest & Real-time news on Technology, Cyber Security, Smartphones/Gadgets, Apps, Startups, Careers, Tech Skills, Web Updates, Tech Industry News, Product Reviews and TechKnowledge...etc. Technology For You has always brought technology to the doorstep of the Industry through its exclusive content, updates, and expertise from industry leaders through its Online Tech News Website. Technology For You Provides Advertisers with a strong Digital Platform to reach lakhs of people in India as well as abroad.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

spot_img

CYBER SECURITY NEWS

TECH NEWS

TOP NEWS