
SEO poisoning campaign directs search engine visitors from multiple industries to JavaScript malware


Researchers have discovered a high-effort search engine optimization (SEO) poisoning campaign that appears to target employees across multiple industries and government sectors when they search for terms specific to their work. Clicking on the malicious search results, which are artificially pushed higher in the rankings, leads visitors to a known JavaScript malware downloader.

“Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects,” researchers from security firm Deepwatch said in a new report. “The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., ‘Confidentiality Agreement for Interpreters.’ The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site.”

How SEO poisoning works

Deepwatch came across the campaign while investigating an incident at a customer where one of the employees searched for “transition services agreement” on Google and ended up on a website that presented them with what appeared to be a forum thread where one of the users shared a link to a zip archive. The zip archive contained a file called “Accounting for transition services agreement” with a .js (JavaScript) extension that was a variant of Gootloader, a malware downloader known in the past to deliver a remote access Trojan called Gootkit but also various other malware payloads.
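The delivery pattern described above (a zip archive carrying a single .js file named like a business document) lends itself to a simple triage check; the following is an added example written for this article, not Deepwatch's code, and its extension list, lure words and sample archive are assumptions.

```python
import io
import re
import zipfile

# Extensions Windows hands to the Windows Script Host on double-click
# (assumed list, not taken from the report).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Words typical of the document-style lure titles the report describes.
LURE_WORDS = re.compile(r"\b(agreement|contract|form|template|checklist)\b", re.I)


def file_members(zip_bytes: bytes) -> list[str]:
    """Return the non-directory member names of an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not n.endswith("/")]


def script_members(zip_bytes: bytes) -> list[str]:
    """Return member names that carry a script extension (case-insensitive)."""
    hits = []
    for name in file_members(zip_bytes):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            hits.append(name)
    return hits


def triage(zip_bytes: bytes) -> dict:
    """'suspicious' if any script member is present; 'gootloader-like' when the
    script is the archive's only member and its name reads like a document."""
    members = file_members(zip_bytes)
    scripts = script_members(zip_bytes)
    verdict = "clean"
    if scripts:
        verdict = "suspicious"
        if len(members) == 1 and LURE_WORDS.search(scripts[0]):
            verdict = "gootloader-like"
    return {"verdict": verdict, "scripts": scripts, "members": len(members)}


def build_sample(*names: str) -> bytes:
    """Construct an in-memory zip with placeholder bodies for the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"// constructed placeholder body\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mimicking the archive the article describes.
    print(triage(build_sample("Accounting for transition services agreement.js")))
```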

Transition services agreements (TSAs) are commonly used during mergers and acquisitions to facilitate the transition of a part of an organization following a sale. Since they are frequently used, many resources are likely available for them. The fact that the user saw and clicked on this link suggests it was displayed high in ranking.

When the researchers examined the site hosting the malware delivery page, they found it was a sports streaming distribution site that, judging by its content, was likely legitimate. However, hidden deep in its structure were over 190 blog posts on topics of interest to professionals in various industry sectors. These blog posts can only be reached via Google search results.

“The suspicious blog posts cover topics ranging from government, and legal to real estate, medical, and education,” the researchers said. “Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries.”

Copyright © 2022 IDG Communications, Inc.
