Cybercriminals are using search engine optimization (SEO) to push malicious domains up Google's search rankings, a security researcher has found.
According to a report from AT&T's security team, the operators behind the infamous Sodinokibi ransomware are, in addition to distributing malware through email campaigns, targeting key phrases that are commonly typed into Google.
In the scenario analyzed in the report, a client downloaded a malicious JavaScript file from a malicious domain. The website appeared as the eighth result on the first page of Google for the search term "Missouri and Kansas tax reciprocity".
"There's a saying that nothing is certain, except death and taxes. In today's cyberthreat landscape, ransomware can be on the shortlist," writes AT&T researcher Ken Ng. "In this case, [our] customer almost had an encounter with ransomware at the tax crossroads."
SEO for cybercriminals
Although the attack was automatically mitigated by appropriate security protections, AT&T said the incident warranted further investigation, since it was not immediately clear how the individual had become infected.
"By knowing what the JavaScript caused, we can determine how the user may have obtained the file," AT&T explained. "Leveraging the context of the filename, in addition to the information from the PDF the user was able to access from the legitimate site, we were able to emulate the user's actions."
Researchers eventually tracked down the domain in question and noted that it used HTTP rather than the more secure HTTPS, and that the URL itself bore no relation to the SEO-crafted page headline, which made it stand out.
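The two indicators the researchers describe above (a plain-HTTP site and a URL unrelated to the search query that led to it), combined with the fact that a script file was downloaded straight from a search-results page, can be turned into a simple proxy-log triage rule. The script below is an added illustration, not code from AT&T's report; its log format, the `SAMPLE_LOG` lines and every `.example` hostname are constructed placeholders, and the `search_terms`, `indicators` and `analyze` helper names are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Illustrative defender-side triage script (not from AT&T's report).
# Constructed sample proxy log: timestamp, client, method, URL, referer ("-" if none).
# Every hostname is a placeholder; none of these are real indicators of compromise.
SAMPLE_LOG = """\
2022-11-15T09:12:01Z 10.0.0.5 GET http://results-hub.example/a8f1/index.html https://www.google.com/search?q=missouri+and+kansas+tax+reciprocity
2022-11-15T09:12:09Z 10.0.0.5 GET http://results-hub.example/a8f1/dl.js https://www.google.com/search?q=missouri+and+kansas+tax+reciprocity
2022-11-15T09:15:44Z 10.0.0.7 GET https://revenue.state.example/individual/missouri-kansas-reciprocity.html https://www.google.com/search?q=missouri+kansas+reciprocity+agreement
2022-11-15T09:20:03Z 10.0.0.9 GET https://cdn.example.org/assets/app.js https://www.example.org/
2022-11-15T09:21:10Z 10.0.0.9 GET https://cdn.example.org/assets/vendor.js -
"""

# File types whose download directly from a search result deserves a second look.
SCRIPT_EXTS = (".js", ".zip", ".exe", ".hta", ".vbs")
# Words dropped from the search query before comparing it with the landing URL.
STOPWORDS = {"a", "an", "and", "the", "of", "with", "does", "have", "is", "in"}


def search_terms(referer):
    """Return the set of query terms if the referer is a search-results page, else None."""
    if not referer or referer == "-":
        return None
    ref = urlparse(referer)
    host = "." + ref.netloc.lower()
    if not ((".google." in host or ".bing." in host) and ref.path == "/search"):
        return None
    query = parse_qs(ref.query).get("q", [""])[0]
    return {t for t in re.findall(r"[a-z0-9]+", query.lower()) if t not in STOPWORDS}


def url_tokens(url):
    """Alphanumeric tokens from the host and path of a URL (the page's 'headline' words)."""
    parsed = urlparse(url)
    return set(re.findall(r"[a-z0-9]+", (parsed.netloc + parsed.path).lower()))


def indicators(url, referer):
    """List the suspicious properties of one request, in a fixed order."""
    parsed = urlparse(url)
    found = []
    if parsed.scheme == "http":                      # served without TLS
        found.append("plain-http")
    if parsed.path.lower().endswith(SCRIPT_EXTS):   # script or archive fetched
        found.append("script-download")
    terms = search_terms(referer)
    # Landed here from a search, yet the URL shares no word with what was searched for.
    if terms is not None and not (terms & url_tokens(url)):
        found.append("url-unrelated-to-query")
    return found


def analyze(log_text):
    """Return findings for script downloads that carry at least one more indicator."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, referer = parts[:5]
        found = indicators(url, referer)
        if "script-download" in found and len(found) >= 2:
            findings.append({"time": ts, "client": client, "url": url, "indicators": found})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["time"], finding["client"], finding["url"], ", ".join(finding["indicators"]))
```

On the sample log only the second line is reported: a `.js` file fetched over plain HTTP from a path that shares no word with the Google query that led there. The legitimate state site is left alone because its URL repeats the query terms and it uses HTTPS, and the CDN script requests are ignored because they did not arrive from a search-results page. The query-overlap check is deliberately crude (no stemming), so it is a triage aid to be paired with a look at the page itself, not a verdict.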
The page itself was "highly questionable and sparse" and contained links to download the answer to the original search query, "Does Missouri have a reciprocal agreement with Kansas?"
This level of targeting specificity is alarming (after all, relatively few people are likely to run this particular query) and raises the question: what other key terms are Sodinokibi and other cybercriminals targeting?
To guard against this type of attack, users are advised to ensure their devices are protected by key defenses such as antivirus software, to avoid websites that aren't secured with HTTPS, and to refrain from downloading content from unfamiliar sources.