Group Uses SEO to Poison Google Search Results With Links to Banking Trojan

LASER_oneXM

When you think you've seen it all, malware authors always find a way to impress you. Today's "that's clever!" moment comes courtesy of a criminal group that's been spreading a new version of the Zeus Panda banking trojan since June, this year.

Instead of relying on old techniques of malvertising and spam campaigns, this group has taken a novel approach, never before seen in the distribution of banking trojans.

Black-hat SEO, for the win!
This Zeus Panda group decided to rely on a network of hacked websites, on which they inserted carefully chosen keywords in new pages or hid the keywords inside existing pages.

The group leveraged the favorable Google SERP (Search Engine Results Pages) ranking of the hacked sites to position these malicious pages at the top of Google search results for specific queries related to online banking and personal finances.

For example, a person searching for "al rajhi bank working hours in ramadan" would see a malicious link ranked at the top of Google search results.

Users clicking on these links would arrive on the hacked site, from where malicious JavaScript code would execute in the background and redirect the user through a series of sites until he reached one offering a Word document for download.

Malware group combines SEO spam and malvertising
This tangled chain of URL redirections is specific to malvertising campaigns that jolt users from sites running tainted ads to exploit kits, tech support scams, or fake software updaters.

The Zeus Panda group basically combined SEO spam botnets (made up of hacked sites hiding secret keywords that boost the SEO reputation of other sites) with a classic malvertising-to-exploit-kit redirection chain.

The Word document users got would be identical to the one someone would get if they received it via a spam email. The only difference would be how they got it, but not what was inside.
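A defender-side sketch of the chain described in the article above (search click, hacked site, redirect hops, Word document), added as an example and not part of the original post or article: it walks referrer chains in a web proxy log and flags document downloads that trace back to a search result. The log layout, hostnames, and thresholds are constructed assumptions.

```python
from urllib.parse import urlparse

WORD_EXT = (".doc", ".docm", ".docx")

# Constructed proxy log rows: (epoch_seconds, client, url, referrer)
SAMPLE_LOG = [
    (1000, "10.0.0.5", "http://hacked-site.example/bank-hours.html",
     "https://www.google.com/search?q=bank+working+hours"),
    (1002, "10.0.0.5", "http://hop1.example/r.js",
     "http://hacked-site.example/bank-hours.html"),
    (1003, "10.0.0.5", "http://hop2.example/go", "http://hop1.example/r.js"),
    (1005, "10.0.0.5", "http://dl.example/report.doc", "http://hop2.example/go"),
    (2000, "10.0.0.9", "http://intranet.example/policy.docx",
     "http://intranet.example/hr"),
    (3000, "10.0.0.7", "http://news.example/story",
     "https://www.google.com/search?q=news"),
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def is_search_referrer(ref):
    # Loose heuristic: a "google" host label plus a /search path.
    # Replace with an exact host allow-list in production.
    return "google" in host(ref).split(".") and urlparse(ref).path.startswith("/search")

def find_chains(log, window=60, min_hosts=3):
    """Flag Word downloads whose referrer chain starts at a search click,
    crosses at least `min_hosts` distinct hosts, and fits in `window` seconds."""
    seen = {}      # (client, url) -> (timestamp, referrer)
    alerts = []
    for ts, client, url, ref in sorted(log):
        seen[(client, url)] = (ts, ref)
        if not urlparse(url).path.lower().endswith(WORD_EXT):
            continue
        chain, cur_ref = [url], ref
        # Walk backwards: each referrer should be a URL this client fetched earlier.
        while (client, cur_ref) in seen and cur_ref not in chain:
            prev_ts, prev_ref = seen[(client, cur_ref)]
            if ts - prev_ts > window:
                break
            chain.append(cur_ref)
            cur_ref = prev_ref
        if is_search_referrer(cur_ref) and len({host(u) for u in chain}) >= min_hosts:
            alerts.append({"client": client, "landing": chain[-1],
                           "document": url, "hops": chain[::-1]})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```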
 

vemn

Hackers Poison Google Search Results to Deliver Zeus Panda

Kinda scary when they are able to manipulate the search results, or are probably influencing the big data model or machine learning behind the scenes...
Guess it's back to Security 101 though: make sure we know what we are surfing for, especially bank sites.
And, get some form of browser/internet security. lol..
 

Prorootect

"The group leveraged the favorable Google SERP (Search Engine Results Pages) ranking of the hacked sites to position these malicious pages at the top of Google search results .."
- nothing new, sadly.

vemn wrote: "get some form of browser/internet security." - sure, you have many security propositions in 'Browser and Extensions' MT section ..

Long ago I said that one should not believe in any Zeus, but in a true God.
 
