Group Uses SEO to Poison Google Search Results With Links to Banking Trojan

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
When you think you've seen it all, malware authors always find a way to impress you. Today's "that's clever!" moment comes courtesy of a criminal group that's been spreading a new version of the Zeus Panda banking trojan since June, this year.

Instead of relying on old techniques of malvertising and spam campaigns, this group has taken a novel approach, never before seen in the distribution of banking trojans.

Black-hat SEO, for the win!
This Zeus Panda group decided to rely on a network of hacked websites, on which they inserted carefully chosen keywords in new pages or hid the keywords inside existing pages.

The group leveraged the favorable Google SERP (Search Engine Results Pages) ranking of the hacked sites to position these malicious pages at the top of Google search results for specific queries related to online banking and personal finances.

For example, a person searching for "al rajhi bank working hours in ramadan" would see a malicious link ranked at the top of Google search results.

Users clicking on these links would arrive on the hacked site, from where malicious JavaScript code would execute in the background and redirected the user through a series of sites until he reached one offering a Word document for download.
Click to expand...

Malware group combines SEO spam and malvertising
This tangled chain of URL redirections is specific to malvertising campaigns that jolt users from sites running tainted ads to exploit kits, tech support scams, or fake software updaters.

The Zeus Panda group basically combined SEO spam botnets (made up of hacked sites hiding secret keywords that boost the SEO reputation of other sites) with a classic malvertising-to-exploit-kit redirection chain.

The Word document users got would be identical to the one someone would get if they received it via a spam email. The only difference would be how they got it, but not what was inside.
Click to expand...
 
  • Like
Reactions: shmu26, Venustus, aragornnnn and 7 others
vemn

vemn

Level 6
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
Hackers Poison Google Search Results to Deliver Zeus Panda

Kinda scary when they are able to manipulate the search results or probably influencing the big data model or machine learning behind the scene...
Guessed it's back to Security 101 though, make sure we know what we are surfing for.. especially bank sites.
And, get some form of browser/internet security. lol..
 
  • Like
Reactions: XhenEd, Venustus, Prorootect and 1 other person
Prorootect

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
"The group leveraged the favorable Google SERP (Search Engine Results Pages) ranking of the hacked sites to position these malicious pages at the top of Google search results .."
- nothing new, sadly.

vemn wrote: "get some form of browser/internet security." - sure, you have many security propositions in 'Browser and Extensions' MT section ..

Long ago I said that one should not believe in any Zeus, but in a true God.
 
Last edited:
  • Like
Reactions: XhenEd and Venustus
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware
Replies
0
Views
585
News Archive
silversurfer
silversurfer
Bot
Malware News Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites
Replies
0
Views
478
Security News
Bot
Bot
silversurfer
    • Like
    • +Reputation
Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike
Replies
0
Views
580
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top