Researchers discovered two campaigns, connected to either the REvil ransomware group or the SolarMarker backdoor, that use SEO poisoning to deliver payloads to targets. SEO poisoning, or “search poisoning”, is an attack technique in which websites are optimized with “black hat” SEO practices to boost their ranking in Google search results. Victims visit these high-ranking websites believing them to be legitimate, and the threat actors receive a steady flow of visitors who were searching for specific keywords.
The Menlo Security team discovered an increase in SEO poisoning used by malware distributors in operations including the Gootloader and SolarMarker campaigns. Threat actors injected over 2,000 unique keyword searches into websites, including “sports mental toughness,” “industrial hygiene walk-through,” “five levels of professional development evaluation,” and more. The optimized websites appear in search results as PDFs that prompt visitors to download the document. When a visitor clicks the download button, they are redirected to other websites that deliver the malicious payload. By using these redirects, the threat actors avoid having their websites removed from search results for hosting malicious content. In these campaigns, threat actors deployed REvil through Gootloader, or the SolarMarker backdoor.
The researchers found that, in both campaigns, the actors compromised legitimate websites that already ranked highly in Google searches rather than building their own malicious sites. The attackers exploited an undisclosed flaw in the “Formidable Forms” WordPress plugin to upload laced PDFs into the ‘/wp-content/uploads/formidable/’ folder. Users of this plugin are advised to update to version 5.0.10 or later, even though the most recent version, 5.0.07, was spotted in the compromised set. Websites in the business category are heavily targeted because such sites commonly host PDFs as guides or reports.
In 2012, threat actors launched the first modern encrypting ransomware, spreading their attacks widely in the hope of infecting as many people as possible. Now that ransomware groups target high-profile companies and demand multi-million-dollar payments, the spray-and-pray method is less commonly used because infected consumers are unlikely to pay large ransoms. According to BleepingComputer, one REvil affiliate carries out widespread attacks on consumers and small companies while demanding between $1,500 and $7,500 rather than millions of dollars in ransom. It has not been determined whether this REvil affiliate uses the SEO poisoning technique; however, the attack would fit their model of indiscriminately targeting any kind of victim.
With threat actors and ransomware groups continuously developing and refining new tactics and techniques, it’s crucial for companies to stay current with the latest threat landscape and to remain alert when searching Google, confirming that a site is legitimate rather than malicious before downloading anything from it. At SpearTip, we offer pre-breach and advisory services to help companies prepare for potential malicious threats, like SEO poisoning, and remediate their network security vulnerabilities. With our Security Operations Centers (SOC) operating 24/7/365, our certified engineers continuously monitor your global networks. Working in tandem with our SOC as a Service, the ShadowSpear platform, our endpoint detection and response tool, reveals potential ransomware threats like REvil or SolarMarker and prevents network infiltration.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
Website owners can protect their visitors from SEO poisoning attacks by regularly updating and patching their content management systems (CMS), plugins, and themes to ensure they have the latest security patches. They should also implement strong access controls and user authentication measures, regularly monitor their website traffic and logs for suspicious activity, and use web application firewalls (WAF) to filter out malicious traffic.
Websites with a high volume of web traffic or those that deal with sensitive information (such as e-commerce sites, financial institutions, or government websites) may be more attractive targets for cybercriminals.
SEO poisoning attacks can be sophisticated and may involve the use of legitimate-looking URLs and compromised websites, making them harder to detect using traditional antivirus software alone. Therefore, it is important for website owners to adopt a multi-layered security approach that includes regular vulnerability assessments, web application firewalls, and continuous monitoring for suspicious activity.
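A small detection script, added here as an example and not part of the original article or SpearTip's tooling, that applies the log-monitoring advice above to the specific pattern described in this campaign: it parses web-server access logs in the combined format and flags successful PDF downloads from the ‘/wp-content/uploads/formidable/’ folder whose Referer is a search engine. The sample log lines and the list of search-engine hostnames are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Combined log format as written by Apache and Nginx by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Upload folder the article names as the drop location for the laced PDFs.
SUSPECT_DIR = "/wp-content/uploads/formidable/"
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")  # assumed list

def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_search_referrer(referer):
    """True when the Referer header points at a major search engine."""
    host = urlparse(referer).netloc.lower()
    return any(engine in host for engine in SEARCH_ENGINES)

def find_suspect_downloads(lines):
    """(path, referer host) for every successful PDF download served from the
    Formidable uploads folder to a visitor who arrived from a search engine."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        path = rec["path"].split("?", 1)[0]
        if (path.startswith(SUSPECT_DIR) and path.lower().endswith(".pdf")
                and is_search_referrer(rec["referer"])):
            hits.append((path, urlparse(rec["referer"]).netloc.lower()))
    return hits

def downloads_per_file(lines):
    """Count hits per PDF so the most-fetched planted files surface first."""
    return Counter(path for path, _ in find_suspect_downloads(lines))

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2021:13:55:36 +0000] "GET /wp-content/uploads/formidable/sports-mental-toughness.pdf HTTP/1.1" 200 48213 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2021:13:56:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2021:13:57:12 +0000] "GET /wp-content/uploads/2021/annual-report.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Nov/2021:13:58:44 +0000] "GET /wp-content/uploads/formidable/sports-mental-toughness.pdf HTTP/1.1" 200 48213 "https://www.bing.com/search?q=sports+mental+toughness" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2021:13:59:02 +0000] "GET /wp-content/uploads/formidable/old.pdf HTTP/1.1" 404 196 "https://www.google.com/" "Mozilla/5.0"',
]
```

Run `downloads_per_file(open("access.log"))` against a real log; any PDF under the Formidable folder that the site owner did not publish, yet that search-engine visitors are fetching, warrants removal and a plugin update.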
©2024 SpearTip, LLC. All rights reserved.