Don’t Search Bengal Cats In Google: What Is SEO Poisoning and How Cybercriminals Use It to Hack Your System

November 19, 2024

While avoiding cyberattacks like phishing, malware, and social engineering is already a struggle for many, cybercriminals keep getting smarter by the day, making it even harder to stay protected. Recently, a shocking incident came to light, though perhaps not an entirely surprising one.

What if I told you that a harmless online search can get you hacked? Yes, this has actually happened.

According to a report by Sophos, a leading cybersecurity firm, a seemingly harmless search for “are Bengal cats legal in Australia?” has caused quite a whirlwind on the internet. It was revealed that cybercriminals are manipulating search engines through a technique known as “SEO poisoning”.

For those who don’t know, SEO, or Search Engine Optimization, is the process of improving a website’s ranking in search engine results by optimizing it for relevant keywords. The process is far more sophisticated than this, but let me explain it as simply as I can. Say you have a website “X” and you do SEO for queries/keywords like “pizza recipe”; then whenever a user searches for that query, your website will show up for them in the search results.

In this case, hackers used SEO techniques to push harmful websites to the top whenever someone searched for “are Bengal cats legal in Australia”.

Once a user clicks on any of these websites from the search results, the page lures them into downloading a malware file onto their device. The whole process is known as SEO poisoning, which we will talk about further in this blog post. We will also discuss GootLoader, the name of the malware involved in this attack.

What Was the Bengal Cats Issue All About?

Well, it was all about innocent searches taking an unexpected turn. Innocent searches are those made by users looking for information, entertainment, or general browsing, with no intention of engaging in illegal, harmful, or unethical behavior.

Here, hackers used SEO poisoning techniques to manipulate search engine rankings so that when users searched for “are Bengal cats legal in Australia”, they were shown malicious websites in the top results.

Then, when a user clicks on one of these fake links, they are often taken to a website that looks legitimate but is designed to initiate malware downloads or lead to dangerous pages.

Once users visit the malicious site, they may be tricked into downloading files or clicking links that deliver malware.

Now, coming to SEO Poisoning!

What is SEO Poisoning?

SEO poisoning is a malicious technique in which, instead of improving the ranking of a legitimate website, cybercriminals use SEO techniques to push harmful websites to the top of the results for specific keywords.

This technique often works because people place immense trust in search engines. When they see a website in the top results, they have a natural tendency to consider it safe and legitimate. Cybercriminals often target innocent-sounding phrases because such searches don’t raise any immediate red flags.

GootLoader: The Malware

The key element behind the whole campaign is GootLoader, a Remote Access Trojan (RAT). RATs are malware that attackers use to remotely access and control a user’s system.

GootLoader can be quietly downloaded onto a user’s computer. The most insidious part is that the user may not notice any changes right away. Meanwhile, the malware keeps working in the background, gathering the user’s login credentials, personal information, and other sensitive data and granting the hackers access to them.

How Do Cybercriminals Use GootLoader in SEO Poisoning Attacks?

The Infection Process:

When a user visits an infected site, they are asked to download a file (usually a zip file). The file looks legitimate, but what they are actually downloading is the GootLoader malware. The malware is usually hidden inside a zip file containing JavaScript files. Once the user opens these files, GootLoader starts to infect their system.
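As an added example (not code from the original post, and not Sophos’ tooling), the check below inspects a downloaded zip archive before anyone double-clicks its contents and reports members that are scripts rather than documents, recursing into nested archives. The extension list, the sample archive and its file names are constructed for this example:

```python
import io
import zipfile

# Extensions that Windows Script Host or mshta will run when double-clicked.
# Constructed list for this example; tune it to your own environment's policy.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")

MAX_DEPTH = 3  # stop recursing into nested archives past this depth


def risky_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return the names of archive members a user should not double-click.

    Script files are flagged directly; nested .zip members are opened in
    memory and inspected the same way, with nested names prefixed by the
    outer member so the report shows where the script was hiding.
    """
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                findings.append(name)
            elif lower.endswith(".zip") and depth < MAX_DEPTH:
                try:
                    inner = archive.read(info)
                    findings.extend(
                        f"{name}/{member}" for member in risky_members(inner, depth + 1)
                    )
                except zipfile.BadZipFile:
                    # An unreadable inner archive is itself worth a look.
                    findings.append(f"{name} (unreadable nested archive)")
    return findings


def is_safe_to_open(zip_bytes: bytes) -> bool:
    """Convenience wrapper: True only when no script content was found."""
    return not risky_members(zip_bytes)


def scan_download(path: str) -> list[str]:
    """Inspect an archive already saved to disk."""
    with open(path, "rb") as fh:
        return risky_members(fh.read())


def build_sample_archive() -> bytes:
    """Constructed test archive mirroring the layout described above: the only
    'document' is a JavaScript file, and a nested zip hides a second one behind
    a double extension. Both script bodies are harmless placeholders, not malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as archive:
        archive.writestr("invoice.pdf.js", "// constructed placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as archive:
        archive.writestr("are_bengal_cats_legal_in_australia.js",
                         "// constructed placeholder\n")
        archive.writestr("readme.txt", "constructed benign text\n")
        archive.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with no script content, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("notes.txt", "constructed benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for member in risky_members(sample):
        print("script content found:", member)
    print("safe to open:", is_safe_to_open(sample))
```

Run as-is it inspects the constructed sample; point `scan_download()` at a file in your Downloads folder to inspect a real archive. A clean result only means no script-type member was found, so it complements antivirus scanning rather than replacing it.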

Stages of GootLoader Attack:

  • Stage 1: First-Stage Payload: After a user clicks on the link, a .zip file is downloaded to their computer. Inside this file is a JavaScript file that initiates the malware’s execution.
  • Stage 2: Second-Stage Payload and Persistence: The malware then installs a larger JavaScript file that creates a “scheduled task” on the victim’s computer. This task runs at startup, allowing the malware to maintain persistence on the system and remain undetected for long periods. During this stage, GootLoader can also start collecting data and prepare the system for further compromise.
  • Stage 3: Network and Command-and-Control (C2) Communication: GootLoader establishes a connection with external servers, known as command-and-control (C2) servers. Using encoded data transfers (often Base64-encoded), the malware sends information from the infected machine back to these servers, allowing the attackers to monitor and control the victim’s system remotely.

The Purpose of GootLoader Attacks:

Cybercriminals use GootLoader to gather sensitive information, including financial data, passwords, and personal information, which they can later sell on the black market or use for additional scams. In some cases, GootLoader can even deploy other forms of malware, such as ransomware, or tools like Cobalt Strike, which is frequently misused by hackers for further system exploitation.

How to Protect Yourself from SEO Poisoning?

In light of these complex threats, safeguarding against SEO poisoning requires a combination of cautious browsing habits and cybersecurity tools. Here’s what you can do to protect yourself:

Avoid Clicking Suspicious Links: Double-check any link before clicking. For niche or specialized information, verify the site’s credibility before accessing it.

Inspect URLs Carefully: Malicious websites often have URLs that closely resemble legitimate ones. Hover over links to see the full URL, and avoid those with unusual characters or domain extensions.
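To make the URL checks above concrete, here is an added Python example (not part of the original post) that applies a few of those heuristics to a link before it is clicked: embedded credentials, a raw IP address as host, punycode labels, and a trusted name that is either spelled with look-alike characters or embedded as a subdomain of some other domain. The allowlist, the look-alike table and the test URLs are constructed placeholders, not real recommendations:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the sites you already know and trust for the topic.
# These are placeholder names for the example, not recommendations.
TRUSTED_HOSTS = {"example.gov.au", "example.org"}

# Constructed look-alike table: characters commonly swapped for the letters
# they resemble, e.g. "examp1e.org" for "example.org". Deliberately small.
LOOKALIKE_CHARS = str.maketrans("0135", "oles")


def normalize_host(host: str) -> str:
    """Collapse common look-alike substitutions so the host can be compared
    against the allowlist on its 'intended' spelling."""
    return host.lower().translate(LOOKALIKE_CHARS).replace("rn", "m").replace("vv", "w")


def url_warnings(url: str) -> list[str]:
    """Return warning codes for a URL; an empty list means none of the
    heuristics fired, which is not the same as proving the site is safe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings: list[str] = []

    if parts.scheme != "https":
        warnings.append("not-https")
    # "https://example.org@evil.example/" shows a trusted name first but
    # connects to whatever follows the "@".
    if "@" in parts.netloc:
        warnings.append("credentials-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address-host")
    except ValueError:
        pass
    # Internationalised labels are encoded as xn--...; legitimate for real IDN
    # sites, but also how mixed-script look-alikes reach the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    for trusted in sorted(TRUSTED_HOSTS):
        if host == trusted or host.endswith("." + trusted):
            continue  # genuinely the trusted site or one of its subdomains
        if trusted in host:
            # Trusted name used as a subdomain of an unrelated domain,
            # e.g. "example.org.secure-login.example".
            warnings.append("trusted-name-embedded")
        elif normalize_host(host) == trusted:
            warnings.append("lookalike-host")
    return warnings


def is_trusted(url: str) -> bool:
    """True only for a URL whose host is on the allowlist (or a subdomain of
    one) and that trips none of the heuristics."""
    host = (urlsplit(url).hostname or "").lower()
    on_list = any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
    return on_list and not url_warnings(url)


if __name__ == "__main__":
    for link in ("https://example.org/bengal-cats",
                 "https://examp1e.org/",
                 "http://example.org.secure-login.example/",
                 "https://example.org@198.51.100.7/"):
        print(link, "->", url_warnings(link) or "no warnings")
```

The heuristics are intentionally conservative: the script only knows the handful of names you put on the allowlist, so a brand-new domain with no warnings is simply unknown, not vetted.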

Be Cautious with Downloads: Only download files from verified sources. Even if a site appears official, make sure the file is safe by scanning it with antivirus software before opening it.

Use Trusted Security Software: Install reliable antivirus software that can detect and remove malware like GootLoader. Keep it updated to stay protected from new threats.

Cybersecurity Best Practices

In addition to these specific protection measures, adopting general cybersecurity practices can further reduce your risk of encountering SEO-poisoned sites and malware.
  • Stay Informed on Emerging Threats: Cyber threats evolve quickly, so keeping up-to-date with the latest cybersecurity news helps you recognize and avoid new risks.
  • Don’t Rely on Search Results Alone: For important information, go directly to reputable sites instead of solely depending on search engines, which may inadvertently display harmful results.
  • Use Ad Blockers and Anti-Tracking Tools: Some malware is distributed through ads or tracking tools on compromised websites. Using ad blockers can reduce this risk and improve your overall browsing security.

A Technical Look at GootLoader’s Operations

To understand the intricacies of GootLoader and SEO poisoning, Sophos cybersecurity analysts conducted both static and dynamic analysis:

Static and Dynamic Analysis: Sophos analysts examined the behavior of the malicious JavaScript files both in static (non-executing) and dynamic (executing in a sandboxed environment) states. This thorough inspection allowed them to observe execution patterns, file actions, and communication protocols in real time.

Detection Techniques: Sophos’ detection measures included advanced threat-hunting tools, malware detection algorithms, and network monitoring systems, which identified GootLoader’s use of scheduled tasks, PowerShell commands, and encoded data communications.
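The scheduled-task persistence and encoded communication described in the GootLoader stages above, and the detection of scheduled tasks, PowerShell commands and encoded data mentioned here, can be expressed as simple rules over process-creation logs. The following Python is an added example, not Sophos’ detection logic or the post’s own code; the sample events, file paths and task name are constructed for the example:

```python
import base64
import re

# Constructed process-creation events in the shape an EDR or Sysmon log provides
# (the launching image plus its command line). The .js path and task name are
# placeholders for this example, not indicators from the Sophos report.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /Create /SC ONLOGON /TN "Updater" '
                   r'/TR "wscript.exe C:\Users\alice\AppData\Roaming\update.js"',
    },
    {
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        # PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text.
        "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                   + base64.b64encode("Write-Output 'constructed placeholder'"
                                      .encode("utf-16-le")).decode("ascii"),
    },
    {
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe notes.txt",
    },
]

# Paths an ordinary user can write to; scripts launched from here deserve a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\|\\Temp\\", re.I)
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted spellings of the switch.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(token: str):
    """Decode a -EncodedCommand argument back to script text, or None."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list[tuple[str, str]]:
    """Apply three rules to one event and return (rule, detail) pairs."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    findings: list[tuple[str, str]] = []
    # Stage 2 persistence: a scheduled task whose action is a script host
    # running a script from a user-writable directory.
    if (image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I)
            and SCRIPT_HOST.search(cmd) and USER_WRITABLE.search(cmd)):
        findings.append(("scheduled_task_script_persistence", cmd))
    # Stage 1 execution: wscript/cscript launched directly on a .js/.jse file
    # sitting in Downloads, AppData or Temp.
    if (image.endswith(("wscript.exe", "cscript.exe")) and USER_WRITABLE.search(cmd)
            and re.search(r"\.jse?\b", cmd, re.I)):
        findings.append(("script_host_from_user_path", cmd))
    # Encoded PowerShell: decode it so the analyst sees the real command text.
    if image.endswith("powershell.exe"):
        match = ENCODED_ARG.search(cmd)
        if match:
            decoded = decode_encoded_command(match.group(1))
            findings.append(("encoded_powershell",
                             decoded if decoded is not None else "<undecodable>"))
    return findings


def scan_events(events: list) -> list[tuple[str, str]]:
    """Run analyze_event over a batch and flatten the findings."""
    results: list[tuple[str, str]] = []
    for event in events:
        results.extend(analyze_event(event))
    return results


if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule mirrors one behaviour the text attributes to GootLoader (script launched from a download location, script-host persistence via a scheduled task, encoded PowerShell) rather than a file hash, which is the behaviour-based detection the next paragraph contrasts with signature-based methods. Feed it real events from your own logging pipeline in the same `image`/`cmdline` shape; the Base64 decoding step is what turns an opaque encoded command into something an analyst can read.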

Defensive Software: Sophos endpoint protection software is equipped to detect GootLoader through both signature-based (known malware) and behavior-based (suspicious actions) methods, providing robust protection against SEO poisoning attacks.

Conclusion

SEO poisoning, as demonstrated by the recent GootLoader campaign, highlights the sophistication of modern cybercriminal tactics. By manipulating Google search results to mislead unsuspecting users, attackers are increasingly using SEO to lure victims to harmful sites. This is why being aware, vigilant, and informed is extremely important. Users need to take extra care when clicking a link, ensuring it leads to a secure and trusted website.