SEO Poisoning

There have now been incidents of a cyber attack known as SEO Poisoning, in which adversaries artificially raise the search engine ranking of websites hosting their malware to lure potential victims.  The problem is on the rise.  It has been seen distributing the REvil ransomware in one case and, in another, installing a backdoor called SolarMarker on the unwary.


This is fairly new and is still being analysed by the larger cyber security companies, but it appears that the attacks target users rather than organisations and may be driven by cyber criminals looking to take advantage of remote work environments created by the pandemic, where the lines between personal and business devices have blurred.  This is especially true of SMEs, many of which, in a rush to keep their businesses afloat during lockdowns, had their staff working from home on their own devices because the company did not have sufficient equipment or budget to send them home with company equipment.


So how does this work?  Cyber criminals first compromise legitimate websites and then inject into them specific keywords that users might commonly search for via their preferred search engine.  The aim is to ensure that the compromised website surfaces at or near the top of the search engine results when a user searches using those keywords.

In the SolarMarker attack, observed by Menlo Security, users who clicked on the poisoned link were directed to a malicious PDF hosted on the compromised site and eventually ended up with a backdoor on their systems.  Menlo has reported that it observed over 2000 unique search terms that led users to sites hosting SolarMarker.  Examples included "blue-jacket-of-the-quarter-write-up-examples," "industrial-hygiene-walk-through-survey-checklist," and "Sports Mental Toughness Questionnaire." The campaign targeted users across numerous industry verticals, including automotive, retail, financial services, manufacturing, transportation, and telecommunications.  The websites hosting the malicious PDFs were scattered around the world.

SEO Poisoning appears to be a relatively effective way for attackers to distribute malware or lure users to malicious sites, and a fairly high percentage of users clicked on the malicious link in the search engine results.  Menlo says that about 42% of users who searched for a certain term eventually ended up clicking on the link in the malicious PDF, which would drop the malware, proving the effectiveness of this attack.

Menlo Security also reported that all the compromised sites in the SolarMarker campaign were WordPress sites that contained a plug-in called Formidable Forms.  However, they stress that there is no clear evidence that the plug-in played any role in allowing attackers to break into the sites.

The attackers are also using relatively simple evasion techniques, such as large-sized payloads, to try to sneak the malware past anti-malware tools, many of which have a limit on the size of file they can analyze.
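
For defenders who keep web proxy logs, the chain described above (search result, keyword-named PDF, then a payload too large for the scanner) can be triaged with a short script. This is an added example, not code from Menlo Security or the original article; the log layout, search-engine list, four-word slug threshold, 100 MB scan limit and all sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Assumptions, not from the article: the log layout (ts user url referrer bytes),
# the search-engine list, the 4-word slug threshold and the 100 MB scan limit.
SEARCH_HOSTS = ("google.", "bing.", "duckduckgo.", "yahoo.")
SCAN_LIMIT_BYTES = 100 * 1024 * 1024
SLUG_RE = re.compile(r"^[a-z0-9]+(?:[-_ ][a-z0-9]+){3,}$", re.I)  # 4+ words

# Constructed sample records; hosts, users and sizes are invented.
SAMPLE_LOG = [
    "2021-10-01T09:00:01Z alice https://intranet.example/policies/handbook.pdf - 48211",
    "2021-10-01T09:02:10Z bob https://blog.example/uploads/industrial-hygiene-walk-through-survey-checklist.pdf https://www.google.com/ 310224",
    "2021-10-01T09:02:40Z bob https://files.example/dl/installer.exe https://blog.example/ 123731968",
    "2021-10-01T09:05:00Z carol https://vendor.example/driver.exe - 150000000",
]

def parse(line):
    _ts, user, url, referrer, size = line.split()
    return {"user": user, "url": url, "ref": referrer, "bytes": int(size)}

def from_search(referrer):
    """True when the referrer host looks like a search engine (triage heuristic)."""
    host = urlparse(referrer).hostname or ""
    return any(host.startswith(s) or "." + s in host for s in SEARCH_HOSTS)

def keyword_pdf(url):
    """True for a PDF whose file name is a long keyword slug, like the lure terms quoted above."""
    name = unquote(urlparse(url).path).rsplit("/", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return ext.lower() == "pdf" and bool(SLUG_RE.match(stem))

def triage(lines):
    """Return (user, reason, url) for each step of search -> PDF -> oversized download."""
    findings, lured = [], set()
    for rec in map(parse, lines):
        if from_search(rec["ref"]) and keyword_pdf(rec["url"]):
            lured.add(rec["user"])
            findings.append((rec["user"], "keyword-slug PDF from search", rec["url"]))
        elif rec["user"] in lured and rec["bytes"] > SCAN_LIMIT_BYTES:
            findings.append((rec["user"], "download above scan size limit", rec["url"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Findings are leads for review rather than verdicts: legitimate documents also have long hyphenated names, so the thresholds need tuning against normal traffic.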

For SMEs, which do not have sophisticated and expensive monitoring in place and rely on standard anti-malware tools, this is a pointer to the fact that they cannot always rely on technology, and that the cyber security awareness of their staff, and awareness of the dangers of using home-based equipment, play an important role.