SEO poisoning attacks on the rise in 2023

By Researcher
January 25, 2023
in Cybersecurity
A new research report from SentinelOne exposes an SEO poisoning attack campaign that hijacks brand names in paid search ads.

[Image: A user discovers malware delivered via poisoned SEO. SizeSquare’s/Adobe Stock]

SentinelOne has reported an increase in malicious search engine advertisements in recent weeks. The researchers explain that attackers using search engine optimization poisoning are generally more successful “when they SEO poison the results of popular downloads associated with organizations that do not have extensive internal brand protection resources.”


What is an SEO poisoning attack?

SEO poisoning attacks consist of manipulating search engine results so that the first advertised links actually lead to attacker-controlled sites, generally to infect visitors with malware or to draw more people into ad fraud. SentinelOne provided an example of a recent SEO poisoning campaign in their report.


The Blender 3D SEO poisoning campaign

A routine Google search for the brand name Blender 3D, an open-source 3D graphics design software, returned the following results on Jan. 18, 2023 (Figure A):

Figure A: Google search results show three fraudulent ads when looking for Blender 3D. (Image: SentinelOne)

A user who doesn’t read the URL closely or is unsure of the exact URL of the software might click on any of those attacker-controlled domains, which could result in a compromise.


The malicious top result blender-s.org is a near-exact copy of the legitimate Blender website, yet the download link does not lead to a download on blender.org but to a Dropbox URL delivering a blender.zip file.

The second malicious website at blenders.org is similar: It shows a near-perfect copy of the legitimate Blender website, yet the download link leads to another Dropbox URL, also delivering a blender.zip file.

The third and last malicious website is also a copy of the legitimate one, yet it provides a Discord URL and delivers a file named blender-3.4.1-windows-x64.zip.

The SEO poisoning payloads

The zip files downloaded from Dropbox contain executable files. The first one immediately raises suspicion because it is signed with an invalid certificate issued to AVG Technologies USA, LLC (Figure B), which has already been observed in use by other malware, including the infamous Raccoon Stealer.

Figure B: Invalid certificate used by the malicious executable.

It is also worth mentioning that the zip file is less than 2 MB, yet the executable extracted from it is close to 500 MB. This is probably an attempt to bypass security solutions that do not analyze such large files.
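The size mismatch above is easy to check from the archive's central directory without extracting anything: a member that decompresses to hundreds of megabytes, or compresses at a ratio that only zero padding achieves, is worth a second look. The following is an added example, not code from the article or from SentinelOne; it builds its own small constructed archive (a padded "executable" of 5 MB rather than the 500 MB seen in the campaign, so it is cheap to build in memory) and flags inflated members, reading only the first two bytes of each to see whether it carries the PE/DOS "MZ" magic. The thresholds and the helper names are assumptions, not values from the report.

```python
import io
import zipfile


def build_sample_zip(padded_size=5_000_000):
    """Constructed sample archive (not the campaign's blender.zip): one
    mostly-zero 'executable' plus a small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        # "MZ" is the DOS/PE executable magic; the rest is zero padding,
        # which deflate squeezes down to a few kilobytes.
        zf.writestr("blender.exe", b"MZ" + b"\x00" * (padded_size - 2))
        zf.writestr("README.txt", b"Blender 3.4.1 installer\n")
    return buf.getvalue()


def inflated_entries(zip_bytes, min_uncompressed=100 * 1024 * 1024, min_ratio=50):
    """Flag archive members that decompress to something very large or that
    compress suspiciously well (both assumed thresholds), and record whether
    the member starts like a Windows executable.

    Only the central directory and the first two bytes of each flagged
    member are read, so the padded payload is never fully extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            if info.file_size < min_uncompressed and ratio < min_ratio:
                continue  # ordinary member, nothing to report
            with zf.open(info) as member:
                looks_like_pe = member.read(2) == b"MZ"
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 1),
                "looks_like_pe": looks_like_pe,
            })
    return findings


if __name__ == "__main__":
    sample = build_sample_zip()
    print(f"archive size: {len(sample)} bytes")
    for hit in inflated_entries(sample):
        print(hit)
```

The same check works on an archive read from disk by passing its bytes to `inflated_entries`; in a mail or download gateway the natural action on a hit is to quarantine the file for a scanner that handles large executables rather than to let the size alone exempt it.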

According to VirusTotal, the malware might be Vidar (Figure C), an information stealer able to steal financial information, passwords and browsing history from browsers, password managers and cryptocurrency wallets.

Figure C: Zip file contains Vidar malware with an identified C2 server. (Image: VirusTotal)

The second zip file, unknown to VirusTotal, might be similar, as it has the same size and was created five minutes after the first one. The final file, downloaded from Discord, contains an ISO file that is probably also malicious.

Widening the attack surface

According to SentinelOne researchers, the threat actor behind the first two malicious websites is also responsible for dozens of other similar websites, always impersonating popular software such as Photoshop or remote access tools.

All of those websites were quickly blocked by Cloudflare, whose services the cybercriminals had used. Any user attempting to connect to the fraudulent websites is now shown a Cloudflare warning page describing their phishing nature.

How to mitigate this threat and protect your company’s reputation

As mentioned, SEO poisoning attackers usually choose to impersonate popular products or brands in order to run their malicious operations. This has a huge impact on users, as they might end up being compromised by malware, which can lead to stolen data. Yet it also has a huge impact on companies, as the average user often does not understand this kind of fraud and in the end thinks that the real brand is responsible.

Companies with very popular products or brands should be careful about their brands and deploy security solutions to help them detect such fraud before it’s too late.

For starters, organizations should carefully check every newly registered domain that resembles any of their brands or names. As fraudsters often register domain names that are very similar to the legitimate ones, it is possible in most cases to detect them within 48 hours, analyze the situation immediately and take action to mitigate the risk.
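One way to run that check over a feed of newly registered domains is to compare each domain's registrable label against the brand names you care about, flagging labels that contain a brand outright (as blender-s.org and blenders.org do) and labels that are within a couple of edits of it after common digit-for-letter swaps are undone. The code below is an added example, not the article's or SentinelOne's tooling; the domain feed is constructed (only the two blender lookalikes come from the report), the label extraction is a deliberately naive "second label from the right" that ignores multi-part public suffixes such as co.uk, and the edit-distance threshold and homoglyph table are assumptions.

```python
# Map the digit-for-letter substitutions most often seen in lookalike
# labels back to letters before measuring distance (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Naively take the label just left of the TLD. Assumption: no
    multi-part public suffixes; a production tool would consult the
    Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize_label(label):
    """Undo digit homoglyphs and drop separators so 'b1ender' and
    'blender-s' compare against the bare brand string."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def lookalike_domains(new_domains, brands, legit_domains, max_distance=2):
    """Return (domain, brand, reason) for each newly registered domain that
    resembles a monitored brand. Domains on the allowlist are skipped."""
    legit = {d.lower() for d in legit_domains}
    brands = [b.lower() for b in brands]
    hits = []
    for domain in new_domains:
        domain = domain.lower()
        if domain in legit:
            continue
        label = registrable_label(domain)
        bare = normalize_label(label)
        for brand in brands:
            if brand in label:
                hits.append((domain, brand, "contains brand"))
                break
            dist = levenshtein(bare, brand)
            if dist <= max_distance:
                hits.append((domain, brand, f"edit distance {dist}"))
                break
    return hits


# Constructed feed of "newly registered" domains. blender-s.org and
# blenders.org are the lookalikes named in the report; the rest are made up.
SAMPLE_FEED = [
    "blender-s.org", "blenders.org", "blendr.net", "b1ender.com",
    "example.com", "blender.org", "lender-loans.com",
]

if __name__ == "__main__":
    for hit in lookalike_domains(SAMPLE_FEED, ["blender"], ["blender.org"]):
        print(hit)
```

Short brands produce more false positives at distance 2 than long ones, so in practice the threshold is tuned per brand, and every hit still needs a human or a content check (does the site clone the legitimate one, does it serve a download) before a takedown request is sent.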

Companies can work on the legal side to have the fraudulent domains transferred to them when they can justify that a trademark infringement exists, but that might take a while. In the meantime, should any fraudulent content appear on the fraudulent domain, they might want to shut it down by contacting the hosting company, registrar or DNS provider to render the fraud unreachable.

Finally, companies can preventively register different variants of their legitimate domain names so that fraudsters can’t do so. However, this method takes energy and money, and not every company may want to go down this path.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

© 2022 Lets Ask Binu All Rights Reserved