Until now, we believed that to advertise and promote your business or brand, Search Engine Optimization (SEO) was the best possible solution. Similarly, users relied upon the search results on popular and trusted platforms like Google and clicked on the links without thinking twice.
However, now we might need to be a bit more cautious while clicking on search engine results because cybercriminals have identified a way to exploit them as well. This is called SEO-malvertising and SERP Poisoning.
According to an analysis by the security firm Cisco Talos, cybercriminals have learned how to exploit SEO to distribute malicious links carrying the notorious Zeus Panda banking Trojan, reaching a wider range of users as they click on search results and thereby gaining more victims. The Zeus Panda group uses a set of hacked websites to embed its target keywords, either in newly created pages or in existing ones.
The Zeus Panda distribution scheme is quite interesting, Cisco Talos researchers noted, because its configuration and operational infrastructure do not rely on the conventional distribution methods hackers use to spread malware. Instead, infected or compromised business websites are used for this purpose. The hackers choose these websites carefully on the basis of their high ratings and reviews in the search engine. That is an important step, because those ratings and reviews are what make the poisoned results look authentic to the victims (users).
Hackers have targeted various keyword groups in this campaign; the majority of them relate to financial or banking information that users are believed to search for on a regular basis. Furthermore, specific geographic locations have been singled out for the attack, and numerous keyword groups target financial institutions based in the Middle East and India.
The finance-related keywords are chosen deliberately by the cybercriminals to ensure that the infected links are displayed to the users most likely to click them, maximizing the conversion rate. Compromised devices are then monitored to learn which financial platforms the user relies on, and the login credentials for those platforms, banking details, and credit card information are harvested.