SEO in the Service of Hackers

Delaware, USA – November 3, 2017 – Adversaries leverage a new technique to infect victims. Researchers from Cisco Talos have discovered a botnet from more than 30 websites used to spread a new version of the Zeus Panda banking Trojan. Hacked sites are quite often used by attackers, for example, as a botnet for cryptocurrency miners distribution or as a vector of spreading Bad Rabbit Ransomware. But in this case threat actors used something new: they used Search Engine Optimization (SEO) to bring the hacked sites to the top positions in Google search. They added keywords for specific requests related to banking. Their attack primarily targeted India and the Middle East. The sites used Javascript to redirect users to attacker’s server from which the malicious document was downloaded. If the user opened the document and enabled macros, Zeus Panda Trojan was downloaded and installed on his computer.

The new technique of attracting victims to infected sites using SEO has not yet spread, but the attackers quickly adopt effective methods from each other. Now you need even more careful control over the websites, and if possible, implement the whitelisting of IP addresses. Also, you can monitor the security of your sites using Web Application Security Framework for ArcSight. This use case detects and notifies SIEM administrator about any suspicious activity associated with the company’s web applications.