fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Ransomware Gangs Use SEO Poisoning to Infect Visitors

Ransomware Gangs Use SEO Poisoning to Infect Visitors

Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets.

SEO poisoning, also known as “search poisoning,” is an attack method that relies on optimizing websites using ‘black hat’ SEO techniques to rank higher in Google search results.

Due to their high ranking, victims who land on these sites believe they are legitimate, and actors enjoy a heavy influx of visitors who look for specific keywords.

Also Read: Battling Cyber Threats in 4 Simple Ways

SEO for ransomware

According to the findings of the Menlo Security team, SEO poisoning by malware distributors is on the rise, with two notable examples being the Gootloader and SolarMarket campaigns.

The actors inject sites with keywords that cover over 2,000 unique search terms, including “sports mental toughness,” “industrial hygiene walk-through,” “five levels of professional development evaluation,” and more.

The optimized sites appear in search results as PDFs that, when visited, prompt a user to download the document, as shown below.

blue-jacket-of-the-quarter-write-up-examples
Malicious site prompting a visitor to download a PDF document
Source: Menlo Security

When they click on the download button, the users are redirected through a series of sites that ultimately drop a malicious payload.

The threat actors use these redirects to prevent their sites from being removed from the search results for hosting malicious content.

In these particular campaigns, the threat actors were either dropping REvil via Gootloader or the SolarMarker backdoor.

Also Read: What is Smishing? How Can We Prevent It? Explained.

Exploiting a WordPress plugin vulnerability

In the two campaigns spotted by the researchers, the actors didn’t create their own malicious sites but instead hacked legitimate WordPress sites that already had a good Google search ranking.

The sites were hacked by abusing an undisclosed flaw in the ‘Formidable Forms’ WordPress plugin, which the hackers used to upload laced PDF into the ‘/wp-content/uploads/formidable/’ folder.

If you are using this particular plugin, upgrading to version 5.0.10 or later is advisable, even though 5.0.07 was the most recent version spotted in the compromised set.

The industry verticals for the types of sites compromised in this campaign are shown in the chart below.

Types of sites compromised with laced PDF files
Types of sites compromised with laced PDF files
Source: Menlo Security

As you can see from the image above, the attackers heavily targeted sites in the business category, likely because they commonly host PDFs in the form of guides and reports.

Spreading a wider net

When modern encrypting ransomware first launched in 2012, threat actors would spread a wide net in their attacks in the hopes of infecting as many people as possible.

As ransomware gangs are now targeting high value companies for multi-million dollar payouts, this spray and pray approach is not seen as often as you likely will infect consumers who would not be willing to pay large ransoms.

However, BleepingComputer knows of one REvil affiliate who performed wide-scale attacks to infect consumers and small businesses alike.

Instead of demanding hundreds, if not millions of dollars as ransoms, this affiliate would demand between $1,500 and $7,500.

While it is not known if this affiliate utilized SEO poisoning attacks, this type of attack would have fit their model of indiscriminately targeting any kind of victims.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us