Cyber criminals are using search-engine optimisation (SEO) tactics to steer users searching for common business forms, such as invoices, receipts and other templates, to attacker-controlled pages on Google-hosted domains.
Business users are being lured to more than 100,000 malicious Google Sites pages that look legitimate but instead install a remote access trojan (RAT), which the attackers use to gain a foothold on the network and later deploy ransomware, credential stealers, banking trojans and other malware.
Over the past week, hundreds of thousands of unique malicious web pages were found seeded with popular business terms, including form-related keywords such as template, invoice, receipt, questionnaire and resume.
The criminals combine Google search redirection with drive-by-download tactics to bring unsuspecting victims to the RAT. Typically the visitor clicks on what is presented as a "form" and in fact runs an executable disguised as a PDF, infecting his or her own machine. This is an increasingly common pattern in malware delivery, and it reflects the improved security of browsers and other applications that process untrusted content: rather than exploiting a vulnerability, the attacker simply asks the user to run the payload. Unfortunately it also exposes a glaring blind spot in many organisations' controls, which still allow users to execute untrusted binaries and script files at will.
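As an added example (not code from the Neuways article), the check below is the kind a download gateway or endpoint script could apply before a user is allowed to open a file: it compares the file's magic bytes with the extension it claims, so a Windows executable saved as Invoice_Template.pdf, a double extension such as receipt.pdf.exe, or a script file such as form.js is blocked or quarantined rather than executed. The file names, the sample bytes (including a minimal MZ/PE header built inline) and the verdict policy are all constructed for illustration.

```python
"""Flag downloads whose content does not match the document they claim to be.

Added example, not code from the Neuways article. File names, sample bytes
and the verdict policy below are constructed for illustration.
"""
import os
import struct

# Extensions a user expects to be documents, and the header each should carry.
EXPECTED_KIND = {
    ".pdf": {"pdf"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},   # OOXML is a zip container
    ".doc": {"ole"}, ".xls": {"ole"},                       # legacy Office is OLE2
    ".rtf": {"rtf"},
}
# Extensions Windows will execute directly (binaries, scripts, shortcuts).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".msi", ".dll",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".bat", ".cmd", ".lnk",
}


def sniff(data: bytes) -> str:
    """Return a coarse content type from the file's magic bytes."""
    if data.startswith(b"MZ"):
        # DOS header: e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # MZ without a PE signature: still treat as executable
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def all_extensions(name: str) -> list:
    """'receipt.pdf.exe' -> ['.pdf', '.exe'], so double extensions are visible."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_download(name: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    exts = all_extensions(name)
    final = exts[-1] if exts else ""
    kind = sniff(data)

    # 1. Content is a Windows executable, whatever the name says.
    if kind in ("pe", "mz"):
        if final not in EXECUTABLE_EXTENSIONS:
            return ("block", "executable content disguised as '%s'" % (final or "no extension"))
        return ("block", "executable content")
    # 2. Name ends in something Windows will run (scripts, shortcuts, installers).
    if final in EXECUTABLE_EXTENSIONS:
        return ("block", "executable extension %s" % final)
    # 3. Document extension hidden before a second extension (invoice.pdf.zip).
    if len(exts) > 1 and any(e in EXPECTED_KIND for e in exts[:-1]):
        return ("quarantine", "double extension %s" % "".join(exts))
    # 4. Claims to be a document but lacks that document's header.
    expected = EXPECTED_KIND.get(final)
    if expected and kind not in expected:
        return ("quarantine", "%s without a matching header (content looks like %s)" % (final, kind))
    return ("allow", kind)


# Constructed samples: a minimal MZ/PE header and a few plausible lures.
FAKE_PE = (b"MZ" + b"\x00" * (0x3C - 2)          # DOS header up to e_lfanew
           + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
           + b"PE\x00\x00" + b"\x00" * 20)       # PE signature and padding
SAMPLES = {
    "Invoice_Template.pdf": FAKE_PE,                 # binary renamed to look like a PDF
    "receipt.pdf.exe": FAKE_PE,                      # classic double extension
    "questionnaire.pdf": b"<html><script>var a=1;</script>",  # HTML/JS saved as .pdf
    "form.js": b"var s = new ActiveXObject('WScript.Shell');",
    "resume_form.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "Invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_download(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_download(name, data)
        print("%-24s %-10s %s" % (name, verdict, reason))
```

The ordering matters: content is checked before the name, so renaming the binary does not help the attacker, and a scriptable extension is refused even when the bytes look harmless. On a real endpoint this logic belongs behind an application-control policy (only signed, allow-listed executables run) rather than in a script the user can bypass; the check is shown here to make the extension-versus-content mismatch concrete.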
The campaign is not only huge and far-reaching but also sophisticated. The common business terms used as keywords in the threat actors' search-optimisation strategy convince Google's crawler that the pages meet the conditions for a high ranking, so the malicious sites appear near the top of search results and victims are more likely to be lured to them. Security leaders and managers should understand that the threat group has gone to considerable effort to compromise business professionals, casting a wide net and using many tactics to disguise its traps.
In one recent incident observed by researchers, a victim working in the financial industry searched online for a free version of a document and was redirected via Google Search to a Google Sites page under the threat actors' control, which included an embedded download button. The criminals are clearly targeting the right people: someone working in finance is a high-value target for this campaign.
Once the RAT is installed on a victim's computer, the attackers can push additional malware to the device, such as a banking trojan used to hijack the business's online banking credentials, or a credential stealer that harvests the employee's email credentials and enables a business email compromise (BEC) scheme.
Neuways advises employees to think about what types of business forms, invoices, receipts and similar documents they search for online. Sharing such forms through a centralised system such as Microsoft SharePoint lets colleagues obtain them from a trusted internal source instead of a search result, avoiding the sophisticated traps laid by cyber criminals. Our Phishing Awareness Training is top of its class and makes businesses safer by educating their employees. Contact us on 01283 753333 or firstname.lastname@example.org to discuss your options.