From cryptojacking websites to using legitimate-looking URLs, the techniques being used by cybercriminals keep changing at such a rate that even tech savvy users sometimes fall for their tricks. A new attack technique has now been identified where attackers are using Google's search engine optimization (SEO) to infect users with banking trojan.
Same Zeus Panda banking trojan - different distribution channels
Security researchers at Cisco Talos have revealed that attackers are using SEO techniques to leverage favorable Google SERP (Search Engine Results Pages) ranking of popular sites. By adding keywords in the hacked websites, these malicious pages are then ranked at the top of the Google search results for specific and carefully chosen queries - banking and financial questions.
"In this case 'al rajhi bank working hours in ramadan,'" the search led to a malicious link that was ranked at the top of the search results, lending authenticity to the website.
As seen in the above screenshots, attackers' use of compromised websites that carry ratings, reviews, and show up at the top lend these pages more legitimacy. Once a user clicks on them, they find themselves on a hacked site, from where they are redirected to other pages displaying malicious ads and/or malicious documents.
"By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion," researchers wrote. In their research, Talos said that attackers used a number of keywords to rank these pages, including:
"nordea sweden bank account number"
"al rajhi bank working hours during ramadan"
"how many digits in karur vysya bank account number"
"free online books for bank clerk exam"
"how to cancel a cheque commonwealth bank"
"salary slip format in excel with formula free download"
"bank of baroda account balance check"
"bank guarantee format mt760"
"free online books for bank clerk exam"
"sbi bank recurring deposit form"
"axis bank mobile banking download link"
Apparently these tricks have been in use for the last several months as the Zeus Panda group has been found using SEO poisoning to spread malware and target only those seeking information of specific banks since at least June.
SEO poisoning - what happens next
Wondering what happens when a visitor is finally on the malicious website? Researchers explained that the compromised sites use JavaScript to redirect clients to JavaScript hosted on an intermediary site. "The intermediary server will then respond with a HTTP 302 which redirects clients to another compromised site which is actually being used to host a malicious Word document," they added. "As a result, the client will follow this redirection and download the malicious document."
This is a technique commonly referred to as "302 cushioning" and is commonly employed by exploit kits.
In a multi-stage attack, once the user downloads the file, they are presented with a browser prompt to either open or save it. Once open, the document displays prompts the victim to "Enable Editing" and click "Enable Content".
Finally the malicious macros are executed, infecting the system. Cisco adds that the malware isn't activated if it detects Russian, Belarusian, Kazak, or Ukrainian language on the operating system, possibly to avoid infecting systems in their own region - a common strategy followed by hackers to avoid local law enforcement.
Using spam botnets of hacked websites or hacking those that have a good ranking and then rank them for their keywords, the attackers (Zeus Panda group) manages to infect victims without sending them malicious emails. Victims are also more likely to download the malicious files since these pages are considered legitimate thanks to their high ranking.
It should be noted that despite the clever use of SEO poisoning, attackers are still relying on users to download the malicious files and to have macros enabled. While not as sophisticated in the later stages of the attack, it caught researchers' attention as it did not rely on traditional distribution methods.
"This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time," Talos wrote.
