Cisco Talos researchers discovered threat actors were using what's known as poisoned search results -- also known...
as SERP poisoning -- to spread the Zeus Panda banking Trojan through Google. How does search engine poisoning work, and how can users spot it in the wild?
We've all become accustomed to using search engines to look up things we want to learn more about, with the intention of being directed toward completing a task or guiding us toward a purchase on the internet. This can be anything, from learning about technology, directions to a restaurant or even sports scores.
We've also become spoiled by search engines, primarily Google, by having the most relevant websites put on the first page of the results -- we trust things that are higher in their ranking. This is done with search engine optimization (SEO) to get sites with the best ranking to the top of the list. This is big business for marketing, and malicious actors have noticed.
Cisco Talos researchers found the Panda banking Trojan being spread by targeting particular finance-related keywords to have their poisoned site pushed higher up on the ranking. Attackers are always looking for different ways to spread their malware. Search engine poisoning has been used in the past, but it continues to be a constant attack method in their bag of tricks.
This attack is done many times by not only using the keywords themselves, but by compromising a web server that might already have a high ranking with limited security. This allows them to show legitimate sites with a ranking and possibly even customer reviews that help trick people into thinking the site is safe. As always, attackers are using a false sense of trust to deceive their victims into feeling safe.
Many of these poisoned search results will make use of sponsored links to redirect or reference their malicious sites, run malicious code on the legitimate web server, or perform cross-site scripting to have you directed to sites that are running malware or malicious code. These can be particularly difficult to detect at times, and there have been documented cases where sites have been infected like this for well over a year.
If you're performing SEO on your site and you see a sharp drop in your ranking, then it's possible someone has taken control over it or is using your site in a way that you're not intending; this will drop your ranking, reduce reputation and cause harm to other people.
Many search companies try to prevent search engine poisoning by using bots to scan through and determine where pages are being redirected; however, there are always ways to bypass this, as search engines are getting better, but they're nowhere near perfect. To protect yourself from these techniques, you should take notice if a site is being pushed up on a ranking that has nothing to do with your search.
Some browsers will notify you if there's something that's out of the ordinary, and there are a few plug-ins that can be downloaded for Chrome and Firefox that help reduce this threat. Nothing is perfect, but having the proper awareness and layered security will go a long way in protecting against search engine poisoning.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Matthew Pascucci
Container security continues to be a pressing issue as containers and hosts are being used more frequently. Learn how to keep your enterprise safe ... Continue Reading
While there are no set rules, there are some security recommendations when it comes to virtual machines running on one host. Learn the best practices... Continue Reading
A report from CrowdStrike highlights the growth of malware-less attacks using certain command-line tools. Learn how to handle these growing attacks ... Continue Reading