SEO wizardry abused to push malware into Google search rankings

Google search
(Image credit: Shutterstock / HaseHoch2)

Cybercriminals are deploying search engine optimization (SEO) tricks to push malicious domains up the Google search rankings, security researchers have discovered.

According to a report from the security team at AT&T, in addition to distributing malware via email campaigns, the operators behind the infamous Sodinokini ransomware are targeting keyphrases commonly punched into Google.

In the scenario analyzed in the report, a client ended up downloading a rigged JavaScript file from a malicious domain. The website had appeared on the first page of Google, in eighth position, for the search term “Missouri and Kansas tax reciprocity”. 

“There’s a saying that nothing can be certain, except death and taxes; in today’s cyber threat landscape, we can add ransomware to that shortlist,” wrote Ken Ng, a researcher at AT&T. “In this incident, one of [our] customers almost had an incident at the crossroads of taxes and ransomware.”

SEO for cybercriminals

Although the attack was mitigated automatically by the security protections in place, AT&T believed the incident warranted further investigation, as it was not immediately clear how the individual had ended up with the infection.

“Once we had an idea of what the JavaScript led to, we could attempt to find how the user potentially got the file,” AT&T explained. “Leveraging the information from the file name, plus some context with the one PDF the user was able to get from a legitimate site, we were able to emulate the user’s actions.”

When researchers eventually tracked down the offending domain, they found it stood out because it used HTTP, not HTTPS (a more secure protocol), and because the URL itself had nothing to do with the headline of the page, which had been crafted with SEO in mind.

The page itself was reportedly “extremely suspicious and sparse”, containing a link to download the answer to the original search query: “does Missouri have a reciprocal agreement with Kansas?”.

The specificity of this level of targeting is alarming (after all, a comparatively small number of people are likely to be making this particular query) and begs the question: how many other key terms are Sodinokibi and other cybercriminals targeting?

To shield against attacks of this kind, users are advised to ensure their devices are protected by a leading antivirus service, to steer clear of websites not protected by HTTPS and to avoid downloading content from unfamiliar sources.

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.