Increase in malware downloads driven by SEO techniques

Attackers use search engine optimization (SEO) techniques to improve the ranking of malicious PDFs on search engines including Google and Microsoft Bing, according to a Netskope report.

The results indicated that cybercriminals are taking advantage of various social engineering techniques – including search engine optimization – and various Trojan families, including those delivered via PDF, to target victims more effectively.

The report found that Trojans account for 77% of all malware downloads on the cloud and the web, and are used to gain an initial foothold and to deliver a variety of next-stage payloads, including backdoors, hijackers, and ransomware.

The biggest concern is the spread of malware across major search engine results, said Ray Canzanese, director of Netskope Threat Labs, adding that phishing downloads are on the rise.

“This is a relatively new and unfamiliar vector for transmitting malware that people don’t know very much about; therefore, they are more likely to fall victim to it. We do a lot of training around email, texting and social media. But not so much with search engine results. Users may be more likely to be wary.”

SEO targets users when their guard is down

For a phishing or scam attack to succeed, he said, you need to be able to reach your victims, and if you reach them somewhere their guard is down, they may be more vulnerable to the attack.

“This PDF-plus-SEO technology is exactly how attackers have shown success in accessing users when their guard is likely to be down because they are actively looking for information,” he said.

Canzanese pointed out two main solutions. First, make users aware that this is happening: users should be extra careful when clicking on PDF files in search engine results.

“If the PDF contains what looks like a CAPTCHA, it is probably a phishing attack or a scam,” he said.

Second, put technical controls in place. A web security solution that inspects all web traffic will be able to intercept and block this type of attack. He added that attackers will continue to adapt and find new ways to reach their victims; the rise of the SEO PDF attack is just one example.

“At the same time, we’ve seen a decrease in the number of malicious Office file downloads, as new security controls introduced by Google and Microsoft have made it more difficult for attackers to launch successful attacks using those platforms,” Canzanese explained.

Nearly half (47%) of malware downloads originated from cloud apps, compared to 53% from traditional websites, as attackers continued to use a combination of the cloud and the web to target their victims.

Most malware downloads originate from servers located in the same regions as their victims, with attackers distributing their malware all over the world to evade geofencing.

Cybercriminals: The Next Big Business

Patrick Harr, CEO of SlashNext, an anti-phishing company, said cybercriminals operate just like any traditional company, providing benefits to employees, taking the weekend off and improving their productivity to be more successful.

“The most worrying component of this survey is the improved tactics of cybercriminals in general,” he said. “It is structured and uses the latest technologies to be more successful, including SEO, trusted services, machine learning, and automation tools.”

He explained that SEO is a key component in improving the visibility of a product or service, and for cybercriminals, the product is phishing, malware or rogue software.

“It is not surprising that this happens. For this to work, malicious URLs must be masked so that search engines do not see them as malicious. This is why we’ve seen a huge increase in the use of trusted cloud services to mask malicious URLs.”

Broken trust

He explained that security techniques that rely on URL rewriting with domain reputation and trust graphs will not be able to detect these types of malicious URLs hiding inside trusted services.

Harr said that SlashNext has seen a 200% increase in trusted domains used to deliver malicious attacks because these methods have been so successful for cybercriminals; most security technologies haven’t caught up with these types of attacks.

He added that AI-powered security services that use computer vision and real-time scanning will detect these types of techniques, and that using these security services in the browser will help keep an organization’s employees safe.
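The two points above, the CAPTCHA-style lure inside a PDF that Canzanese describes and Harr’s observation that domain-reputation checks pass links hosted on trusted cloud services, can be illustrated with a small defender-side script. This is an added example, not code from Netskope, SlashNext or Lookout: it embeds a constructed, uncompressed PDF with placeholder hostnames and a constructed lure sentence, extracts the Link annotation targets and visible text with regular expressions, and then contrasts a domain-only reputation verdict with a content-aware verdict that also looks at the lure text. Real-world PDFs normally compress their streams, so a production version would parse them with a PDF library rather than regexes.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with one page, a text
# stream that mimics a CAPTCHA-style lure, and two /Link annotations.
# Every hostname here is a placeholder, not an indicator from the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.trusted-cloud.test/u/abc123/open) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docs.vendor.test/manual.pdf) >> >> endobj
6 0 obj << /Length 73 >> stream
BT /F1 12 Tf (I am not a robot - click to verify and open document) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (...) inside Link annotations; the first ')' not escaped by '\' ends the string.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Literal strings drawn with the Tj operator (enough for uncompressed content streams).
TEXT_RE = re.compile(rb"\((.*?)(?<!\\)\)\s*Tj")

# Constructed lure phrases; a real deployment would tune these from observed samples.
LURE_PHRASES = ("captcha", "not a robot", "click to verify", "verify you are human")


def extract_uris(pdf_bytes):
    """Return the URI target of every Link annotation in an uncompressed PDF."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]


def extract_text(pdf_bytes):
    """Return the visible text drawn by simple Tj operators in an uncompressed PDF."""
    return " ".join(m.decode("latin-1") for m in TEXT_RE.findall(pdf_bytes))


def domain_reputation_verdict(url, trusted_domains):
    """Domain-only reputation lookup: anything hosted on a trusted domain is allowed.
    This is the kind of check the article says cannot see links hidden in trusted services."""
    host = (urlparse(url).hostname or "").lower()
    trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
    return "allow" if trusted else "review"


def compare_verdicts(pdf_bytes, trusted_domains):
    """Run both checks over one PDF and return them side by side."""
    text = extract_text(pdf_bytes).lower()
    has_lure = any(phrase in text for phrase in LURE_PHRASES)
    uris = [u for u in extract_uris(pdf_bytes) if urlparse(u).scheme in ("http", "https")]
    domain_only = {u: domain_reputation_verdict(u, trusted_domains) for u in uris}
    if has_lure and uris:
        content_aware = "block"   # CAPTCHA-style lure plus an outbound link: treat as phishing
    elif uris:
        content_aware = "review"  # outbound links without a lure: hand to URL/content scanning
    else:
        content_aware = "allow"
    return {"lure_text": has_lure, "domain_only": domain_only, "content_aware": content_aware}


if __name__ == "__main__":
    result = compare_verdicts(SAMPLE_PDF, {"trusted-cloud.test"})
    for url, verdict in result["domain_only"].items():
        print(f"domain reputation: {verdict:6}  {url}")
    print(f"content-aware verdict: {result['content_aware']} (lure text found: {result['lure_text']})")
```

Running it shows the gap the article describes: the link into the trusted cloud host comes back as "allow" from the domain-only check, while the content-aware check blocks the document because the lure text and an outbound link occur together. The `trusted_domains` set stands in for whatever reputation feed a gateway consults; the lure phrases and thresholds are deliberately simple and would be tuned from real samples.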

The most worrying discovery is the use of SEO to target victims, said Savio Lau, employee security intelligence researcher at Lookout, a security service edge (SSE) provider.

“Most people trust the results that search engines provide, so they don’t care as much about comparing the links they receive from other means,” he said. “This also explains why attackers resort to SEO techniques to improve their effectiveness.”

This shows how attackers use trusted sources or data points against victims to increase the effectiveness of their malicious campaigns.

“Security teams must be vigilant about recent attack trends and remove the attack surface, such as having a security solution in place to detect these attacks and limit the types of files allowed,” he added. “It is also important to make users aware of the dangers of online material – even if the results are from a search engine. Even as attack techniques change, educated users are still less likely to fall victim to attacks.”

One particularly interesting data point, he added, is the success of changes made in Microsoft Office that were put in place to curb attacks that take advantage of malicious Office documents. After these changes, he said, attackers changed their approach to use other available methods.

“We’ve already seen attackers change their tactics and switch to using PDFs as part of these attacks rather than Word documents or spreadsheets,” Lau said. “Both attackers and defenders continue to adapt their tactics as security improves and new weaknesses and tactics are discovered.”
