Search Engine Optimisation (SEO) Poisoning is growing to be a popular technique with an unusually large quantity of malicious campaigns being observed recently.

SEO poisoning is an attack vector whereby threat actors manipulate SEO rankings to deliver malicious payloads.

In an SEO Poisoning technique known as Malvertising, actors manipulate search engine rankings through purchasing legitimate sponsored advertisements and having their website appear at the top of search results.

Techniques such as malvertising are becoming increasingly common as traditional techniques such as malicious Microsoft Office macros are no longer proving as successful.

Whilst SEO Poisoning is a long-standing cyber threat, multiple campaigns masquerading as legitimate software such as VLC Media Player, 7-Zip, WinRAR, CCleaner, and Notepad++ have been observed in recent times.

Palo Alto's Unit 42 threat intelligence team have observed 7-Zip malvertising through Google adverts to deliver the Redline (information) Stealer and the Gozi banking trojan - indicating that the actors are likely financially motivated.

Information stealers provide the threat actor with information such as banking/cryptocurrency credentials, browser cookies, session tokens, and more.

This information can then be used to conduct further attacks or sold on illicit marketplaces to other threat actors.

Malvertising for CCleaner has also been observed distributing the Redline Stealer. The malware can be bought on cybercriminal forums on a standalone or subscription basis to accommodate for all budgets, offering typical Infostealer capabilities amongst the ability to steal cryptocurrency, upload and download files, and even execute commands.

In their malvertising exposé, HP's Wolf Security team shared observations around campaigns that have been active since late Q4 2022 - mimicking software such as Audacity, Blender and GIMP.

HP also shared insights into IcedID and infostealers such as Vidar Stealer, Rhadamanthys Stealer, and BatLoader which are all in use by malvertising campaigns.

Organisations should be aware that increased activity surrounding malvertising campaigns is currently ongoing and may continue to develop as a trend in 2023.

When using search engines such as Google, personnel should also be cautious of the web domain they are visiting and aware of how to spot typosquatting and impersonation attempts.

Additionally, software should only be downloaded from official channels such as an organisation portal or vendor stores like the Microsoft Windows Store where possible.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).