Don’t get me wrong. I know that it’s somewhat common knowledge to many people that Google search results or the ads that are intermingled with the results can often lead to malware or phishing sites. This has been a de-facto threat vector for anyone surfing the internet for the past two decades.
This way of delivering malware is often referred to as “SEO poisoning” or “SERP poisoning,” where SEO stands for search engine optimization and SERP stands for search engine results page.
Over the years, several cybercrime operations have made SEO/SERP poisoning their preferred way of delivering malware. Typically these were cryptomining gangs, which hid their payloads inside pirated software or software license cracks and relied on search results to bring victims to them.
SERP/SEO poisoning was happening, but it wasn’t everyone’s go-to method for their operations. That honor has always gone to email-based delivery channels. Spear-phishing, mass-phishing, and malspam have dominated infosec reports over the past decade, and for good reasons. Email security standards sucked, email security solutions were simplistic, and email spam delivery was cheap.
But that tide is slowly shifting. Since late 2021, a trend has been emerging in the cybercrime ecosystem, with many operations dipping their toes back into SEO/SERP poisoning as a distribution tactic, either as a replacement for or a companion to classic email channels.
Throughout 2022 and early 2023, we’ve had Gootkit/Gootloader, IcedID, BatLoader, PrivateLoader, NullMixer, FakeCrack, RedLine Stealer, Rhadamanthys Stealer, Vidar Stealer, Yellow Cockatoo, VagusRAT, MasquerAds, and loads more testing or fully embracing SEO/SERP poisoning for their operations.
More on this from Patrick Schläpfer, a malware analyst at HP Wolf Security, who will also have a report out on Wednesday on another new SEO/SERP poisoning, this time distributing the Vidar Stealer via websites mimicking Audacity, Microsoft Teams, Discord, and Adobe, all promoted through Google ads.
“Since November 2022, we’ve seen a surge of malware distributed through malicious search engine adverts, rather than traditional spam, with multiple threat actors currently using this technique. Attackers are imitating the websites of popular software projects to trick victims into infecting their computers and buying search engine adverts to drive traffic there. The fake domains closely resemble the legitimate ones, making it difficult to recognize the adverts as malicious. For example, we found 92 domains typosquatting popular software products likely used to distribute IcedID, suggesting a growing focus on this delivery mechanism among threat actors.”
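The typosquatted domains Schläpfer describes are the one part of these campaigns a defender can check for mechanically. The script below is an added example written for this post, not code from HP Wolf Security or from the original article: it folds the usual digit-for-letter and letter-pair swaps, then compares the registrable label of each domain against a small hypothetical watchlist of product names (the brands named above) using an edit distance that counts adjacent transpositions as one typo. The watchlist, thresholds and sample domains are all assumptions constructed for the example; none of the domains are real campaign indicators.

```python
"""Flag domains that impersonate software brands the way the ad campaigns above do.

Added example for this post; not code from the original article or from HP Wolf Security.
"""
from typing import Optional, Tuple

# Hypothetical watchlist: brand keyword -> the registrable domain that is actually legitimate.
WATCHLIST = {
    "audacity": "audacityteam.org",
    "teams": "microsoft.com",
    "discord": "discord.com",
    "adobe": "adobe.com",
}

# Digit-for-letter swaps commonly seen in lookalike labels (assumed list).
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Letter pairs that render like a single letter in many fonts (assumed list).
PAIR_MAP = (("rn", "m"), ("vv", "w"))


def normalize(label: str) -> str:
    """Fold confusable characters so 'audac1ty' and 'rnicrosoft' compare like the plain brand."""
    label = label.lower()
    for pair, single in PAIR_MAP:
        label = label.replace(pair, single)
    return label.translate(DIGIT_MAP)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(domain: str) -> Optional[Tuple[str, str]]:
    """Return (registrable domain, second-level label).

    Assumes a one-label public suffix; a real deployment would consult the
    Public Suffix List so that names under 'co.uk' and similar are handled.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:]), labels[-2]


def classify(domain: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (verdict, matched brand, edit distance) for one domain."""
    parts = registrable(domain)
    if parts is None:
        return "invalid", None, None
    reg, sld = parts
    for brand, legit in WATCHLIST.items():
        if reg == legit:
            return "legitimate", brand, 0
    norm = normalize(sld)
    # Brand name embedded in a longer label: 'discord-app-download', 'rnicrosoft-teams'.
    for brand in WATCHLIST:
        if brand in norm:
            return "brand-in-domain", brand, 0
    # Whole label, or any hyphen-separated token, within a typo or two of the brand.
    best: Optional[Tuple[str, int]] = None
    for brand in WATCHLIST:
        limit = 1 if len(brand) <= 5 else 2  # assumed thresholds; short brands get less slack
        for token in {norm, *norm.split("-")}:
            dist = osa_distance(token, brand)
            if dist <= limit and (best is None or dist < best[1]):
                best = (brand, dist)
    if best:
        return "lookalike", best[0], best[1]
    return "no-match", None, None


# Constructed sample domains for the demo (not real campaign indicators).
SAMPLE_DOMAINS = [
    "audacityteam.org",
    "audac1ty.com",
    "discord-app-download.net",
    "rnicrosoft-teams.com",
    "discorcl.com",
    "example.com",
]

if __name__ == "__main__":
    for dom in SAMPLE_DOMAINS:
        print(dom, classify(dom))
```

Run it over a newly-registered-domain feed or the hostnames in your proxy logs and triage anything that is not "legitimate" or "no-match". The substring check is deliberately loose (a store that happens to contain "teams" in its name will trip it), so treat the output as a hunting lead rather than a block decision, and pair it with the ad-landing-page and download-host context the HP write-up describes.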
The sudden rise in SEO/SERP poisoning attacks also caught the eye of the FBI’s IC3 division, which put out an alert [PDF] trying to warn consumers of the rising threat.
There are many reasons why SEO/SERP is back. Many have been discussed in this thread.
Yes, email security products are much more advanced now. Yes, running an SEO/SERP poisoning campaign is much cheaper than renting a spam botnet and paying expensive coders to make sure your malspam dodges email filters. Yes, getting an ad approved by an online advertising company (Google included) involves fewer security checks than getting a message past a properly configured modern email security gateway. Yes, the proliferation of ad-blocking technologies has pushed many ad companies to lower their standards and close their eyes to obvious malicious behavior. Yes, online ads can be targeted at a particular set of users (by location, language, or the search terms they type), something email never allowed with any precision.
These operations are back in bulk. If you’re a malware researcher, it’s hard not to see an obvious shift in malware distribution trends these days.
Primarily because of its dominance in both online search and ads, Google hosts most of these campaigns.
The most annoying part of all of this is that Google’s support and security teams appear to have been caught on the back foot and are completely unprepared for what’s currently going on. Both security researchers and companies who had their brands abused say they’ve found it difficult to get Google to act and remove the malicious content from search results, a situation that invites more abuse for the foreseeable future.