Don’t get me wrong. I know that it’s somewhat common knowledge to many people that Google search results or the ads that are intermingled with the results can often lead to malware or phishing sites. This has been a de-facto threat vector for anyone surfing the internet for the past two decades.
This way of delivering malware is often referred to as “SEO poisoning” or “SERP poisoning,” where SEO stands for search engine optimization and SERP stands for search engine results page.
Over the years, several cybercrime operations have made SEO/SERP poisoning their preferred way of delivering their malware. Typically, these were gangs specialized in cryptomining, which usually hid their payloads in pirated software or software license cracks.
SERP/SEO poisoning was happening, but it wasn’t everyone’s go-to method for their operations. That honor has always gone to email-based delivery channels. Spear-phishing, mass-phishing, and malspam have dominated infosec reports over the past decade, and for good reasons. Email security standards sucked, email security solutions were simplistic, and email spam delivery was cheap.
But that tide is slowly shifting, and since late 2021, a trend has been emerging in the cybercrime ecosystem, with many operations dipping their toes back into SEO/SERP poisoning as a distribution tactic, either a replacement or a companion for classic email channels.
My main takeaway from reading this report: Several of the top threat actors have relied quite a lot on SEO/SERP poisoning to infect victims last year.
— Catalin Cimpanu (@campuscodi) March 22, 2022
Throughout 2022 and early 2023, we’ve had Gootkit/Gootloader, IcedID, BatLoader, PrivateLoader, NullMixer, FakeCrack, RedLine Stealer, Rhadamanthys Stealer, Vidar Stealer, Yellow Cockatoo, VagusRAT, MasquerAds, and loads more testing or fully embracing SEO/SERP poisoning for their operations.
More on this from Patrick Schläpfer, a malware analyst at HP Wolf Security, who will also have a report out on Wednesday on another new SEO/SERP poisoning campaign, this time distributing the Vidar Stealer via websites mimicking Audacity, Microsoft Teams, Discord, and Adobe, all promoted through Google ads.
“Since November 2022, we’ve seen a surge of malware distributed through malicious search engine adverts, rather than traditional spam, with multiple threat actors currently using this technique. Attackers are imitating the websites of popular software projects to trick victims into infecting their computers and buying search engine adverts to drive traffic there. The fake domains closely resemble the legitimate ones, making it difficult to recognize the adverts as malicious. For example, we found 92 domains typosquatting popular software products likely used to distribute IcedID, suggesting a growing focus on this delivery mechanism among threat actors.”
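As an added defensive illustration, not code from HP Wolf Security or this newsletter: a small Python triage that sorts ad landing-page hosts into official, lookalike and unrelated, using an assumed allowlist of official download hosts, edit distance and brand-label matching; every host in it is constructed.

```python
import re

# Constructed allowlist of official download hosts and brand tokens (assumption:
# a defender maintains such a list; these values are illustrative, not from the page).
OFFICIAL_HOSTS = {"obsproject.com", "audacityteam.org", "discord.com",
                  "adobe.com", "microsoft.com", "github.com"}
BRANDS = ("obs", "audacity", "discord", "adobe", "teams")

def registrable(url: str) -> str:
    """Reduce a URL or host to a bare lowercase hostname without a leading 'www.'."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0].split(":")[0]
    return host[4:] if host.startswith("www.") else host

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a small value against an official host suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for an ad landing-page URL."""
    host = registrable(url)
    # Exact match or a genuine subdomain of an official host is fine.
    if host in OFFICIAL_HOSTS or any(host.endswith("." + o) for o in OFFICIAL_HOSTS):
        return "official"
    # One or two edits away from an official host (obsproject.co, dicsord.com, ...).
    if any(levenshtein(host, o) <= 2 for o in OFFICIAL_HOSTS):
        return "lookalike"
    # Brand used as a whole label or as a label prefix (obs-studio-dl.example,
    # discordapp.net, obsproject.com.evil.example). Prefix matching, not substring
    # matching, keeps 'jobs' from being flagged for 'obs'.
    tokens = re.split(r"[^a-z0-9]+", host)
    if any(t == b or t.startswith(b) for t in tokens for b in BRANDS):
        return "lookalike"
    return "unrelated"

def triage(urls):
    """Group a batch of landing-page URLs by verdict, for review or blocking."""
    verdicts = {"official": [], "lookalike": [], "unrelated": []}
    for u in urls:
        verdicts[classify(u)].append(u)
    return verdicts

if __name__ == "__main__":
    # Constructed sample of landing pages, not real indicators.
    sample = ["https://obsproject.com/download", "obs-studio-dl.example", "dicsord.com",
              "obsproject.com.evil.example", "jobs.example", "https://github.com/obsproject"]
    for verdict, hosts in triage(sample).items():
        print(verdict, hosts)
```

The threshold of two edits and the brand list are tuning knobs; a real deployment would feed the lookalike bucket into ad-blocklist or DNS-filter review rather than block on it blindly.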
The sudden rise in SEO/SERP poisoning attacks also caught the eye of the FBI’s IC3 division, which put out an alert [PDF] trying to warn consumers of the rising threat.
There are many reasons why SEO/SERP poisoning is back. Many have been discussed in this thread.
Is the rise of Google Ad malvertising, SEO poisoning, and common software domain typosquatting merely evidence of how much email filtering has improved? Vidar, Redline, Batloader, GootLoader, PrivateLoader, IcedID, and others are all using it now.
— Will (@BushidoToken) January 16, 2023
Yes, email security products are much more advanced now. Yes, running an SEO/SERP poisoning campaign is much cheaper than renting a spam botnet and expensive coders to make sure your malspam dodges email filters. Yes, online advertising companies (including Google itself) have fewer security checks to pass than a properly configured modern email security gateway. Yes, the proliferation of ad-blocking technologies has forced many ad companies to lower their standards and close their eyes to obvious malicious behavior. Yes, online ads can be used to target only a particular set of users with your malware, something that email was never accurate at.
These operations are back in bulk. If you’re a malware researcher, it’s hard not to see an obvious shift in malware distribution trends these days.
1/ THIS IS BAD!!!
Search for "OBS" in Google and you get, not 1, but 5 (❗️) malicious ads in the first links/results 😱
All part of a new #Rhadamanthys stealer campaign with new tricks and mainly targeting streamers. pic.twitter.com/Y6Sa3lRTTd
— Germán Fernández (@1ZRR4H) January 15, 2023
Why malvertising/seo poisoning is the new meta. It is highly successful because we have created an ecosystem of lazy searching and clicking on the first link instead of verifying or even typing the domains of trusted sites. When the address bar/search bar merged it created this. https://t.co/UXXDce3rPk
— Joe Roosen (@JRoosen) January 15, 2023
Note that this OBS thing isn't an anomaly.
Go ahead and search for about anything that you can download.
The first hits are malware links that Google gets paid money to promote.
Just business as usual… https://t.co/S4205hpWan https://t.co/1LOMPzYA35 https://t.co/Nw9yFoTWaJ pic.twitter.com/OaQ5U3ETSp
— Will Dormann (@wdormann) January 17, 2023
seen a huge uptick in compromises because of Google ads pushing the likes of redline.
— Lucy (@LucyIsOpal) January 15, 2023
Primarily because of its dominance in both online search and ads, Google hosts most of these campaigns.
The most annoying part of all of this is that Google’s support and security teams appear to have been caught on the back foot and are completely unprepared for what’s currently going on. Both security researchers and companies who had their brands abused say they’ve found it difficult to get Google to act and remove the malicious content from search results, a situation that invites more abuse for the foreseeable future.
We are still seeing many users fall victim to fake websites in @Google sponsored links distributing malware. Many of them mimic the appearance of the real site.
We do not have any ads for OBS!
Please ONLY download from our official website https://t.co/Z9F2dM5HFM or our GitHub! pic.twitter.com/jgJ1XvklqP
— OBS (@OBSProject) January 16, 2023