Cybercriminals are deploying search engine optimization (SEO) tricks to push malicious domains up the Google search rankings, security researchers have discovered.
According to a report from the security team at AT&T, in addition to distributing malware via email campaigns, the operators behind the infamous Sodinokibi ransomware are targeting key phrases commonly punched into Google.
“There’s a saying that nothing can be certain, except death and taxes; in today’s cyber threat landscape, we can add ransomware to that shortlist,” wrote Ken Ng, a researcher at AT&T. “In this incident, one of [our] customers almost had an incident at the crossroads of taxes and ransomware.”
SEO for cybercriminals
Although the attack was mitigated automatically by the security protections in place, AT&T believed the incident warranted further investigation, as it was not immediately clear how the individual had ended up with the infection.
When researchers eventually tracked down the offending domain, they found it stood out because it used HTTP, not HTTPS (a more secure protocol), and because the URL itself had nothing to do with the headline of the page, which had been crafted with SEO in mind.
The page itself was reportedly “extremely suspicious and sparse”, containing a link to download the answer to the original search query: “does Missouri have a reciprocal agreement with Kansas?”.
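The indicators the report describes (a plain-HTTP page, a URL unrelated to the page's title, and a download offered from a page reached via a Google search) can be turned into a defender-side triage heuristic over web-proxy records. This is an added example, not code from AT&T's report; the record field names and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Short words that carry no signal when comparing a URL path to a page title.
STOPWORDS = {"a", "an", "the", "of", "with", "and", "does", "have", "is", "in", "to"}


def tokens(text):
    """Lower-case word set of text, minus stopwords and very short tokens."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower())
            if w not in STOPWORDS and len(w) > 2}


def url_title_overlap(url, title):
    """Words shared by the URL path and the page title (empty set = mismatch)."""
    path = re.sub(r"[-_/.]", " ", urlparse(url).path)
    return tokens(path) & tokens(title)


def from_google_search(referer):
    """True if the page was reached from a Google search results page."""
    parsed = urlparse(referer or "")
    host = parsed.netloc.lower()
    return (host == "google.com" or host.endswith(".google.com")) and parsed.path.startswith("/search")


def triage(record):
    """Return the lure indicators present in one proxy record (empty list = nothing seen)."""
    reasons = []
    if urlparse(record["url"]).scheme == "http":
        reasons.append("plain-http")           # site served over HTTP, not HTTPS
    if from_google_search(record.get("referer")) and not url_title_overlap(record["url"], record["title"]):
        reasons.append("url-title-mismatch")   # SEO-crafted title, unrelated URL
    if record.get("download"):
        reasons.append("download-from-page")   # file offered from the landing page
    return reasons


# Constructed sample records (hypothetical field names: url, referer, title, download).
SAMPLE_RECORDS = [
    {"url": "http://lure.example/blog/garden-tools-2021",
     "referer": "https://www.google.com/search?q=does+missouri+have+a+reciprocal+agreement+with+kansas",
     "title": "Does Missouri have a reciprocal agreement with Kansas?",
     "download": "answer.zip"},
    {"url": "https://tax-help.example/missouri-kansas-reciprocal-agreement",
     "referer": "https://www.google.com/search?q=missouri+kansas+reciprocal+agreement",
     "title": "Missouri and Kansas reciprocal agreement explained",
     "download": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["url"], triage(rec))
```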
The specificity of this targeting is alarming (after all, a comparatively small number of people are likely to be making this particular query) and raises the question: how many other key terms are Sodinokibi and other cybercriminals targeting?
To shield against attacks of this kind, users are advised to ensure their devices are protected by a leading antivirus service, to steer clear of websites not protected by HTTPS and to avoid downloading content from unfamiliar sources.