In a novel attack method, hackers have been exploiting previously compromised sites and SEO methods to infect users with a banking Trojan.
Researchers have discovered that threat actors have been exploiting Google algorithms in order to inject users’ devices with banking malware. So far, the research has determined that hackers utilized search engine optimisation (SEO) methods to launch their campaign.
The security division of the tech company, Cisco, known as Talos discovered the latest hacking campaign. Researchers from Talos discovered that the attackers were exploiting previously compromised websites and specific keyword sets in order to rank higher on Google searches. The attack was noteworthy as it was financial in nature and yet did not use traditional phishing emails.
The payload that the hackers used appeared to be an updated version of “Zeus Panda”. This Trojan was used previously by threat actors to steal financial information and banking login credentials.
The threat actors successfully managed to display their compromised sites first in search results. So far, it is still unclear who is behind the attack.
Search terms that the hackers used included: “free online books for bank clerk exam”, “how to cancel a cheque commonwealth bank”, and “axis bank mobile banking download link”.
The researchers detailed their findings in a blog post on the firm’s website. According to the post, certain regions were more targeted than others. The most affected areas appeared to bank in India and the Middle East.
Once a user clicked on a malicious link, they were immediately redirected to a compromised site. In turn, the site would display a compromised Microsoft Word document. Once the user opened the document, the Trojan could infect their device.
According to the Talos team, this attack method could prove to be very damaging in its scope as most individuals have become accustomed to frequent Googling. However, the team cautioned that not all links in a Google search are necessarily safe.
The team confirmed that the hackers responsible have exploited this common behavior when they utilized SEO phrases to ensure that their links would appear first. In turn, this allowed them to infect unsuspecting users with the Zeus Panda Trojan.
However, researchers did commend the innovative attack method. Generally, hackers seeking to launch banking hack campaigns, rely on phishing emails. Exploiting SEO phrases is an entirely new approach, which could perhaps be more used in the future.
Despite the novel approach to banking scams, the scam’s evolvement poses a formidable threat to users in the future. The Talos team stated that this latest attack is indicative of the determination on the part of hackers to spread malware and steal information for their own gain.
The team concluded by stating that all users online must always be vigilant. Do not click on new links unknowingly and never open attachments that you don’t trust.
They stressed that users must “remain vigilant and think twice before clicking a link, opening an attachment or even blinding trusting the results of a Google search.”