Scammers are optimizing SEO results to lure victims

Don’t be duped by top ranked results that seem too good to be true

unnamed-3

Google, Bing, Yahoo, Yandex, and Baidu are some of the world’s top search engines and serve as the starting point for millions of internet users seeking information. Most people probably don’t browse past the first two or three pages of search results, which is why website owners aim to get their site to appear among the top results, to attract site visitors. Website owners do this using a process called search engine optimization (or SEO). Businesses rely on good reviews, Google Maps, and optimized content to ensure their websites are well tuned to be easily searched and shown in results.

Scammers have realized that they can also use SEO to find more victims and convince them into clicking on a link if their websites appear higher in search engine results. Using this, they are able to get well known search engines to list simple html web pages that contain redirectors leading to scam content. A typical scam page might be a simple page convincing people that they won a new iPhone and with the right search words, malicious links can be listed on the first and second pages of search results. 

How?

It all starts with a simple search. If you put enough keywords into the search box, the result may include simple websites that were created just to be easily indexed and listed by the search engines. For this query below, I searched for online films with subtitles in Romanian. Our data shows a lot of activity on Google and Yandex.

unnamed-3Google search results with fake product reviews

unnamed-1-1Yandex search results

All of the scam websites look similar. The only difference is the targeted brands. The source code of the website clearly shows the effort to make simple webpages as SEO friendly as possible.

unnamed-2-1Well SEO-optimized simple website

The simple design with only text and pictures is not meant for the users' eyes. The purpose of this website is hidden, as always, in the source code.

unnamed-1-2Fake rating

The first glance shows fixed code to create the appearance of positive Google product reviews in rich search results. The static information attached is more noticeable amongst other links in search results (show in second illustration).

The source code also shows an import of heavily obfuscated javascript which takes fingerprints of the user before redirecting them to the scam site. 

unnamed-2-2Import of obfuscated script

Obfuscation of the source code utilizes many cycles of functions, which essentially builds final source code word by word.

 

unnamed-3-1Variable BaatKw loads deobfuscated values during script evaluation

unnamed-3-1The search engines targeted

Redirect

unnamed-4During script evaluation users see a simple loading image

When clicking on the link in the google search results, the user, for a brief moment, sees a simple loading image before the site redirects them to one of the prepared scam websites. For example, one of the sites can be a fake questionnaire, asking you to answer a few questions to get the chance of winning the latest iPhone. Or a simple game where you open presents. We are seeing many newly registered domains whose only purpose is to host the scam content. 

unnamed-5A possible scam site

unnamed-6Scam questionnaire 

Resolved IP address of demoerlayns[.]live hosts more than 5k other suspicious domains.

unnamed-4Whois information of demoerlayns[.]live

If you tried to visit some of those domains, the typical return is blank page with a note.

unnamed-5Main page

But adding the correct parameter, you get scam content.

unnamed-6Susp domain with parameter

unnamed-7Other suspicious domain resolving on same IP address

unnamed-8Hundreds of newly occurred domains on resolved IP

But back to the scam page itself. After answering all of the questions, the website acts as if it is evaluating answers and then, surprise, surprise, you are the winner. To help convince those who are already a bit suspicious of the offers, there are several fake Facebook comments where users comment about their new phones. All of the text on this page is translated to Czech or other languages, depending on where your IP address is, without noticeable grammatical errors.

unnamed-7Fake comments

So you won. Now what? In order to get your prize, all you have to do is click on the provided link set up to convince the user that there is apparently only one left. This click will transfer you to another webpage. 

unnamed-8

Fake page offering prize for a small fee

A simple but nicely designed form comes up with the option to pick the color of your new device. The only thing left to do is fill out your contact information and pay a symbolic price of 2 euros. There are several designs that come up of essentially the same page.

unnamed-9One of the possible payment sites

unnamed-10Payment form

This ends with the user sending your money to the attackers and the user assuming they almost have a free iPhone. Although this is the common scam, there are variants. You can end up with a page asking you to allow push notifications. By allowing those notifications, your browser will start showing you unwanted ads, shown below.

unnamed-11Push notification pop-up 

unnamed-9Unwanted ads in notifications

Another one of these scam variants that attackers have made is a different website promising solutions for those who want to earn big money, continuing on the lines to help people, by having them make a payment in order to receive more.

unnamed-12More scam variants

unnamed-13Other possible category of scam

Conclusion

From what we are seeing in our data, these types of scam campaigns are growing in popularity. In comparison with phishing campaigns, where it is easier to analyze and find these campaigns by the source code, these kinds of scam website campaigns can give attackers not only users credentials, but are often also monetized. A lot of these campaigns use large amounts of targeting before showing this particular content to users. This affords them a better chance to avoid detections by antivirus software. If you’re searching online for something specific and you come across an offer that seems too good to be true, it probably is. Be careful about who you are sharing your financial information with online and don’t fall prey to these types of scams. 

unnamed-10Scam campaign has a global focus (As of June 8th)

As you can see in the illustration, our data shows that the detected campaign has a global impact.

Related articles

--> -->