Seemingly innocent searches can tempt you with malware-infested links.
Getting infected with malware isn’t just clicking on an errant file, but it usually occurs because an entire ecosystem is created by attackers to fool you into actually doing the click. This is the very technique behind something called SEO poisoning, in which seemingly innocent searches can tempt you with malware-infested links.
The malware chain begins by an attacker generating loads of fake web content that are intended to “borrow” or piggyback on the reputation of a legitimate website. The fakes contain the malware and manage to get search results to appear higher on internet search engines by using pairs of attackers: One poses the question on a forum, while the other “answers” with a link that contains the malware.
This way, the attackers can lure victims who are more likely to see and trust search results with a higher ranking. These conversations poison the online internet forums with various links that point to a ZIP file archive. The archive contains the initial stage of the malware. Later stages collect data on your IP address and other user information, and screens your endpoint to ensure that it is running Windows and meet other target criteria.
One such poisoning attack has been recently seen involving the malware GootLoader. This is a multi-staged JavaScript malware package that has been in the wild since late 2020. CISA named GootLoader a top malware strain of 2021. Earlier this year, it targeted users searching for plea agreements, but lately, the threat actors are targeting users who are about to be laid off and searching for transition services and other employment-related documents.
Researchers have attributed the malware to a group they call TAC-011 that has been in operation for several years and compromised hundreds of legitimate WordPress websites.
How to fight back against SEO poisoning attacks
There are several proactive measures you can take to fight these sorts of attacks. First off, pay attention to what you are viewing in the search results page. While the poisoned link appears legitimate, it doesn’t usually survive closer inspection. For example, the transition documents cited above were included in a sports streaming website — that's how these results get their Google boost and show up higher in the SEO rankings. Being aware of what you are about to click on is always good advice.
Second, you should also pay attention to any included links on a search page and match up what the text says with the specific URL. Next, use Windows Group Policies to prevent malicious file types (GootLoader uses JavaScript files) from automatically running. Researchers are keeping track of GootLoader phony websites and new tactics.
Finally, any HR-related documents should be available on internal servers and should make this situation — as well as how to request the appropriate document — clear to employees.