SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords


A new SEO poisoning campaign has been discovered that is targeting keywords associated with the U.S. midterm elections. Users who are enticed to visit these pages will then be redirected to a variety of scam sites, adult sites, and sites pushing unwanted software.

SEO poisoning is when attackers create malicious sites or hack legitimate ones in order to generate pages that promote certain keywords. These pages are then cross-linked across a large number of sites under the attacker’s control to get high rankings in search engine results for the promoted keywords. The visitors to these sites are then typically shown scam advertisements or are redirected to other sites pushing unwanted software or infecting users via exploit kits.

In a new report released today, Zscaler explains how attackers have hacked over 10,000 web sites in order to promote 15,000 different keywords. internetnewsblog’s research indicates that the vast majority of sites involved in this poisoning campaign are running WordPress. It is not known what vulnerabilities are being used to compromise these sites.

In the lead-up to the U.S. midterm elections, the attackers are leveraging U.S. politics keywords in order to entice users to visit these sites.

Midterm Election Poisoned Search Results

The pages belonging to this campaign can be identified by their URL structure.  This structure is [domain]/[random-folder]/[random].php?[random_variable]=. For example, http://[domain].com/odn6zog/yrzhwam.php?kfmeupjmp=rmidterm-elections-2018-polls.
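For defenders who want to triage proxy or DNS-layer web logs for this URL structure, the following is an added example (not from Zscaler or the original article). The length ranges and character classes are assumptions inferred from the single example URL above, and the log lines and their `example.*` domains are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed shapes, inferred from the one example URL in the article:
# short lowercase alphanumeric folder and file names, a single query
# parameter with a lowercase name, and a hyphen-separated keyword slug.
PATH_RE = re.compile(r"^/[a-z0-9]{5,10}/[a-z0-9]{5,10}\.php$")
PARAM_RE = re.compile(r"^[a-z]{5,12}$")
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)+$")

def matches_campaign_structure(url: str) -> bool:
    """True if url fits [domain]/[random-folder]/[random].php?[var]=[slug]."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not PATH_RE.match(parts.path):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 1:  # the structure carries exactly one variable
        return False
    name, value = params[0]
    return bool(PARAM_RE.match(name) and SLUG_RE.match(value.lower()))

def flag_log_lines(lines):
    """Return (client, url) for each 'timestamp client url' line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        client, url = fields[1], fields[2]
        if matches_campaign_structure(url):
            hits.append((client, url))
    return hits

# Constructed sample log: timestamp, client IP, requested URL.
SAMPLE_LOG = [
    "2018-10-30T09:14:02Z 10.0.0.21 http://blog.example.com/odn6zog/yrzhwam.php?kfmeupjmp=rmidterm-elections-2018-polls",
    "2018-10-30T09:15:40Z 10.0.0.22 http://shop.example.org/wp-login.php?redirect_to=admin",
    "2018-10-30T09:16:11Z 10.0.0.23 https://news.example.net/2018/10/midterm-polls.html",
    "2018-10-30T09:17:55Z 10.0.0.24 http://site.example.com/k3x9qpa/bvtrwq.php?zpqlmnx=gandcrab-decryptor-kaspersky",
]

if __name__ == "__main__":
    for client, url in flag_log_lines(SAMPLE_LOG):
        print(client, url)
```

The pattern is a coarse filter: legitimate PHP applications can produce URLs of the same shape, so treat matches as leads to correlate with the redirect chain that follows, not as verdicts.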

According to Zscaler, these pages will display different content depending on who is visiting the page. When search engine spiders visit the page, they will see content that allows the page to poison the search results, while normal users will be sent through a series of redirects that ultimately land them at a page pushing scams, adult web sites, unwanted browser extensions, or exploit kits.

You can see an example of a fake Java update page that was pushed by this campaign. The program promoted below would install a mining Trojan on the computer.

Fake Java Update

SEO poisoning campaign also targeting ransomware keywords

I have been tracking this same SEO poison campaign since the end of September 2018 when I ran into sites pretending to offer free decryptors for ransomware infections.  You can see two search results for this campaign in the Google search results below for the “gandcrab ransomware version 2” phrase.

Poisoned GandCrab search results

When visiting these sites, instead of finding the help they are looking for, users will be sent through a series of redirects that ultimately land them on the various pages described earlier in this article.

Example keywords that internetnewsblog has seen targeted by this campaign include:

rapid ransomware removal
gandcrab ransomware version 2
gandcrab v3decryption tool
bip file ransomware
Decrypt crypted000007 
Decrypt onion files 
Arena decryptor 
Ransomware recovery 
Ransomware extensions list 
Dharma java ransomware 
Gandcrab decryptor kaspersky 
Disable smb windows 10 ransomware 
Rapid ransomware decryptor 
Rapid ransomware removal tool 
Kaspersky anti ransomware tool for business review 