A new SEO poisoning campaign has been discovered that is targeting keywords associated with the U.S. midterm elections. Users who are enticed to visit these pages will then be redirected to a variety of scam sites, adult sites, and sites pushing unwanted software.
SEO poisoning is when attackers create malicious sites or hack legitimate ones in order to generate pages that promote certain keywords. These pages are then linked together across a large number of sites under the attacker’s control to get high rankings in search engine results for the promoted keywords. The visitors to these sites are then typically shown scam advertisements or are redirected to other sites pushing unwanted software or infecting users via exploit kits.
In a new report released today, Zscaler explains how attackers have hacked over 10,000 web sites in order to promote 15,000 different keywords. internetnewsblog’s research indicates that the vast majority of sites involved in this poisoning campaign are running WordPress. It is not known what vulnerabilities are being used to compromise these sites.
As we are leading up to the U.S. midterm elections, the attackers are leveraging U.S. politics keywords in order to entice users to visit these sites.
The pages belonging to this campaign can be identified by their URL structure. This structure is [domain]/[random-folder]/[random].php?[random_variable]=. For example, http://[domain].com/odn6zog/yrzhwam.php?kfmeupjmp=rmidterm-elections-2018-polls.
According to Zscaler, these pages will display different content depending on who is visiting the page. When search engine spiders visit the page they will see content that allows the page to poison the search results, while normal users will be sent through a series of redirects that ultimately lands them at a page pushing scams, adult web sites, unwanted browser extensions, or exploit kits.
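For site owners and defenders, the two traits described above (the random-looking /folder/file.php?var= URL shape and the crawler-versus-visitor cloaking) are both visible in an ordinary web server access log. The script below is an added example written for this article, not code from Zscaler or from the campaign; it parses combined-format log lines, flags requests whose path matches the campaign's URL structure, and flags any URL that answered a search engine crawler with 200 while sending normal visitors a 30x redirect. The log lines, IP addresses and the assumed 6 to 12 character length of the random tokens are constructed for the demo and are not from the report.

```python
"""Triage an access log for SEO-poisoning URL shapes and crawler/visitor cloaking.

Added example for defenders; not part of the original article or Zscaler's report.
All log lines below are constructed; IPs are from documentation ranges.
"""
import re
from collections import defaultdict

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Campaign shape from the article: /[random-folder]/[random].php?[random_variable]=
# Token length 6-12 lowercase alphanumerics is an assumption based on the sample URL.
CAMPAIGN_URL_RE = re.compile(r'^/[a-z0-9]{6,12}/[a-z0-9]{6,12}\.php\?[a-z0-9]{6,12}=')

# Crawler user agents we treat as "search engine spider" traffic.
CRAWLER_UA_RE = re.compile(r'googlebot|bingbot|slurp|duckduckbot|baiduspider', re.I)

# Constructed sample log: one poisoned URL served to Googlebot (200) and to a real
# visitor arriving from Google (302), plus ordinary WordPress traffic for contrast.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2018:10:15:22 +0000] "GET /odn6zog/yrzhwam.php?kfmeupjmp=rmidterm-elections-2018-polls HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [01/Nov/2018:10:16:03 +0000] "GET /odn6zog/yrzhwam.php?kfmeupjmp=rmidterm-elections-2018-polls HTTP/1.1" 302 312 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '203.0.113.5 - - [01/Nov/2018:10:17:41 +0000] "GET /blog/index.php?p=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.8 - - [01/Nov/2018:10:18:09 +0000] "GET /blog/index.php?p=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '192.0.2.9 - - [01/Nov/2018:10:19:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '192.0.2.9 - - [01/Nov/2018:10:20:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_campaign_url(url):
    """True if the request path has the campaign's random folder/file/variable shape."""
    return bool(CAMPAIGN_URL_RE.match(url))


def analyze(lines):
    """Flag campaign-shaped URLs and URLs that cloak (crawler gets 200, visitor gets 30x)."""
    campaign = set()
    by_url = defaultdict(lambda: {"crawler": set(), "visitor": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the run
        if is_campaign_url(rec["url"]):
            campaign.add(rec["url"])
        kind = "crawler" if CRAWLER_UA_RE.search(rec["ua"]) else "visitor"
        by_url[rec["url"]][kind].add(rec["status"])
    cloaked = sorted(
        url for url, seen in by_url.items()
        if "200" in seen["crawler"] and any(s.startswith("3") for s in seen["visitor"])
    )
    return {"campaign_urls": sorted(campaign), "cloaked_urls": cloaked}


if __name__ == "__main__":
    for key, urls in analyze(SAMPLE_LOG).items():
        print(key)
        for u in urls:
            print("  ", u)
```

The URL regex is a heuristic keyed to the structure the article describes, so treat a match as a reason to inspect the file on disk rather than as proof of compromise; the cloaking check is the stronger signal, because a legitimate page has no reason to answer a crawler and a human differently. A redirect that only visitors receive (the /wp-admin/ login bounce in the sample) is not flagged, since no crawler saw a 200 for that URL.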
You can see an example of a fake Java update page that was pushed by this campaign. The program promoted below would install a mining Trojan on the computer.
SEO poisoning campaign also targeting ransomware keywords
I have been tracking this same SEO poison campaign since the end of September 2018 when I ran into sites pretending to offer free decryptors for ransomware infections. You can see two search results for this campaign in the Google search results below for the “gandcrab ransomware version 2” phrase.
When visiting these sites, instead of finding the help they are looking for, users will be sent through a series of redirects that ultimately lands them at the various pages described earlier in this article.
Example keywords that internetnewsblog has seen targeted by this campaign include:
rapid ransomware removal
gandcrab ransomware version 2
gandcrab v3decryption tool
bip file ransomware
Decrypt crypted000007
Decrypt onion files
Arena decryptor
Ransomware recovery
Ransomware extensions list
Dharma java ransomware
Gandcrab decryptor kaspersky
Disable smb windows 10 ransomware
Rapid ransomware decryptor
Rapid ransomware removal tool
Kaspersky anti ransomware tool for business review