There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the term given to the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but this technique is most commonly used for distributing malware.
Search engine poisoning can be achieved in different ways. One way it is used to target businesses is to create a webpage and use search engine optimization techniques to target specific search queries. It can take a lot of time and effort to get webpages appearing in the organic search results for key search terms, but since the queries typically targeted have little competition, it is quite easy to get pages appearing high up in the organic search engine listings. Attackers typically target low-volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search is looking to download the content, they can easily be tricked into downloading a malicious file. Oftentimes the user will get the file they are looking for, but malware will be silently installed when the file is opened.
Google is well aware that the higher up a webpage is in the search results, the more likely it will be visited. The prime spots are at the very top of the search engine results, and that area is reserved for sponsored links. Getting a malicious site in these links will maximize the traffic to a website, and advertisers compete for these advertising slots through the Google Ads online advertising platform. Advertisers can bid for these slots for key search terms that they want to target.
Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads. An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that, in addition to installing the software, it silently executes malicious code that installs malware.
The domain names used closely mirror those used by the legitimate brand, and typically include the brand name with additional characters or words to make it appear that the domain is official. The downloaded files are usually signed with certificates that, while invalid, have been issued to recognizable brands. If the warning signs are ignored and the installation file is executed, malware will be installed.
The key to defending against these attacks is to prevent these malicious files from being downloaded, and ideally, prevent users from visiting the malicious websites. The early stages of the attack can be blocked with an ad blocker or web filter. A web filter can be configured to prevent a user from visiting the malicious website, whereas an ad blocker will only block the adverts and will not block search engine poisoning in the organic listings. A web filter can also be configured to block downloads of certain file types, such as executable files. In addition to blocking search engine poisoning, preventing downloads of executable files will help IT teams to control shadow IT – unauthorized software installations.
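The two web filter checks described above (brand-lookalike domains and blocked file types), applied to proxy log lines. This is an added example, not code from the original article or from any TitanHQ product; the brand names, `.example` domains, log format, and blocked extension list are all constructed assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: brand token -> official registrable domains (hypothetical brands).
OFFICIAL = {"examplesoft": {"examplesoft.example"}, "acmezip": {"acmezip.example"}}
# Assumption: file types the filter policy refuses to download.
BLOCKED_EXT = {".exe", ".msi", ".scr", ".bat", ".iso"}

def registrable(host):
    # Simplification: last two labels. Use the Public Suffix List in production.
    return ".".join(host.rstrip(".").split(".")[-2:])

def evaluate(url):
    """Return the reasons a web filter would block this URL (empty list = allow)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Drop separators so 'example-soft' and 'examplesoft.example.cdn' still match.
    squashed = host.replace("-", "").replace(".", "")
    reasons = []
    for brand, domains in OFFICIAL.items():
        # Brand name present, but the site is not on the brand's own domain.
        if brand in squashed and registrable(host) not in domains:
            reasons.append(f"lookalike:{brand}")
    ext = posixpath.splitext(unquote(parts.path).rstrip("/"))[1].lower()
    if ext in BLOCKED_EXT:
        reasons.append(f"filetype:{ext}")
    return reasons

# Constructed proxy log lines: "<timestamp> <user> <url>".
LOG = """\
2024-01-01T09:00:01Z alice https://download.examplesoft.example/docs/guide.pdf
2024-01-01T09:00:05Z bob https://examplesoft-download.example/setup.exe
2024-01-01T09:01:10Z carol https://example-soft.example/pricing
2024-01-01T09:02:00Z dave https://examplesoft.example.files-cdn.example/installer.msi?src=ad
2024-01-01T09:03:00Z erin https://acmezip.example/releases/acmezip-7.exe
""".splitlines()

def scan(lines):
    """Return (user, url, reasons) for every request the policy would block."""
    hits = []
    for line in lines:
        _, user, url = line.split(maxsplit=2)
        reasons = evaluate(url)
        if reasons:
            hits.append((user, url, reasons))
    return hits

if __name__ == "__main__":
    for user, url, reasons in scan(LOG):
        print(user, url, ",".join(reasons))
```

The executable on the official `acmezip.example` domain is still blocked by file type, which matches the shadow IT control described above.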
These methods of malware distribution should also be covered in security awareness training. Businesses should teach their employees security best practices and make them aware of risks such as phishing and email-based attacks, and search engine poisoning and other web-based attacks. Security awareness training adds an important layer of protection and helps to improve human defenses, which is vital as the majority of cyberattacks are the result of human error.
TitanHQ can help improve security through its portfolio of cybersecurity solutions which include SpamTitan Email Security, WebTitan Web Filtering, and the SafeTitan Security Awareness Training and Phishing Simulation platform. For more information, to arrange a product demonstration, or to register for a free trial with full product support, give the TitanHQ team a call today.