Information drives the global economy today. As a result, many businesses rely on search engine optimization (SEO) techniques to improve their organic rankings on Google and other search engines, and ultimately drive customers to their websites.
Some of the most common SEO tactics include cross-linking between different pages on an organization’s website, using metadata tags, and incorporating keyword optimization into web posts.
However, not all SEO activities are honest. A subset known as “blackhat SEO” refers to dishonest techniques employed by sites that want to increase their search engine rankings.
Two of the most popular of these tactics involve using hidden keywords on a page and implementing a method known as “cloaking,” which displays a different page depending on whether a human visitor or a search engine is viewing the website.
Site administrators have different motivations for relying on blackhat SEO techniques. Sometimes, these activities are meant to drive visitors to malicious websites, where the attackers can then prompt users to install unnecessary or corrupted files – such is the case with a recent blackhat SEO campaign spotted by Heimdal Security.
According to a blog post on Heimdal’s site, a group of attackers is using compromised web pages and “dozens of script injections” to land unknowing visitors on infected sites and serve them malicious files for download.
The attack begins when users look up a number of popular keywords, including “Java JRE,” “MSN 7,” and “Windows 8.” These keywords account for hundreds of thousands of searches each month. In this particular blackhat SEO campaign, they also bring up a number of web pages that have been infected with malicious code to spread malware to unsuspecting users.
Some of the compromised pages include the following:
- http://www.mypromediastoreone [.]com/00002954/download.php?id=2954&sid=sb-110&name=Java+Runtime+Environment+Windows+8+64+Bit
- http://www.mymediasearchnowone [.]com/000000002954/download.php?id=2954&sid=sb-110&name=Java+Runtime+Environment+Windows+8+64+Bit
- http://www.smartmediafinderone [.]com/02954/download.php?id=2954&sid=sb-110&name=Java+Runtime+Environment+Windows+8+64+Bit
A more comprehensive list can be viewed in the image below.
“On these pages, the victim is lured through social engineering techniques to install a Java JRE package,” Heimdal explains in its post. These samples are corrupted with malware.
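The three URLs listed above share one structure: a zero-padded directory whose number equals the `id` parameter, followed by `download.php` with `sid` and `name` parameters. The Python sketch below is an added example, not code from Heimdal or the original post. It turns that observation into a proxy-log check. The heuristic, the log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path shape seen in the listed URLs: /<zero-padded number>/download.php
_PATH = re.compile(r"^/(0\d+)/download\.php$")

def refang(url: str) -> str:
    """Undo the ' [.]' defanging used in the article so the URL parses."""
    return re.sub(r"\s*\[\.\]\s*", ".", url.strip())

def matches_campaign_pattern(url: str) -> bool:
    """Assumed heuristic, derived only from the article's three URLs:
    the padded directory number equals `id`, and `sid` and `name` exist."""
    parts = urlsplit(refang(url))
    m = _PATH.match(parts.path)
    if not m:
        return False
    q = parse_qs(parts.query)
    ids = q.get("id", [])
    if len(ids) != 1 or not ids[0].isdigit():
        return False
    if "sid" not in q or "name" not in q:
        return False
    return int(m.group(1)) == int(ids[0])

def flag_requests(log_lines):
    """Return URLs that match, from lines shaped '<timestamp> <client> <url>'
    (a constructed log format, not a specific product's)."""
    hits = []
    for line in log_lines:
        fields = line.split(maxsplit=2)
        if len(fields) == 3 and matches_campaign_pattern(fields[2]):
            hits.append(fields[2])
    return hits

# Constructed proxy log lines; hosts and values are made up for this example.
SAMPLE_LOG = [
    "2020-01-01T09:14:02Z 10.0.0.5 http://dl.example.test/0004711/download.php?id=4711&sid=ab-1&name=Some+Installer",
    "2020-01-01T09:14:09Z 10.0.0.7 http://files.example.test/pub/download.php?id=12",
    "2020-01-01T09:15:30Z 10.0.0.5 http://dl.example.test/0009999/download.php?id=4711&sid=ab-1&name=Some+Installer",
]

if __name__ == "__main__":
    for url in flag_requests(SAMPLE_LOG):
        print("suspicious:", url)
```

Only the first sample line is flagged: the second lacks the padded directory and the extra parameters, and the third has a directory number that does not match its `id`.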
Heimdal goes on to note that the attackers behind this blackhat SEO campaign are also busy with another attack: directing users to pornographic websites that serve them malicious code.
This attack is carried out using the Angler Exploit Kit, an evasive distributor of malware that was recently targeted by Cisco Security researchers in an attempt to reduce the number of ransomware infections on the web today.
Heimdal has contacted Google’s security team with the expectation that it will remove the malicious web pages from its search results soon. In the meantime, users are urged to install an antivirus solution on their computers and to never download software from unreliable sources.