Saturday, December 7, 2024
HomeCyber CrimeCybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

Published on

SIEM as a Service

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious e-commerce websites, leveraging multiple SEO malware families to achieve their goal.

Three distinct threat actor groups were identified, each employing a unique malware family, with one group utilizing multiple families. One malware family’s C&C servers shared limited e-commerce site sets, differentiating it from others with independent lists. 

The proliferation of fraudulent e-commerce sites, particularly in Japan, poses a growing threat, as sites designed to deceive and exploit users have seen a significant surge in 2023, leading to increased financial losses and compromised personal information.

- Advertisement - SIEM as a Service

Threat actors deploy SEO malware on compromised websites to manipulate search engine rankings by injecting malicious code into legitimate sites, redirecting unsuspecting users to fraudulent e-commerce platforms for potential financial gain. 

When websites are compromised, these search engine optimization malwares are installed on those websites in order to intercept web server requests and return malicious content. 

By doing so, threat actors can send a crafted sitemap to search engines and index-generated lure pages, which contaminates the search results, making the URLs of compromised websites appear in searches for product names they do not actually handle.

 SEO Poisoning Attack
Entity connections to create a Maltego graph for link analysis

SEO malware exploits search engine rankings by manipulating search results and redirects users to malicious websites, often disguised as legitimate e-commerce sites, through techniques like the Japanese keyword hack.

The study analyzed 227,828 fake e-commerce sites linked to six SEO malware families, collected from 1,242 C&C servers, and to mitigate this blackhat SEO threat, the researchers enhanced their Web Reputation System (WRS) to block these malicious sites. 

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Using Maltego, Trend Micro analyzed the relationships between different threat actors and malware families by identifying four link types to construct a Maltego graph, revealing a potential scenario where three distinct threat actor groups employ unique malware families, while one group leverages multiple malware families.

 SEO Poisoning Attack
Maltego graph within the dataset of the groups (red circles) and subgroups (blue circles).

It revealed that malware variants A, C, D, E, and F operated independently, each managing its own set of fake shopping sites on separate C&C servers, while malware B utilized shared lists of large-scale fake shopping sites across multiple C&C servers. 

E-commerce users should be vigilant against fraudulent shopping sites by scrutinizing URLs for uncommon domains and flagging suspiciously low prices compared to market norms.

Discount marketplaces and niche e-commerce platforms are selling a diverse range of products, including counterfeits of major brands, often bypassing traditional retail channels and leveraging less-known online platforms to reach consumers.

Specialty stores misrepresenting their product range and providing inaccurate company information, potentially engaging in deceptive business practices.

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.

Varshini
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...