Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious e-commerce websites, leveraging multiple SEO malware families to achieve their goal.

Three distinct threat actor groups were identified, each employing a unique malware family, with one group utilizing multiple families. One malware family’s C&C servers shared limited e-commerce site sets, differentiating it from others with independent lists. 

The proliferation of fraudulent e-commerce sites, particularly in Japan, poses a growing threat, as sites designed to deceive and exploit users have seen a significant surge in 2023, leading to increased financial losses and compromised personal information.

Threat actors deploy SEO malware on compromised websites to manipulate search engine rankings by injecting malicious code into legitimate sites, redirecting unsuspecting users to fraudulent e-commerce platforms for potential financial gain. 

When websites are compromised, these search engine optimization malwares are installed on those websites in order to intercept web server requests and return malicious content. 

By doing so, threat actors can send a crafted sitemap to search engines and index-generated lure pages, which contaminates the search results, making the URLs of compromised websites appear in searches for product names they do not actually handle.

SEO malware exploits search engine rankings by manipulating search results and redirects users to malicious websites, often disguised as legitimate e-commerce sites, through techniques like the Japanese keyword hack.

The study analyzed 227,828 fake e-commerce sites linked to six SEO malware families, collected from 1,242 C&C servers, and to mitigate this blackhat SEO threat, the researchers enhanced their Web Reputation System (WRS) to block these malicious sites. 

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Using Maltego, Trend Micro analyzed the relationships between different threat actors and malware families by identifying four link types to construct a Maltego graph, revealing a potential scenario where three distinct threat actor groups employ unique malware families, while one group leverages multiple malware families.

It revealed that malware variants A, C, D, E, and F operated independently, each managing its own set of fake shopping sites on separate C&C servers, while malware B utilized shared lists of large-scale fake shopping sites across multiple C&C servers. 

E-commerce users should be vigilant against fraudulent shopping sites by scrutinizing URLs for uncommon domains and flagging suspiciously low prices compared to market norms.

Discount marketplaces and niche e-commerce platforms are selling a diverse range of products, including counterfeits of major brands, often bypassing traditional retail channels and leveraging less-known online platforms to reach consumers.

Specialty stores misrepresenting their product range and providing inaccurate company information, potentially engaging in deceptive business practices.

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.