Cybercriminals are always looking for ways to exploit vulnerabilities, but now they’ve got a new tactic – search engine optimization.
What does SEO have to do with cyberattacks? Hackers are now using SEO techniques to rank exploited websites before deploying their payloads. Their goal is to get the exploited websites to the top of search results to capture as many victims as possible.
SEO is a legitimate practice being co-opted by criminals
Search engine optimization (SEO) is a legitimate practice that uses various techniques to improve a web page’s ranking in the search engines. Its components include PPC ads, link building, content marketing, and optimizing the technical aspects of a website.
People already use black hat tactics to gain an advantage in the search engines, so it’s no surprise that cybercriminals have found a way to exploit SEO for nefarious purposes.
According to security experts at Sophos, cybercriminals are using SEO to rank websites to deploy a banking Trojan known as Gootkit. This particular Trojan has been targeting banks and other financial websites for more than five years. Now, the criminals behind the Trojan are using black hat SEO tactics to catapult compromised websites to the top of search results.
How the Gootkit Trojan is deployed on compromised websites
A website compromised with the Gootkit Trojan displays what looks like a discussion forum where a user appears to have posted a link to the information the visitor was searching for. The anchor text matches the visitor’s search phrase verbatim.
When the visitor clicks on the link, a .zip file is downloaded to their device. That .zip file contains a .js file. When the user double-clicks the .js file, the malicious script runs from the computer’s memory, which makes it nearly impossible to get rid of using standard anti-virus software. The .js file then calls out to other malicious payloads.
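The delivery chain described above (a downloaded .zip whose payload is a .js file the user double-clicks) can be checked for at a download or mail gateway. The following Python is an added example, not code from Sophos or from the original article; the function names, the block/review/allow policy and the script extensions other than .js are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows Script Host runs on double-click. The article names only
# .js; the rest are an assumption added to generalise the check.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def inspect(zip_bytes):
    """Return (verdict, script_names) for a downloaded archive.

    Verdicts (an assumed policy): 'block' when every file in the archive is a
    script, 'review' when scripts are mixed with other files or the archive
    cannot be parsed, 'allow' when no script is present.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            files = [i.filename for i in archive.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "review", []  # unreadable archive: never pass it silently
    hits = [
        name for name in files
        # Windows ignores trailing dots and spaces, so strip them before matching.
        if PurePosixPath(name.lower().rstrip(" .")).suffix in SCRIPT_EXTENSIONS
    ]
    if not hits:
        return "allow", []
    return ("block" if len(hits) == len(files) else "review"), hits


def build_zip(members):
    """Build an in-memory archive from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed samples, harmless placeholder content
        "lure": build_zip({"free_invoice_template.js": b"// placeholder"}),
        "mixed": build_zip({"readme.txt": b"docs", "lib/app.JS": b"// placeholder"}),
        "clean": build_zip({"report.txt": b"quarterly numbers"}),
        "corrupt": b"not a zip archive",
    }
    for label, data in samples.items():
        print(label, inspect(data))
```

The same verdicts can feed a quarantine rule, and changing the default program for .js files to a text editor on user workstations removes the double-click execution step entirely.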
This is bad news for businesses for two reasons. First, it takes time and money to restore a compromised website. Second, even if the site is restored, the damage will be far-reaching.
Black hat SEO tactics can get an entire domain name blacklisted from Google, regardless of whether the tactics were performed by a hacker. However, business owners don’t have to fall victim to one of these attacks.
How businesses can protect against the Gootkit Trojan
Although hackers have a reputation for being slick and smart, they’re just good at exploiting existing vulnerabilities and/or using stolen credentials to log into a website. That’s why it’s easy to protect against the Gootkit Trojan.
Here’s what you can do to protect your business from falling into this trap.
1. Keep your content management system updated
Chances are, your website runs on a dynamic content management system (CMS) like WordPress. No matter what CMS you use, keep your software updated and install all patches. Outdated software is an invitation for a breach.
The moment you get a notice that an update is available, install the update whether it’s for your core CMS files or a plugin. When a patch is released, have a developer install the patch for you to ensure it’s done properly. Patches are released to fix known vulnerabilities, so it’s critical not to skip the patches.
2. Never share or publish passwords
The strongest password is the weakest link when it’s shared with another person or carelessly sent over the internet unencrypted.
Make sure to create an individual username and password for each user who must access your website. Don’t allow employees to share login credentials. Also, your security policy should prohibit sending passwords in plain text through email, chat, or text message. If a password must be sent over the internet, it needs to be encrypted end-to-end and decrypted by the recipient. It’s also critical to encrypt passwords stored in a database.
3. Get a malware scanning service
Your web host probably has a malware scanning service. Consider signing up for the service. You might get nothing but green checkmarks for two years, but one day, if your site gets infected, you’ll be glad you have the service.
A malware scanning service is the fastest way to find out if your site has been compromised. The sooner you find out, the faster you can isolate the problem and stop it before too much damage is done.
Cybercriminals are getting creative
It’s no surprise that cybercriminals have found a way to exploit SEO for their illegal gains. They get smarter with every passing day. Businesses need to beef up their cybersecurity game. Cybercrime won’t end anytime soon, and there’s no way to predict who will be the next victim.