Search Attack Leads to Compromised Sites

Thursday, August 4, 2016 @ 04:08 PM gHale


An attack is abusing Google search's featured snippets to show links to compromised websites that can redirect users to online scams or even to exploit kits spreading ransomware.

The campaign relies on attackers identifying websites listed in “featured snippets,” a Google feature that shows answers to common user questions, said researchers at Malwarebytes.

Most of these links lead to safe websites such as Wikipedia, but in some cases they also point to personal blogs or news sites.

In an active campaign detected by Jerome Segura of Malwarebytes, attackers were redirecting users from a featured snippet for a Hungarian site to an online store where they were selling product keys for Microsoft Office.

A user who sensed something was wrong after clicking on one domain and ending up on another, and who then accessed the Hungarian site, would be redirected to a page hosting the Neutrino exploit kit, which in turn would infect them with the CryptMIC ransomware.

Hackers were able to trick Google’s search engine into classifying the original website, a sports-related portal, as the best answer for an Office-related question, meaning Google has two problems instead of one.

Gaming SEO results isn’t something new by any means, but you’d expect this to happen with regular search results, not featured snippets.