Users inadvertently fall into fraudulent or unreliable sites
Experts in digital forensics report the emergence of a search engine optimization (SEO) pollution campaign directed against keywords associated with the midterm elections in the United States. Users who are lured into visiting these pages are redirected to a variety of fraudulent sites, adult content sites, and sites that promote undesirable software.
SEO pollution occurs when attackers create malicious sites or hack legitimate sites to generate pages that promote certain keywords. These pages are then linked from a large number of sites under the attacker’s control to obtain high rankings in the search engine results for the promoted keywords. Visitors to these sites encounter fraudulent ads or are redirected to other sites that promote unwanted software or infect users via exploit kits.
A report published by a cyber security and digital forensics firm describes how attackers have hacked more than 10k websites to promote 15k different keywords. This research indicates that the vast majority of the sites involved in this pollution campaign are running WordPress, although it is unknown what vulnerabilities are being exploited to compromise these sites.
As midterm elections in the United States approach, hackers try to take advantage of the topic-related keywords to lure users into their malicious sites.
According to the researchers, these pages show different content depending on who is visiting. When a search engine spider visits the page, it finds content designed to poison the search results, while normal users are sent through a series of redirects that eventually take them to scam pages, adult websites, unwanted browser extensions, or exploit kits.
One example of a page pushed by this campaign was a fake Java update page. The program it promoted would install a mining Trojan on the affected user’s computer.
The campaign also targets search results for ransomware-related keywords
Specialists report that they found this campaign after discovering various sites advertising tools that supposedly decrypt, for free, files encrypted by ransomware.
Some examples of the keywords poisoned in this campaign are:
- rapid ransomware removal
- Decrypt crypted000007
- Ransomware recovery
- Ransomware extensions list
According to reports from digital forensics experts at the International Institute of Cyber Security, the URLs of the sites associated with this type of campaign can be identified, since they keep a structure similar to [domain name]/[random content]/[random].php?[random_]=[keyword]
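The URL structure above can be turned into a triage heuristic for a site owner's own access logs or crawl output. The following is an added example, not code from the report or the researchers; the function names, the definition of what counts as a "keyword" value, and the sample URLs are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a promoted keyword is 2+ words joined by space, '+', '-' or '_'.
KEYWORD_RE = re.compile(r"^[A-Za-z0-9]+(?:[ +_\-][A-Za-z0-9]+)+$")
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_\-]+$")

def match_doorway(url):
    """Return the promoted keyword if url fits the reported shape, else None."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Exactly two path segments: [random content]/[random].php
    if len(segments) != 2 or not segments[1].lower().endswith(".php"):
        return None
    if not SEGMENT_RE.match(segments[0]) or not SEGMENT_RE.match(segments[1][:-4]):
        return None
    # Exactly one query parameter: [random_]=[keyword]
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 1:
        return None
    _name, value = params[0]  # parameter name is arbitrary, so it is ignored
    value = value.strip()
    if not KEYWORD_RE.match(value):
        return None  # e.g. a numeric id, not a search phrase
    return value.lower()

def scan(urls):
    """Group matching URLs by host: {host: sorted list of keywords}."""
    hits = {}
    for url in urls:
        keyword = match_doorway(url)
        if keyword:
            hits.setdefault(urlsplit(url).hostname, set()).add(keyword)
    return {host: sorted(kws) for host, kws in hits.items()}

# Constructed sample URLs (example.* hosts, invented paths), not from the report.
SAMPLE = [
    "http://blog.example.com/wp-content/plugins/seo/readme.txt",
    "http://blog.example.com/qzkvu/xrtpl.php?hwgq_=rapid-ransomware-removal",
    "http://blog.example.com/qzkvu/mmbde.php?tcy_=ransomware+extensions+list",
    "http://shop.example.org/index.php?id=42",
    "http://shop.example.org/cart/view.php?item=1234",
]

if __name__ == "__main__":
    for host, keywords in scan(SAMPLE).items():
        print(host, keywords)
```

A match is a lead for review, not proof of compromise: legitimate two-level PHP URLs with a phrase-valued parameter will also match, so confirm by checking whether the file is one the site owner actually deployed.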