Google Search SEO Poisoning: New Level for Banking Trojans

Hackers are using SEO poisoning as a novel approach for spreading banking malware and trojans instead of relying on old-school techniques.

The Zeus-Panda group decided to leverage high ranking Google SERP (Search Engine Results Pages) websites to deliver their trojans. By inserting specific online banking and personal finances keywords into new pages or existing pages of hacked websites, attackers bump up questionable pages to the top of Google search results.

For example, if a person is searching for “al rajhi bank working hours in ramadan”, they would see at the top of the search results, pages with compromised content.

google seo poisoning security news

google seo poisoning security news

Security firm Talos Intelligence is responsible for exposing this SEO poisoning attack.

Since the Zeus Panda distribution mechanism is non traditional, utilizing compromised websites to deliver malware instead of traditional methods, it is more effective. Users trust websites that have hight ranking on Google, effectively leading to higher conversion rates to the attackers.

The firm presented some of the keywords targeted by the attackers:

    “nordea sweden bank account number”
    “al rajhi bank working hours during ramadan”
    “how many digits in karur vysya bank account number”
    “free online books for bank clerk exam”
    “how to cancel a cheque commonwealth bank”
    “salary slip format in excel with formula free download”
    “bank of baroda account balance check”
    “bank guarantee format mt760”
    “free online books for bank clerk exam”
    “sbi bank recurring deposit form”
    “axis bank mobile banking download link”

Infection Stages of SEO Poisoning Zeus Panda

When the user clicks a compromised link, a malicious JavaScript will run quietly in the background.

After a series of websites redirects until the last website downloads an infection MS Word Document (follow this link for an earlier post about a similar attack)

Google SEO poisoning in action

Then the user (victim) is prompted to Enable Content and Enable Editing, effectively leading to the execution of of malicious macros. Those macros execute a P32 executable to infect the whole system.

How to Protect yourself against SEO Poisoning delivered malware?

According to security firm Cisco Talos Intelligence:

“The threat landscape is constantly evolving and threat actors are continually looking for new attack vectors to target their victims. Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think twice before clicking a link, opening an attachment or even blinding trusting the results of a Google search.

From Security News to website owners: Continuously scan your websites for malicious content to protect your visitors and your SEO rankings.


Mohamad El Hout, MBA, M.Eng., CISSP

Mohamad is an entrepreneur and a Senior Security Consultant dealing with the design and delivery of standard and complex security gateway solutions, covering a wide range of cutting edge technologies. His interests include business, technology, leadership, sports, and the continuous pursuit of knowledge.

%d bloggers like this: