top of page
Dec 29, 20223 min read

Are Hackers Hijacking Your Google Searches?



Growing up with Google we have been hardwired to believe top searches = best results, and the bad guys know it.


Happy Thursday nerds, it's a great day to talk about cyber crime! As our digital environments grow so do our attack surfaces, meaning the more places bad guys have to do evil stuff. The only way to really protect yourself is keeping your ear to the ground on what evil is up to and how to protect against it. Today we are going to talk about SEO poisoning and Google Ad hijacking, emerging attack methods that threat actors are using to get into your Google searches.





What exactly is SEO poisoning?

To understand SEO poisoning we must first understand what SEO is. SEO stands for Search Engine Optimization and in it's most simple form is a way for Google (or any search engine) to connect users keywords to a website that contains those keywords. Search engines can't see images, or really understand context but what they can do it pair keywords. Have you ever typed "whatever recipe" into google and all of the top generated searches give a full blown biography prior to getting the 6 steps you needed to make those "so simple cookies"? That's SEO at work and though may be annoying, is not particularly malicious.






SEO Poisoning however, is a method used by threat actors who lure victims to a fake web page. Once on the fake page the user is prompted to download something, provide information, or both. The bad guys create a spoofed (similar or almost identical to legit page) website and leverage keywords to manipulate the search engine into displaying their page in the top ranking and that "oh so simple cookie" recipe now comes with a "download" button primed with some not so sweet malware. A similar method that has been gaining popularity and being leveraged with SEO poisoning is Google Ad abuse. Unfortunately due to some odd policies in Google Ad setup an evil user can get their link to the top of the search results and also manipulate their Ad during setup display legitimate URLs even thought the link will redirect the user to spoofed site.



 

Real Time Example

Here is a campaign that is actually going on right now (as of Dec29 2022 that is)...

In tandem with the core of SEO poisoning threat actors have developed a full blown malvertising (get it...malware advertising?) campaign being called MasquerAds via Google Ads targeting users searching for popular software. Think about it, when you are going to look for software how often do you type in w...w...w...(dot) software name.../download....so on and so on?


Typically we just type the name of the software, or something close to it into Google and let the search engine whisk us away to the software download page. Well the bad guys know this and are using it to their advantage creating fake sites to mimic legit brands and software. In this campaign AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Zoom and a handful of others have been seen impersonated. Notice any household names? I sure do! The attack vector path looks something like this...



User Googles "Zoom download"

Top result Ad pops a benign site that looks like the real thing.

User trust leads them to click on link.

User is redirected to malicious site.

Legit looking spoofed Zoom page displays download button.

User downloads the ick, unaware they are on a malicious site.


no good..





Search Safely

So are we doomed? Should we throw search engines in the garbage? Run away and live in the woods? Not so fast, there are a few ways you can make your search engine interaction safer.

  1. First off, rewire your brain, top search result trust is dead.

  2. Don't follow Ads...there is too much room for manipulation so I would say no Ad links, ever.

  3. Know the legit URL you are looking for and when possible just go directly to that URL instead of a search engine.

  4. Slow down, when we rush we tend to look over the little things. If you slow down and pay attention to the site url you may be able to catch the criminals fingerprint. targt.com and target.com look similar when you're moving too fast to notice.

So what do you think about your search engine hygiene? Do you practice safe searching? Think you may start? What are some other ways we can strengthen our day to day security?

I'd love to hear your thoughts in the comments!





Sources,










Comments

bottom of page