Cybercriminals are exploiting search engine optimization (SEO) to deliver malicious payloads to as many systems as they can, ZDNet reported. The delivery framework is called Gootloader, and it combines compromised websites, manipulated search rankings and social engineering to lure victims into downloading its payloads.
Website owners use SEO to organically improve their rankings on search engines such as Google. Attackers are now turning the same technique against them: by tampering with the content management systems (CMS) that websites run on, they make compromised pages rank for chosen search queries and use those pages to deliver malware.
The payloads include financial malware, exploitation tools and ransomware. Gootloader is the infection framework behind the Gootkit Remote Access Trojan (RAT); once a website is compromised it is used to push a variety of malware payloads to the visiting system.
In effect, the attackers hijack the search rankings of the target websites by manipulating content served through the CMS. Some of the most popular CMS platforms are WordPress, Joomla and Drupal. Gootloader targets the CMS, and control of the CMS gives the attackers control of the website.
ZDNet noted that this operation depends on a large infrastructure of 400 or more servers, which require constant maintenance.
Security researchers noted that no specific exploit used to compromise the websites has been identified. In their assessment, experts theorize that the attackers could have taken over the CMS through malware, unauthorized access, stolen credentials or brute-force attacks.
Access to the CMS lets the attackers inject lines of code into the content body, that is, the written text posted on the website. The attack then relies on users reaching the page that carries the compromised content.
The hackers also perform checks to make sure that visitors are targets of interest, using the visitor's IP address and location data. The search query that brought the visitor to the website and page is also taken into consideration.
When their CMS and website are infected by Gootloader, webmasters may see an increase in traffic and improved search engine rankings, because the attack manipulates the site so that it responds to specific search queries.
According to researchers at Sophos, the attackers make “subtle” changes to the sites to “rewrite how the contents of the website are presented to certain visitors.”
“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic.”
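The visitor gating described above (first visit from the IP, target location, search query matching the bait topic) is what makes this kind of cloaking hard to spot with a single fetch. The following Python model is an added example written for this page; it is not Gootloader's code and not taken from the Sophos or ZDNet reports. The keyword list, country list, search-engine hostnames and IP addresses are constructed assumptions for illustration only.

```python
"""Model of a server-side visitor gate used by SEO-poisoning cloaking.

Added example (not the malware's code): shows why a repeat visit, a direct
visit, or a visit from outside the target region is served the legitimate
page, and why a naive scanner that fetches once from one IP sees nothing.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Constructed assumptions for the example, not indicators from the report.
TARGET_TERMS = {"agreement", "contract", "template"}   # bait topic
TARGET_COUNTRIES = {"US", "CA", "GB", "DE"}            # regions of interest
SEARCH_HOSTS = ("google.com", "bing.com")              # referrers that count


@dataclass
class Visitor:
    ip: str
    country: str
    referrer: str  # HTTP Referer header, "" for a direct visit


@dataclass
class Gate:
    # IPs that have already fetched the page, whether or not they were cloaked
    seen_ips: set = field(default_factory=set)

    @staticmethod
    def search_terms(referrer: str) -> set:
        """Return the query terms if the referrer is a search results page."""
        u = urlparse(referrer)
        if not u.netloc.endswith(SEARCH_HOSTS):
            return set()
        query = parse_qs(u.query).get("q", [""])[0]
        return set(query.lower().split())

    def should_cloak(self, v: Visitor) -> bool:
        """All three conditions from the description must hold."""
        if v.ip in self.seen_ips:                       # no previous visit
            return False
        if v.country not in TARGET_COUNTRIES:           # location check
            return False
        if not (self.search_terms(v.referrer) & TARGET_TERMS):  # query check
            return False
        return True

    def serve(self, v: Visitor) -> str:
        """Decide the response, then record the IP so repeats get the real page."""
        cloak = self.should_cloak(v)
        self.seen_ips.add(v.ip)
        return "fake_forum" if cloak else "legit_page"


def naive_scan(gate: Gate, scanner_ip: str, country: str = "US") -> tuple:
    """A scanner that fetches directly first, then with a search referrer.

    The direct fetch burns the IP, so the referred fetch is also served the
    legitimate page. Scanning must start with a search referrer from a fresh
    IP to see the cloaked content.
    """
    direct = gate.serve(Visitor(scanner_ip, country, ""))
    referred = gate.serve(Visitor(
        scanner_ip, country,
        "https://www.google.com/search?q=contract+template"))
    return direct, referred


if __name__ == "__main__":
    g = Gate()
    first = Visitor("203.0.113.5", "US",
                    "https://www.google.com/search?q=free+contract+template")
    print(g.serve(first))   # fake_forum
    print(g.serve(first))   # legit_page, same IP again
    print(naive_scan(Gate(), "198.51.100.9"))  # ('legit_page', 'legit_page')
```

The practical consequence for anyone checking a site: fetch the suspect page with a search-engine referrer carrying the bait terms, from an IP and location the site has not seen, before any other request from that address, and compare the response to a direct fetch. Page-integrity checks on the CMS side (diffing stored post content against what the server actually renders) sidestep the gate entirely, since the injected code lives in the CMS content body.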