Surge in Malware Downloads Driven by SEO-Based Techniques 

Attackers are using search engine optimization (SEO) techniques to improve the ranking of malicious PDF files on search engines including Google and Microsoft’s Bing, according to a Netskope report

The findings indicated that cybercriminals are leveraging various social engineering techniques—including SEO—and different Trojan families, including those delivered via PDF, to target victims more effectively.

The report found Trojans accounted for 77% of all cloud and web malware downloads, used to gain an initial foothold and to deliver a variety of next-stage payloads, including backdoors, infostealers and ransomware.

Ray Canzanese, director of Netskope Threat Labs, said the most concerning finding is the malware being spread via major search engine results, adding that phishing downloads are on the rise.

“This is a relatively new and uncommon malware delivery vector that people are less familiar with; therefore, they’re more likely to fall victim to it,” he said. “We do a lot of training around email, text and social media.  But not so much with search engine results. Users might be more likely to have their guard down.”

SEO Targets Users When Their Guard is Down

He said for a phishing attack or scam to be successful, you must be able to reach your victims and, if you reach them somewhere where their guard is down, they might be more likely to fall for the attack.

“This PDF-plus-SEO technique is exactly that—a way in which attackers have demonstrated success in reaching users when their guard is likely down because they are actively seeking out information,” he said. 

Canzanese pointed to two key solutions: First, educate users that this is happening. Users should be extra careful when clicking on PDFs in search engine results.

“If the PDF contains what looks like a CAPTCHA, it is probably a phishing attack or scam,” he said.

Second, put technical controls in place. A web security solution that inspects all web traffic will be able to intercept and block this type of attack. He added that attackers will continue to adapt and find new ways to reach their victims—the rise of the SEO PDF attack is just one example.

“At the same time, we saw a decrease in the number of malicious Office file downloads, as new security controls introduced by both Google and Microsoft made it more difficult for attackers to launch successful attacks using those platforms,” Canzanese explained. 

Nearly half (47%) of malware downloads originated from cloud apps compared to 53% from traditional websites, as attackers continued to use a combination of both cloud and web to target their victims.

Most malware downloads originated from servers located within the same regions as their victims, as attackers stage their malware throughout the world to evade geofences.

Cybercriminals: The Next Big Business

Patrick Harr, CEO at SlashNext, an anti-phishing company, said cybercriminals work much like any traditional corporation, offering employee benefits, taking weekends off and optimizing their productivity to be more successful.

“The most concerning element of this survey is cybercriminals’ improved tactics, in general,” he said. “They are organized and use all the latest technology to be more successful, including SEO, trusted services, machine learning and automation tools.”

He explained that optimizing search engines to improve results using SEO is a key component of improving the visibility of a product or service, and for a cybercriminal, their product is phishing, malware or rogue software.

“It’s no surprise this is happening. For this to be successful, the malicious URLs need to be obfuscated so the search engines cannot see they’re malicious,” Harr said. “This is why we have seen a large increase in the use of trusted cloud services to hide malicious URLs.”

Broken Trust

He explained that security technology that uses domain reputation URL rewriting and trust graphs will not be able to detect these types of malicious URLs that are hiding on trusted services.

Harr said SlashNext has seen a 200% increase in trusted domains used to deliver malicious attacks because these tactics have been very successful for cybercriminals; most security technology has not caught up to these types of attacks.

He added the use of AI-powered security services that use computer vision and real-time scanning will find these types of techniques and using these security services in the browser will help keep an organization’s employees safe.

Savio Lau, staff security intelligence researcher at Lookout, a security service edge (SSE) provider, said the most concerning finding is the use of SEO to target victims.

“Most people trust the results given by search engines, so they don’t pay as much attention to comparing the links they receive from other means,” he said. “This also explains why attackers are turning to SEO techniques to improve their effectiveness.”

This exemplifies how attackers use trusted sources or data points against victims to increase the effectiveness of their malicious campaigns.

“Security teams need to be vigilant about the latest attack trends and remove the attack surface, such as having a security solution to detect these attacks and limit the file types allowed,” he added. “It is also important to educate users about the dangers of online materials—even if the results are from a search engine. Even as attack techniques change, educated users are still less likely to fall victim to attacks.”

He added that one particularly interesting data point is the success of changes made in Microsoft Office that were put in place to limit attacks that leveraged malicious Office documents. After these changes, cyberattackers shifted their approach to use other available methods, he said.

“We have already seen attackers change their tactics and shift to using PDFs as part of these attacks rather than Word documents or spreadsheets,” Lau said. “Both attackers and defenders continue to adapt their tactics as security improves and new vulnerabilities and tactics are discovered.” 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 288 posts and counting.See all posts by nathan-eddy