Dive Brief:
- Cybercriminals are using simple but enduring techniques for search engine optimization (SEO) to lure individuals to phishing scams and malware downloads, resulting in a sharp increase in attacks, according to a report released today from Netskope.
- The use of search engines to deliver malware produced a 450% increase in phishing downloads during the last year, Netskope found. The company's research is based on anonymous telemetry from a “few million” customers that were using its secure web gateway during the 12-month period ending on March 31, 2022.
- Individuals searching common keywords encountered malicious PDF files containing fake CAPTCHAs that redirected to phishing, spam, scam and malware sites.
Dive Insight:
The increase in phishing downloads was largely driven by SEO tactics that pushed malicious PDF files to top search result rankings on Google and Bing, according to Netskope.
“It’s a technique that’s been around for a long time, but it seems like somebody’s finally figured out the recipe,” said Ray Canzanese, threat research director at Netskope. “We usually don't see changes of that magnitude. Those only come when there's somebody who's really smart and persistent in trying to figure out how to weaponize these.”
Malware and phishing downloads can potentially expose enterprises' most sensitive data. These threats put business activities at risk by luring unsuspecting employees into sharing privileged information that can be used by cybercriminals to gain unauthorized access to critical infrastructure.
All of the malicious PDFs share a similar appearance, which suggests that one group or individual could be responsible for this campaign. Many commonly searched keywords appear on the third or fourth page of the malicious PDFs, according to Netskope.
The tactic isn’t groundbreaking, but the volume of malicious files and the persistence the threat actor showed in getting new content in front of prospective victims is a problem, Canzanese said. “We rarely see the same PDF from the same URL more than once.”
Many of the PDFs are stored on free website hosting services and replicated in multiple places in different languages. Netskope didn’t uncover a common theme, but rather a wide-ranging effort that’s indicative of a group or individual brokering for many clients.
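As an added illustration, not Netskope's tooling or any code from the report, the following triage heuristic applies the pattern described above to secure-web-gateway logs: it flags PDF downloads whose referrer is a search results page, and weights them higher when the file sits on a free hosting domain or the URL appears only once in the window. The log format, the sample lines and the free-hosting domain list are all constructed placeholders.

```python
"""Triage heuristic for SEO-poisoned PDF downloads (added example, constructed data)."""
import re
from collections import Counter
from urllib.parse import urlparse

SEARCH_ENGINES = {"www.google.com", "www.bing.com"}
# Assumed placeholder list of free hosting domains; not taken from the report.
FREE_HOSTING = {"freehost.example", "pages.example"}

# Constructed sample gateway log lines: timestamp user method url referrer content-type
SAMPLE_LOGS = """\
2022-03-01T10:00:01Z alice GET https://docs.corp.example/policy.pdf https://intranet.corp.example/ application/pdf
2022-03-01T10:02:17Z bob GET https://site1.freehost.example/free-template.pdf https://www.google.com/search?q=free+template application/pdf
2022-03-01T10:05:43Z carol GET https://site2.pages.example/guide.pdf https://www.bing.com/search?q=guide application/pdf
2022-03-01T10:07:09Z dave GET https://www.vendor.example/datasheet.pdf https://www.google.com/search?q=vendor application/pdf
2022-03-01T10:08:44Z frank GET https://www.vendor.example/datasheet.pdf https://www.google.com/search?q=vendor application/pdf
2022-03-01T10:09:30Z erin GET https://site3.freehost.example/index.html https://www.google.com/search?q=manual text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_logs(text):
    """Parse the space-separated constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, user, _method, url, referrer, ctype = m.groups()
            events.append({"user": user, "url": url, "referrer": referrer, "ctype": ctype})
    return events


def free_hosted(host):
    """True when the host is, or is a subdomain of, a listed free hosting domain."""
    return any(host == d or host.endswith("." + d) for d in FREE_HOSTING)


def flag_search_referred_pdfs(events):
    """Return [(score, url, reasons)] for PDFs reached from a search results page."""
    seen = Counter(e["url"] for e in events)
    flagged = {}
    for e in events:
        if e["ctype"] != "application/pdf":
            continue
        if urlparse(e["referrer"]).hostname not in SEARCH_ENGINES:
            continue
        reasons = ["pdf download referred by search engine"]
        if free_hosted(urlparse(e["url"]).hostname or ""):
            reasons.append("hosted on free hosting domain")
        if seen[e["url"]] == 1:  # one-off URLs match the 'never the same PDF twice' pattern
            reasons.append("url seen only once in window")
        flagged[e["url"]] = (len(reasons), e["url"], reasons)
    return sorted(flagged.values(), key=lambda r: (-r[0], r[1]))
```

A score of 1 (search-referred PDF from a well-known host that several users fetched) is ordinary browsing and should not page anyone; the one-off, free-hosted hits are the ones worth pulling the file for inspection.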
The company said it continually reports these discoveries to search engines and hosting sites to get the pages delisted and removed from search results. The prominence of detections on Google and Bing largely reflects Netskope customers’ preferred search engines and is not evidence of a campaign exclusively targeting the most popular search engines.
Google is the most-used search engine worldwide, accounting for 92% of search engine traffic, according to data from StatCounter. The next closest search engine, Bing, commands 3% of traffic. Cybersecurity Dive did not hear back from Google and Bing by publication time.