How to protect your organization against SEO poisoning and malvertising

Alongside traditional approaches like software vulnerabilities and misconfigurations in applications, hackers are constantly looking for new ways to get into devices and corporate networks. Two of the biggest growing threats are Search Engine Optimization (SEO) poisoning and Malvertising.

SEO Poisoning is where hackers lure victims to legitimate websites by populating them with content on topics of interest to potential victims. For example, Gootloader, an Initial-Access-as-a-Service operation, targets law professionals because they handle sensitive business data that can be extremely valuable. Hackers use Gootloader to get a foothold into an organization’s IT environment and then spread laterally through the entity’s IT network to implant ransomware or exfiltrate data.

By using Search Engine Optimization (SEO) poisoning to lure unsuspecting victims to an enormous array of compromised WordPress blogs, Gootloader tailors its victim pool to a subset of organizations most likely to pay a handsome ransom. Gootloader infects legal employees and other professionals by luring them to blogs, which are populated with content pertaining to “legal agreements” and “contracts”. When the employee visits the blog and downloads what appears to be a sample “legal agreement” or “contract,” they are actually downloading Gootloader.

Malvertising is digital advertising designed to appear legitimate but is actually malicious. These bogus ads promote popular technology packages such as Zoom, TeamViewer, or AnyDesk, or popular trending tech like ChatGPT. Searches for these software products lead to malicious Google ad placements located alongside legitimate results. If the users click on the wrong link, they are taken to what appears to be a legitimate landing page for the software. Upon downloading an attempting to install the alleged the software, users are actually downloading and executing malware — often Batloader, Nitrogen, or infostealers.

According to The Media Trust, more than three billion malicious ads were blocked in the past year. One of the most prevalent cybercrime operations utilizing malvertising is BatLoader. BatLoader, like Gootloader, is an Initial-Access-as-a-Service operation. BatLoader is a malware dropper and is known to infect victims with malware or malicious tools such as ISFB, SystemBC Remote Access Trojan (RAT), Redline Stealer, and Vidar Stealer. Once the BatLoader operators have successfully gotten a foothold into the victims’ IT network, they turn around and sell that access to other threat actors.

How to protect one’s organization from SEO poisoning and Malvertising attacks

Organizations need to ensure there is a company-wide focus on continuous Security Training. Many security teams will invest resources in educating staff but those sessions will take place once a year, while a third of companies provide no security training at all (according to Hornet Security). Further, most Security Awareness Training (SAT) is focused on identifying malicious email attachments — not browser-based attacks. Helping staff to recognize malvertising and hijacked websites can help prevent these types of cyberattacks from taking place.

To achieve this, include relevant examples within your SAT program, so that staff are aware of potential risks when they are browsing or searching for files. Also teaching employees to inspect the full URL before downloading files is important. If the site does not match the source — for example, Microsoft Teams should come from a Microsoft domain — users should stop and assess. Similarly, users should always inspect file extensions rather than trusting the filetype logo.

From a security perspective, industry best practices like running Endpoint Detection and Response (EDR) will help if someone downloads a suspicious file or accidentally visits a hacked site. By detecting and containing threats before they spread laterally, you can help ensure a breach has minimal impact. Alongside this, using Windows Attack Surface Reduction rules to block JavaScript and VBScript from launching downloaded content can also help prevent attacks from succeeding.

You should also ensure that you have a robust process for reporting potential security incidents. Employees should feel confident in reporting those issues without fearing immediate repercussions for mistakes. If they trust that they will be taken seriously and not chastised for their mistakes, they are more likely to flag problems before they become breaches.

Alongside these approaches, look at the reasons why staff are searching for free sample software applications in the first place. Do they have all the tools that they need to work with, or are they missing software? Do they know who to ask for a new service or application, and how to get it installed? Making it easier to get the software that your users need, with an internal portal or self-service approach, can help curb the practice of searching for free software applications that might be targeted.

Educating staff on the signs to look out for will reduce risk, while backing this training up with 24/7, real-time threat detection and response will certainly go a long way in stopping potential breaches.

Image credit: Andreus/

Keegan Keplinger is Senior Threat Researcher and Distinguished Security Professional, eSentire.

Recommended For You