Spread of Ransomware Through SEO Poisoning

SEO poisoning or search poisoning is a cybercrime strategy that hackers use to lure visitors to malicious sites by using search engine optimization tactics that make the sites appear high in search engine rankings.

The sites are associated with popular keywords that a lot of people search for to maximize traffic to the malicious sites. Since the sites appear high in search results, people assume they’re legit and click on them in high numbers.

SEO poisoning has been on the rise in recent months, with two notable attacks on Menlo Security’s global customer base. Researchers think the first one was meant to distribute a REvil ransomware sample, while the second one was meant to drop a backdoor, allowing the attackers to access the victim’s computer without their knowledge.

Has your site also been a victim of cybercrime? LIFARS is here to help. With offices in NYC and Europe, we can deploy our team virtually anywhere in the world. For mission-critical systems, LIFARS implements effective remote cyber incident response by deploying a cyber-attack response team to the local enterprise environment. The LIFARS digital forensics process then laterally engages affected systems and potentially compromised endpoints in the network with high speed and precision.

Lately, more of these attacks seem to target consumers instead of organizations. The reasoning behind this appears to be that hackers are looking to capitalize on the recent work-from-home trend resulting from the pandemic, where the line between personal and business devices has become less apparent.

The way cybercriminals lure people onto these websites is by compromising a vulnerable legitimate website and adding popular keywords to its content, so that it ranks high in search results.

In the cases studied by Menlo Security, the victims were then led to a malicious PDF document, leading to their system becoming infected with the backdoor.

The infected websites came from all over the world, mainly from the US, but also from countries such as Iran and Turkey.

SEO poisoning is a very effective tactic, as Vinay Pidathala found that 42% of people who searched for those terms ended up clicking on sites infected with the malicious PDF, resulting in their device becoming infected.

Researchers also found that all compromised websites used WordPress and a plugin called Formidable Forms. The hackers exploited a vulnerability in the plugin and used it to upload the PDF onto the website.

They also utilized an old evasion technique: very large payloads. The largest one researchers were able to find was 123 MB. Anti-malware tools usually have a size limit on what they analyze, so the hackers were able to sneak the large payloads past the security tools.
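The two findings above (PDF lures dropped through a form plugin's upload path, and payloads sized to exceed an anti-malware scan cap) suggest a simple check a site owner can run over the uploads tree. The script below is an added illustration, not code from Menlo Security or LIFARS; the 100 MB scan cap, the `formidable` directory name and the sample files are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Assumed scan cap: the article notes AV tools skip oversized files, and the
# largest payload it mentions was 123 MB, so 100 MB is a constructed threshold.
AV_SCAN_CAP_BYTES = 100 * 1024 * 1024
PDF_MAGIC = b"%PDF-"
# Assumed: directory name the form plugin uses under wp-content/uploads.
FORM_UPLOAD_DIR = "formidable"


def audit_uploads(root, scan_cap=AV_SCAN_CAP_BYTES):
    """Return [(relative_path, size_bytes, [reasons])] for suspicious files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        size = path.stat().st_size
        with path.open("rb") as fh:
            head = fh.read(len(PDF_MAGIC))  # check content, not the extension
        reasons = []
        if size > scan_cap:
            reasons.append("exceeds AV scan cap")
        is_pdf = head == PDF_MAGIC
        if is_pdf and path.suffix.lower() != ".pdf":
            reasons.append("PDF content with non-PDF extension")
        if is_pdf and FORM_UPLOAD_DIR in path.parts:
            reasons.append("PDF inside form-upload directory")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), size, reasons))
    return findings


def build_sample_tree():
    """Constructed WordPress uploads tree for a stand-alone run (not real data)."""
    root = Path(tempfile.mkdtemp())
    up = root / "wp-content" / "uploads"
    (up / "2021").mkdir(parents=True)
    (up / FORM_UPLOAD_DIR).mkdir()
    (up / "2021" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")        # benign
    (up / "2021" / "photo.jpg").write_bytes(PDF_MAGIC + b"1.7 fake")    # disguised PDF
    (up / FORM_UPLOAD_DIR / "invoice.pdf").write_bytes(PDF_MAGIC + b"1.7 lure")
    with (up / "2021" / "archive.zip").open("wb") as fh:
        fh.truncate(123 * 1024 * 1024)  # sparse 123 MB file, uses no disk space
    return root


if __name__ == "__main__":
    for rel, size, why in audit_uploads(build_sample_tree()):
        print(f"{rel} ({size} bytes): {', '.join(why)}")
```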

To avoid these attacks, WordPress site owners are advised to update their version to 5.0.10 or later.