There are various ways hackers exploit websites. One method is to use search engine optimization (SEO) techniques to deliver malware to as many victims as possible.
Sophos reported that this SEO "deoptimization" combines a few SEO tricks with the abuse of human psychology to push compromised websites up Google's rankings.
SEO can be used by webmasters to properly increase the exposure of their website on search engines like Google, Bing, Ask, etc.
However, it has become clear some webmasters tweak their Content Management System (CMS) to serve some form of financial malware, exploits, and even ransomware.
In a blog post on Monday, the Sophos team said the technique, dubbed "Gootloader," deploys the infection framework for the Gootkit Remote Access Trojan (RAT), a malware that also delivers a variety of other malware payloads.
Using SEO in this way to deploy the Gootkit RAT is not a small operation: the researchers estimate that a network of at least 400 servers must be maintained at any given time for it to succeed.
In one infection scenario, the compromised site displays a fake forum post containing an apparent answer to the victim's search query, along with a direct download link.
In one example discussed by the Sophos team, the website of a legitimate neonatal clinic was compromised to show fake answers to questions relating to real estate.
Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file.
When the .js file executes, it runs in memory and decrypts obfuscated code that then calls other payloads.
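The download stage described above (an archive named after the search term that contains a .js file) can be checked for on the defender's side. The following is an added example, not code from the Sophos report; the function names, the constructed sample archive and the sample search query are assumptions made for this illustration, and the script-extension list covers only the .js lures the article describes.

```python
# Added example (not from the Sophos report): flag a downloaded zip archive
# that matches the Gootloader lure pattern described in the article. Names,
# the sample archive and the search query below are constructed for this demo.
import io
import re
import zipfile

# The article describes .js lures; widen this tuple if you track other scripts (assumption).
SCRIPT_EXTENSIONS = (".js",)


def _name_tokens(name: str) -> set:
    """Split a file name or query into lowercase word tokens of three or more characters."""
    return {t for t in re.split(r"[^a-z0-9]+", name.lower()) if len(t) > 2}


def inspect_download(archive_name: str, archive_bytes: bytes, search_query: str) -> dict:
    """Return a finding for an archive whose name echoes the search query and
    which carries a script file, the delivery chain the article describes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
        entries = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"suspicious": False, "reason": "not a zip archive"}
    scripts = [i.filename for i in entries if i.filename.lower().endswith(SCRIPT_EXTENSIONS)]
    query_hit = bool(_name_tokens(archive_name) & _name_tokens(search_query))
    # Suspicious when a script is present and either the archive name mirrors
    # the query or the archive consists of nothing but scripts.
    suspicious = bool(scripts) and (query_hit or len(scripts) == len(entries))
    return {
        "suspicious": suspicious,
        "script_entries": scripts,
        "name_matches_query": query_hit,
        "entry_count": len(entries),
    }


def build_sample_zip(entry_name: str, content: bytes) -> bytes:
    """Build a constructed in-memory archive so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    query = "real estate purchase agreement template"  # constructed sample query
    lure = build_sample_zip("real_estate_purchase_agreement_template.js", b"var a=[];/*obfuscated*/")
    print(inspect_download("real_estate_purchase_agreement_template.zip", lure, query))
```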
According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.
“At several points, it’s possible that hackers exploit websites using these techniques and end-users can avoid the infection if they recognize the signs,” the researchers say. “The problem is that even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page from happening, but not everyone uses those tools.”