Researchers at Trend Micro, in collaboration with Japanese institutions, investigated the connections among several SEO malware families and showed how cybercriminals use SEO poisoning to lure unsuspecting users to fraudulent e-commerce websites.
The study identified distinct groups of threat actors, each using specific malware families, with one group leveraging multiple families; it also revealed shared infrastructure among certain families, suggesting collaboration or resource sharing among the actors.
The research, recognized with the Best Paper Award at the 2024 IEEE Conference on Dependable and Secure Computing, sheds light on the evolving tactics and strategies cybercriminals use to perpetrate online fraud.
Recent reports indicate a surge in fake e-commerce sites targeting Japanese consumers, with a significant increase in cases reported to the JC3 (Japan Cybercrime Control Center); these sites often rely on SEO poisoning and aim to deceive victims into handing over personal information or financial details.
The rise in such fraudulent activities poses a serious threat to consumer safety and financial security, highlighting the urgent need for robust cybersecurity measures and public awareness campaigns.
Threat actors conduct SEO poisoning by installing SEO malware on compromised websites; the malware manipulates search engine rankings to promote fake e-commerce sites.
By tricking search engines into listing lure pages, they divert users from legitimate search results to malicious websites that draw victims into fraudulent online shopping, potentially leading to financial loss and data compromise.
Attackers install SEO malware on compromised websites to inject malicious content. By feeding search engines crafted sitemaps and injected lure pages, they get the compromised site ranked for keywords unrelated to its real content, including Japanese product names.
When a visitor arrives at one of these pages from a search result, the malware redirects the browser to a fraudulent e-commerce site. This technique, known as the Japanese keyword hack, abuses the compromised site's search ranking to steer users to malicious websites.
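The sitemap side of this is easiest to see from the defender's position. The following is an added example, not code from Trend Micro or the study: it takes a sitemap.xml from a site that does not publish in Japanese and flags entries whose path decodes to Japanese text, entries absent from a known-good baseline, and how entries cluster by lastmod date. The sitemap, hostnames (under the reserved .invalid TLD) and baseline are constructed for the example, and the lastmod clustering is a heuristic of mine rather than a finding of the study.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Hiragana, Katakana and the CJK unified ideographs block; enough to spot
# Japanese product names in a path that should not contain any.
JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")

# Constructed sitemap for a hypothetical English-language shop (not a real
# site). The last two entries imitate what a Japanese keyword hack adds: new
# URLs whose paths are Japanese product names, one percent-encoded, one raw.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example.invalid/</loc><lastmod>2024-01-10</lastmod></url>
  <url><loc>https://shop.example.invalid/about</loc><lastmod>2024-01-10</lastmod></url>
  <url><loc>https://shop.example.invalid/item/%E8%85%95%E6%99%82%E8%A8%88-%E6%BF%80%E5%AE%89</loc><lastmod>2024-05-01</lastmod></url>
  <url><loc>https://shop.example.invalid/item/バッグ-通販</loc><lastmod>2024-05-01</lastmod></url>
</urlset>
"""

# The site owner's last known-good list of sitemap URLs (constructed).
KNOWN_GOOD_LOCS = {
    "https://shop.example.invalid/",
    "https://shop.example.invalid/about",
}


def parse_sitemap(xml_text: str) -> list[tuple[str, str | None]]:
    """Return (loc, lastmod) pairs from a sitemap in the standard urlset format."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for url in root.findall("sm:url", SITEMAP_NS):
        loc = url.findtext("sm:loc", namespaces=SITEMAP_NS)
        lastmod = url.findtext("sm:lastmod", namespaces=SITEMAP_NS)
        if loc:
            entries.append((loc.strip(), lastmod))
    return entries


def flag_japanese_paths(xml_text: str) -> list[str]:
    """URLs whose percent-decoded path contains Japanese characters.

    Only meaningful for a site that does not publish in Japanese; on a
    Japanese-language site every URL would match and the check is useless.
    """
    hits = []
    for loc, _ in parse_sitemap(xml_text):
        path = unquote(urlparse(loc).path)
        if JAPANESE.search(path):
            hits.append(loc)
    return hits


def unexpected_entries(xml_text: str, known_good: set[str]) -> list[str]:
    """URLs present in the sitemap but absent from the known-good baseline.

    Language-independent, so it also catches injected pages written in the
    site's own language, but it needs a trusted baseline to diff against.
    """
    return [loc for loc, _ in parse_sitemap(xml_text) if loc not in known_good]


def lastmod_clusters(xml_text: str) -> dict[str, int]:
    """Count entries per lastmod date (heuristic: a batch of injected pages
    usually carries one shared date, which stands out against real history)."""
    counts: dict[str, int] = {}
    for _, lastmod in parse_sitemap(xml_text):
        if lastmod:
            counts[lastmod] = counts.get(lastmod, 0) + 1
    return counts


if __name__ == "__main__":
    for loc in flag_japanese_paths(SAMPLE_SITEMAP):
        print("Japanese path:", loc)
    for loc in unexpected_entries(SAMPLE_SITEMAP, KNOWN_GOOD_LOCS):
        print("not in baseline:", loc)
    print("entries per lastmod:", lastmod_clusters(SAMPLE_SITEMAP))
```

The baseline diff is the check worth automating after every deploy; the language test is a cheap second signal for the specific campaign the article describes, and it is deliberately applied to the decoded path, since injected URLs are often percent-encoded in the sitemap.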
Trend Micro's study analyzed 227,828 fake e-commerce sites linked to six SEO malware families, identified through 1,242 command-and-control (C&C) servers.
Trend Micro used the findings to improve its Web Reputation System (WRS) so that it blocks these malicious sites, although the primary goal of the work was to understand the characteristics of the threat actors behind these blackhat SEO techniques.
The SEO malware families exhibit distinct communication patterns with their C&C servers. Family A uses a dynamic C&C hostname format with increasing numerical values and possible obfuscation.
Families B and C send HTTP POST requests to C&C servers with specific URL patterns, and family C additionally stores its C&C URL as a rot13-encoded, hex-escaped string.
The C&C servers of families D, E, and F answer requests to the /jp2023 endpoint with family-specific identifiers and, potentially, content retrieved from the C&C server. The C&C hostnames of these families follow set formats, often a prefix followed by a numerical suffix.
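To make these patterns concrete, here is an added example, not Trend Micro's tooling. It first recovers a C&C URL stored as a rot13-encoded, hex-escaped string in injected source, then flags requests in an egress-proxy log that hit the /jp2023 endpoint or a hostname of the prefix-plus-number form. The rot13-over-hex layering, the /jp2023 path and the hostname shape are taken from the text; the exact literal format (\xNN escapes inside a PHP string), the log layout, and every hostname (placeholders under the reserved .invalid TLD) are assumptions constructed for the example.

```python
from __future__ import annotations

import codecs
import re
from urllib.parse import urlparse

# A run of at least four \xNN escapes, the way an obfuscated string literal
# appears inside injected PHP or JavaScript (assumed format).
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")


def encode_rot13_hex(url: str) -> str:
    """Apply the two layers the text attributes to family C: rot13, then hex
    escapes. Used here only to build the constructed sample below."""
    rotated = codecs.encode(url, "rot_13")
    return "".join(f"\\x{b:02x}" for b in rotated.encode("latin-1"))


def unescape_hex(run: str) -> str:
    """Turn a \\xNN run back into the characters it encodes."""
    return bytes.fromhex(run.replace("\\x", "")).decode("latin-1")


def decode_rot13_hex(run: str) -> str:
    """Undo both layers: hex escapes first, then rot13."""
    return codecs.decode(unescape_hex(run), "rot_13")


def looks_like_url(s: str) -> bool:
    p = urlparse(s)
    return p.scheme in ("http", "https") and bool(p.netloc)


def extract_c2_candidates(source: str) -> list[str]:
    """Find hex-escaped runs in page or script source and keep those that
    decode to an http(s) URL, with or without the rot13 layer."""
    found = []
    for m in HEX_RUN.finditer(source):
        run = m.group(0)
        for candidate in (decode_rot13_hex(run), unescape_hex(run)):
            if looks_like_url(candidate):
                found.append(candidate)
                break
    return found


# Constructed injected-PHP fragment; the hostname is a placeholder, not a
# real indicator.
SAMPLE_C2 = "http://srv41.c2-example.invalid/jp2023"
SAMPLE_SOURCE = (
    '<?php $u = "' + encode_rot13_hex(SAMPLE_C2) + '"; '
    "$r = @file_get_contents($u); ?>"
)

# Constructed egress-proxy log (timestamp, method, URL), not real traffic.
SAMPLE_EGRESS_LOG = """\
2024-05-01T10:00:01Z POST http://srv41.c2-example.invalid/jp2023
2024-05-01T10:00:02Z GET https://cdn.example.invalid/jquery.min.js
2024-05-01T10:00:03Z POST http://srv42.c2-example.invalid/jp2023
2024-05-01T10:00:04Z GET https://www.example.invalid/index.php
"""

# First hostname label is letters followed by digits ("prefix + numerical suffix").
PREFIX_NUMERIC_HOST = re.compile(r"^[a-z]+[0-9]+\.")
JP_ENDPOINT = "/jp2023"


def flag_egress(log: str) -> list[tuple[str, str]]:
    """Return (hostname, path) for requests that hit the /jp2023 endpoint or a
    prefix+number hostname. Each pattern alone is weak (plenty of legitimate
    hosts look like web03.example); treat hits as triage leads, not verdicts."""
    hits = []
    for line in log.splitlines():
        _ts, _method, url = line.split(" ", 2)
        p = urlparse(url)
        host = p.hostname or ""
        if p.path == JP_ENDPOINT or PREFIX_NUMERIC_HOST.match(host):
            hits.append((host, p.path))
    return hits


if __name__ == "__main__":
    print("decoded C&C candidates:", extract_c2_candidates(SAMPLE_SOURCE))
    print("suspicious egress:", flag_egress(SAMPLE_EGRESS_LOG))
```

Running the decoder over every PHP and JavaScript file on a compromised host is a quick way to enumerate C&C URLs for blocking; the egress check is the complementary network-side view, and the increasing numeric suffix (srv41, srv42 in the sample) is the kind of sequence the text describes for the dynamic hostname families.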
The researchers used Maltego to analyze the relationships between threat actors and malware families; the resulting graph revealed distinct patterns: three groups were each associated with a single malware family, while one group employed multiple families.
Further investigation of the infrastructure suggested that families A, C, D, E, and F each maintained independent lists of fake shopping sites, whereas family B shared a single large list of sites across its C&C servers.