Pub. 12 2022-2023 Issue 5

Malware's Changing Tactics: SEO Poisoning in 2023
By SEI Sphere

Attackers are always iterating. In the early 1990s, firewalls were first built to stop attacks on public-facing servers. Attackers then learned to port-scan those firewalls, probing for the services still reachable through them. Fast forward to the 2020s, and email phishing became the most common cyber-attack vector: "Hey, we can get people to click and do the work for us!" All of that is changing. Lately, the malware-focused threat groups that we track have been moving away from phishing and toward SEO poisoning.

What is SEO Poisoning?
We all use a search engine to find things on the internet. The results at the top of the list are typically the best matches for the search we made, and we click on one. You are probably aware that many companies pay to appear at the top of those results. Attackers exploit this practice to covertly push their malicious websites to the top of the results and mislead users into clicking. Once the click is made, a download often follows, typically disguised as the software or document the user was searching for, and that download initiates the malicious process.

Why Are Attackers Moving Away From Phishing?
It may not be obvious, but a lot of progress has been made in the battle against phishing: employee education, awareness, big bold warnings, simulated testing, and increasingly sophisticated detection tools. Credit is due to the constant vigilance of the intelligence community and its sharing of information, which shines a light on attackers' ways. We most often attribute attacker motivation to return on investment, and the return on phishing is not as good as it used to be. The more the enemy iterates, the more the defense adapts, and slowly the enemy is funneled into a low-profit or unprofitable attack vector. So they scrap it and find a new one. Right now, that vector appears to be SEO poisoning.

Countering Threats with Intelligence
While this tactic is not novel, the volume of activity we are seeing recently is raising its importance. In a two-day span, our InfoSec team identified over 400 new domains related to this attack style and to the threat groups and malware that we track. We wrote about TA-505, a well-known attack group, in late 2020. At the time, we were tracking them in conjunction with an iteration of their "Get2" attack. They paused activity while building out a new means of attack, specifically changing their delivery from an HTML file to an embedded link. When it showed up, we thankfully had the intelligence in place to see it right away and adapt our controls.

www.coloradobankers.org
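The delivery chain the article describes (a click on a search result lands on a recently registered domain and a download follows) can be turned into a detection heuristic over web-proxy logs. The following is an added example written for this page, not code from SEI Sphere or the article; the log lines, the domain registration dates and the 30-day "new domain" threshold are all constructed assumptions standing in for a real proxy feed and a real domain-intelligence source.

```python
"""Detection heuristic for the SEO-poisoning delivery chain: a search-engine
click lands on a very new domain and a file download follows."""
import csv
import io
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Result pages of these search engines act as the referrer of the poisoned click.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}

# Responses that look like a payload being delivered rather than a web page.
DOWNLOAD_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-msi", "application/zip",
    "application/octet-stream", "application/java-archive",
}
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".iso", ".jar", ".js")

# Domains registered within this many days count as "new" (assumed threshold).
NEW_DOMAIN_MAX_AGE_DAYS = 30

# Constructed stand-in for a domain-intelligence feed: registrable domain -> creation date.
DOMAIN_CREATED = {
    "pdf-editor-pro.example": date(2015, 6, 10),        # the legitimate vendor
    "pdf-editor-pro-setup.example": date(2023, 2, 24),  # lookalike, five days old
    "internal-update.example": date(2023, 2, 20),       # new, but not reached via a search
}

# Constructed proxy log: time,client_ip,url,referrer,status,content_type
SAMPLE_LOG = """\
time,client_ip,url,referrer,status,content_type
2023-03-01T09:14:02Z,10.1.2.3,https://www.google.com/search?q=pdf+editor+pro+download,,200,text/html
2023-03-01T09:14:09Z,10.1.2.3,https://pdf-editor-pro-setup.example/dl/PDFEditorPro-Setup.exe,https://www.google.com/search?q=pdf+editor+pro+download,200,application/x-msdownload
2023-03-01T09:20:41Z,10.1.2.7,https://www.pdf-editor-pro.example/downloads/setup.exe,https://www.google.com/search?q=pdf+editor+pro,200,application/x-msdownload
2023-03-01T09:31:15Z,10.1.2.9,https://pdf-editor-pro-setup.example/index.html,https://www.bing.com/search?q=pdf+editor,200,text/html
2023-03-01T10:02:00Z,10.1.2.11,https://cdn.internal-update.example/agent.msi,,200,application/x-msi
"""
TODAY = date(2023, 3, 1)  # reference date for the constructed log


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_age_days(host: str, today: date) -> Optional[int]:
    """Days since registration, or None when the feed does not know the domain."""
    created = DOMAIN_CREATED.get(registrable_domain(host))
    return (today - created).days if created else None


def is_search_referrer(referrer: str) -> bool:
    """True when the request was reached from a search-engine results page."""
    return bool(referrer) and urlparse(referrer).hostname in SEARCH_ENGINE_HOSTS


def is_download(url: str, content_type: str) -> bool:
    """True when either the MIME type or the path extension indicates a file download."""
    mime = content_type.split(";")[0].strip().lower()
    path = urlparse(url).path.lower()
    return mime in DOWNLOAD_CONTENT_TYPES or path.endswith(DOWNLOAD_EXTENSIONS)


def find_seo_poisoning(log_text: str, today: date) -> list:
    """Return one alert per request that completes the search -> new domain -> download chain."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = urlparse(row["url"]).hostname or ""
        age = domain_age_days(host, today)
        if (is_search_referrer(row["referrer"])
                and is_download(row["url"], row["content_type"])
                and age is not None and age <= NEW_DOMAIN_MAX_AGE_DAYS):
            alerts.append({
                "time": row["time"], "client": row["client_ip"],
                "domain": registrable_domain(host), "age_days": age, "url": row["url"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_seo_poisoning(SAMPLE_LOG, TODAY):
        print(f"{alert['time']} {alert['client']} downloaded from {alert['domain']} "
              f"({alert['age_days']} days old) after a search click: {alert['url']}")
```

Only the second log line fires: the legitimate vendor's installer comes from a domain registered years ago, the lookalike's landing page is not a download, and the fresh internal update domain was not reached from a search. Requiring all three conditions keeps the rule quiet on ordinary software downloads while catching the pattern the article describes; in practice the constructed feed would be replaced by registrar creation dates for the newly registered domains the intelligence team tracks.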
