Cybersecurity researchers have found a new malware that is tricking Google into treating hacked websites as trustworthy sources and presenting innocent users with apparently “perfect matches” to their search queries on the platform.
The hackers are using the malware, dubbed “Gootloader”, to lure “well-meaning users” into installing it on their devices, putting them at risk of ransomware, according to a report by Naked Security, global cybersecurity firm Sophos’s threat intelligence unit.
The Gootkit malware family has been around for more than half a decade — a mature Trojan with functionality centered around banking credential theft.
However, in recent years, almost as much effort has gone into the improvement of its delivery method as has gone into the malware itself.
This is how the modus operandi works.
The hackers break into hundreds of web servers and implant artificially generated content containing phrases that search engines are likely to associate with expertise in a specific field, like real estate, employment law, import/export regulations, company partnerships, and more.
“From time to time, the crooks get lucky and one of their hacked sites turns up as a top hit on Google, thanks to a specific search term entered by an innocent user,” the report said.
There’s a good chance that the user will click the Google link that shows up, because the search hit looks like a natural result, given that it’s not a paid ad or a sponsored link.
If the user clicks through to the hacked server, the crooks recognize that the visit came via a Google search by checking the Referer header of the web request.
The server deliberately sends out a fraudulent web page that looks like a message board on which someone else recently asked the same thing.
“To make the page look even more convincing, there’s a further reply, apparently from the original questioner, thanking the administrator for their prompt and helpful answer,” the report mentioned.
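The behaviour described above, serving one page to visitors who arrive from a search engine and a different one to everyone else, is a form of referer-based cloaking, and a site owner can look for it in their own access logs. The following script is an added example, not code from Sophos or the Gootloader report: it parses web server logs in the common Combined Log Format, buckets 200 responses per path by whether the Referer points at a search engine, and flags paths where the two groups differ sharply in response size. The log lines, the 50% size-difference threshold and the regular expressions are constructed for illustration; a real deployment would tune the threshold and compare content hashes where the server records them.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample access log lines in Combined Log Format (not real traffic).
# The first path shows the cloaking pattern: ~18 KB for direct visitors,
# ~3 KB for visitors whose Referer is a Google search.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:01:02 +0000] "GET /blog/partnership-agreement HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Mar/2021:10:01:09 +0000] "GET /blog/partnership-agreement HTTP/1.1" 200 18419 "https://example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:02:15 +0000] "GET /blog/partnership-agreement HTTP/1.1" 200 3117 "https://www.google.com/" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2021:10:03:44 +0000] "GET /blog/partnership-agreement HTTP/1.1" 200 3120 "https://www.google.de/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2021:10:04:01 +0000] "GET /about HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:04:30 +0000] "GET /about HTTP/1.1" 200 9004 "https://www.google.com/" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of search-engine referers to treat as "arrived via a search".
SEARCH_REFERER_RE = re.compile(r'^https?://(www\.)?(google|bing)\.[a-z.]+/', re.I)


def parse_log(text):
    """Parse log text into dicts with path, status, size and a from_search flag."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("size") == "-":
            continue
        rows.append({
            "path": m.group("path"),
            "status": int(m.group("status")),
            "size": int(m.group("size")),
            "from_search": bool(SEARCH_REFERER_RE.match(m.group("referer"))),
        })
    return rows


def find_cloaked_paths(rows, ratio_threshold=0.5):
    """Return paths whose 200 responses to search-referred requests differ in
    median size from responses to other requests by more than ratio_threshold
    (expressed as a fraction of the larger median). Paths seen only from one
    kind of referer cannot be compared and are skipped."""
    sizes = defaultdict(lambda: {True: [], False: []})
    for r in rows:
        if r["status"] == 200:
            sizes[r["path"]][r["from_search"]].append(r["size"])
    suspicious = {}
    for path, buckets in sizes.items():
        if not buckets[True] or not buckets[False]:
            continue
        m_search, m_other = median(buckets[True]), median(buckets[False])
        diff = abs(m_search - m_other) / max(m_search, m_other)
        if diff > ratio_threshold:
            suspicious[path] = {
                "search_median": m_search,
                "other_median": m_other,
                "diff": round(diff, 2),
            }
    return suspicious


if __name__ == "__main__":
    for path, info in find_cloaked_paths(parse_log(SAMPLE_LOG)).items():
        print(f"possible referer-based cloaking on {path}: {info}")
```

On the constructed sample, only /blog/partnership-agreement is flagged (about an 83% size difference); /about serves nearly identical sizes to both groups and is not. A flagged path is a prompt to fetch it yourself with and without a search-engine Referer and compare the responses, not proof of compromise on its own, since legitimate sites also vary pages by referer for analytics or A/B tests.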
Google had yet to respond to the Sophos report.
SophosLabs encountered Gootloader’s fake message board pages in a variety of different languages, including English, German, French and Korean, with different campaigns targeted at different regions.
“This search poisoning trick works because the website you visit seems to fit your search perfectly, which feels like too much of a coincidence for a crook to have anticipated it in advance,” said the researchers.