Banking Trojan gang poisons Google results to spread malware: more comment

News by Mark Mayne

Cunning SEO trickery and new variant of Zeus Panda targets international banking customers

Attackers are combining SEO, poisoned Google rankings, compromised legitimate sites and malicious Word documents to infect users with a banking trojan, as reported by SC.

The chain starts with the group compromising legitimate business sites, then applying considerable SEO effort to get those sites ranking in Google for banking-related phrases. Once a user clicks on the result, a chain of events culminates in a malicious Word document being downloaded, together with instructions to enable macros. The macro then installs the Zeus Panda credential-stealing banking trojan. Before fully activating, the malware inspects the installed keyboard layouts; if a Russian, Belarusian, Kazakh or Ukrainian layout is present, it does not fully activate.

David Emm, principal security researcher, Kaspersky Lab, said: "Banking trojans using SEO techniques to force their sites to the top of search rankings is nothing new. Cyber-criminals have used this ploy for many years, as outlined here. Clearly, Google's efforts to force the use of 'https' has made this harder, since cyber-criminals now need to implement encryption in order to figure in its search listings. However, while this might make it more difficult, some criminals are prepared to go the extra mile in order to achieve this."

The attackers crafted a range of keyword groups, mostly targeting banking or financial-related information and in some cases specific institutions. Some groups were targeted geographically, at financial institutions in India and the Middle East, according to Cisco Talos researchers. Examples of the keyword searches targeted by this campaign were:

   "nordea sweden bank account number"

   "al rajhi bank working hours during ramadan"

   "how many digits in karur vysya bank account number"

   "free online books for bank clerk exam"

   "how to cancel a cheque commonwealth bank"

   "salary slip format in excel with formula free download"

   "bank of baroda account balance check"

   "bank guarantee format mt760"

   "free online books for bank clerk exam"

   "sbi bank recurring deposit form"

   "axis bank mobile banking download link"

Thomas Fischer, global security advocate at Digital Guardian said: “This social engineering tactic does require a lot of effort and planning. For example, the adversary would have to understand what typical search words the intended victims use. The attacker also needs to somehow ensure that the compromised website page ranks in the top search criteria. While it's clearly doable, this requires a good knowledge of how SEO works, which any marketer will tell you is not a simple activity! It's a lot of time and work with no guarantee that your malicious web page will appear as a top site and that the victim will actually click on it.

"The Zeus Panda payload, in its initial steps, checks for the presence of virtualisation or sandboxing in its current running context. If it is running in a virtual environment, the payload promptly deletes itself. This is something that is becoming more and more common in these types of payloads. Perhaps organisations should start thinking about this factor when looking to improve defences."
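The two execution gates this article mentions, the keyboard-layout check described earlier and the virtualisation check Fischer refers to, decide whether a detonated sample ever reaches the behaviour a sandbox is meant to record. The following is an added example, not code from Talos, Kaspersky or Digital Guardian, that reproduces both gates from the defender's side so an analysis image can be checked against them. The HKL layout and LANG_* values are Windows facts; which API Zeus Panda actually calls and which hypervisor strings it looks for are not stated on the page and are assumptions here, as are the constructed host descriptions at the bottom.

```python
"""Reproduce the two execution gates described in the article so a sandbox
operator can see whether a given host would make the sample stand down.
Added example; assumptions are marked in the comments."""
import sys

# Windows primary-language IDs (low 10 bits of a LANGID) for the four
# layouts the article says cause the trojan to stand down.
EXCLUDED_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x3F: "Kazakh",
}

# Substrings that give away common hypervisors in SMBIOS/DMI strings.
# Assumption: the page does not list Zeus Panda's own artifact checks.
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "xen",
                     "kvm", "bochs", "parallels", "virtual machine")


def primary_lang(hkl: int) -> int:
    """An HKL's low word is the LANGID of the layout's input language, and
    the LANGID's low 10 bits are its primary language (PRIMARYLANGID)."""
    langid = hkl & 0xFFFF
    return langid & 0x3FF


def layout_stop_reasons(hkls):
    """Names of excluded languages present among the given layout handles."""
    found = []
    for hkl in hkls:
        name = EXCLUDED_PRIMARY_LANGS.get(primary_lang(hkl))
        if name and name not in found:
            found.append(name)
    return found


def vm_stop_reasons(dmi_strings):
    """DMI/SMBIOS strings that match a hypervisor marker."""
    hits = []
    for s in dmi_strings:
        low = s.lower()
        if any(marker in low for marker in VM_VENDOR_MARKERS):
            hits.append(s.strip())
    return hits


def sample_would_run(hkls, dmi_strings):
    """Either gate alone makes the payload stand down, as the article
    describes. Returns (would_run, reasons)."""
    reasons = [f"keyboard layout: {n}" for n in layout_stop_reasons(hkls)]
    reasons += [f"virtualisation artifact: {s}" for s in vm_stop_reasons(dmi_strings)]
    return (not reasons, reasons)


def live_keyboard_layouts():
    """Installed layouts of the current Windows session via the Win32 API
    GetKeyboardLayoutList (assumed to be how such a check is usually done;
    the page does not name the API). Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [int(h or 0) & 0xFFFFFFFF for h in buf]


def live_dmi_strings():
    """Linux only: sysfs DMI fields that hypervisors populate. [] elsewhere."""
    out = []
    for name in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{name}") as f:
                out.append(f.read().strip())
        except OSError:
            pass
    return out


# Constructed inputs: a typical analysis VM that also has a Russian layout
# installed, and a single-layout host on real hardware.
ANALYST_VM_HKLS = [0x04090409, 0x04190419]   # en-US, ru-RU
ANALYST_VM_DMI = ["innotek GmbH", "VirtualBox", "Oracle Corporation"]
BARE_METAL_HKLS = [0x04090409]
BARE_METAL_DMI = ["Dell Inc.", "Latitude 7490"]

if __name__ == "__main__":
    for label, hkls, dmi in (("analyst VM", ANALYST_VM_HKLS, ANALYST_VM_DMI),
                             ("bare metal", BARE_METAL_HKLS, BARE_METAL_DMI)):
        ok, why = sample_would_run(hkls, dmi)
        print(f"{label}: {'runs' if ok else 'stands down'} {why}")
    print("this host:", sample_would_run(live_keyboard_layouts(), live_dmi_strings()))
```

Run it on the detonation image itself: if `sample_would_run` returns any reason, a sample with these gates will delete itself before doing anything worth recording, which is the point Fischer is making about sandbox design. The same decoding also explains why an extra Cyrillic layout on an endpoint flips the first gate, a side effect worth knowing but not a substitute for macro controls.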
