According to Talos Intelligence, a banking Trojan called Zeus Panda recently targeted people trying to bank online in India. You can read all about the attack vector and how it works on their blog.

I’m a sucker for security blogs, but this one in particular caught my attention because their article stated: “the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results”.

Were hackers using SEO (finally)?

Yes and no.

In their article they pointed out that the compromised (infected) websites used to distribute the Trojan’s payload ranked for terms such as:

  • “nordea sweden bank account number”
  • “al rajhi bank working hours during ramadan”
  • “how many digits in karur vysya bank account number”
  • “free online books for bank clerk exam”
  • “how to cancel a cheque commonwealth bank”
  • “salary slip format in excel with formula free download”
  • “bank of baroda account balance check”
  • “bank guarantee format mt760”
  • “sbi bank recurring deposit form”
  • “axis bank mobile banking download link”

Indeed, these are questions people were searching Google for. However, nothing special was done to rank these infected pages. Nobody had written content answering these long-tail questions, so there was little competition for them. All the attackers had to do was find a vulnerable website that already had some authority and create a page targeting the query. They did nothing else to manipulate Google’s search results.

I would call it “content marketing” rather than SEO. But then again, it sort of is SEO, since they are gaining visibility for a website via Google search results. So call it whatever you’d like, but there is usually a lot more involved in ranking a page (if the query has any level of competition).

In a nutshell, they were using the existing authority (the horsepower) of vulnerable sites to get their infected pages onto page one of Google.

Just months ago, attackers defaced millions of WordPress pages by exploiting an unauthenticated content-injection bug in the WordPress REST API (WordPress 4.7.0 and 4.7.1, fixed in 4.7.2), simply adding notes such as “Hacked By MuhmadEmad”. Attackers could easily pull off a significantly larger Trojan outbreak by exploiting the same kind of vulnerable WordPress sites, most of which are neither patched nor removed from search results.

November 16, 2017: Google is still showing infected websites

I decided to do a few searches myself and quickly located an infected website by searching for “al rajhi bank working hours in ramadan”:

I could instantly tell this site was infected, so I didn’t click it but instead went to Sucuri’s site scanner to scan it.

Sucuri knew the site was harmful and also detected that the site was blacklisted by many antivirus scanners:

So why hasn’t Google blocked it yet?

Does Google protect users from this?

Yes, eventually. Once Google picks up on an infected site, it can display a warning to users like this:

Here is what a hacked site looks like in Google search results.

Depending on the level of infection, the site will eventually be removed from Google search results, and the webmaster will be notified via Google Search Console (if the site is verified there).

Will Google get faster at removing hacked sites?

Maybe at some point in the future Google will get faster at removing infected sites from its search results. To date, most “outbreaks” have been relatively harmless. However, as seen in this example, the attack was documented 4 days ago and compromised sites are STILL in search results, possibly infecting people’s machines while their banking information is stolen.

