Inside SolarMarker: Quantifying the threat of SEO poisoning
November 2021 by Brett Raybould, Menlo Security
Browsing the web via search engines has become second nature. Statistics show that 84% of us use Google more than three times a day, with the search engine processing as many as 5.6 billion daily searches. That’s 63,000 search queries every second.
We’re highly reliant on search engines and companies know it. It’s why search engine optimisation (SEO) – a technique used to improve the positioning of web pages in organic search results – is such an important part of modern marketing toolkits.
Through SEO, companies are able to rank higher for relevant searches, allowing them to drive greater visibility among prospects and customers through greater website traffic. Yet there is a darker side of this sphere that is less often spoken about.
SEO poisoning is a relatively unknown component of the threat actor arsenal. These types of highly evasive attacks have been seen before, but the velocity, volume, and complexity of this new wave has increased in recent months. In the same way that companies aim to drive greater numbers of users to their webpages, cybercriminals are striving for this very same goal, albeit with a different motive.
By falsely improving a search engine ranking by injecting keywords, they are able to bump their malicious webpages closer to the top of the list of search results, catching out unsuspecting victims.
Given that three in every four people never scroll past the first page of results, assuming that the sites appearing towards the top are both credible and the most relevant to their search, this technique is particularly dangerous; a high proportion of browser users are simply unaware that SEO poisoning exists at all.
For threat actors, it provides a major opportunity, the size of which we’ve witnessed first-hand at Menlo Security by monitoring the Gootloader and SolarMarker SEO poisoning campaigns across our global customer base.
Uncovering the affected websites
In our monitoring efforts we found that more than 2,000 unique search terms listed malicious websites in the search results.
Many of these were highly niche, such as ‘Sports Mental Toughness Questionnaire’ and ‘industrial-hygiene-walk-through-survey-checklist’, showing the likelihood of unsuspecting victims falling into the trap.
Clicking through these links presented users with malicious PDFs and an option to download them. Had they accepted this prompt, they would have been taken through several HTTP redirections before a malicious payload was finally downloaded to the endpoint.
Those with an acute knowledge of sandboxes and content inspection engines would have recognised the malicious nature of these payloads from the size of the downloaded files alone. In tracking SolarMarker, we saw downloaded files ranging from 70-123 MB in size, all of which exceeded typical file size limits for inspection.
Threat actors’ untargeted, wide-ranging approach
Of these 2,000-plus websites that were hosting malicious PDFs, 100% were built using the open-source content management platform WordPress. We discovered that threat actors had been exploiting the Formidable Forms plug-in, which allows site managers to create website forms, via the /wp-content/uploads/formidable/ directory.
The plug-in has since issued a security update, as reflected in its changelog, but it is unclear whether this addressed the initial vector used in the SolarMarker campaign.
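A defender-side illustration of the delivery chain described above (PDF served from the Formidable Forms upload path, several redirects, then an oversized download): this is an added Python example, not Menlo Security's tooling, and the proxy-log format, the session grouping and the 50 MB inspection threshold are assumptions.

```python
"""Flag proxy-log sessions matching the SolarMarker delivery pattern.
Added illustration: log format, session ids and the 50 MB threshold
are assumptions, not observed data."""
import re
from collections import defaultdict

FORMIDABLE_PATH = "/wp-content/uploads/formidable/"
MIN_REDIRECTS = 2                 # "several HTTP redirections"
SIZE_LIMIT_BYTES = 50 * 1024**2   # assumed sandbox/inspection size limit

# Constructed sample log: session_id method url status response_bytes
SAMPLE_LOG = """\
s1 GET https://example-biz.test/wp-content/uploads/formidable/survey-checklist.pdf 200 48211
s1 GET https://example-biz.test/dl?id=7 302 0
s1 GET https://cdn-redirect.test/go 302 0
s1 GET https://payload-host.test/setup.exe 200 98566144
s2 GET https://example-edu.test/library/report.pdf 200 120331
s2 GET https://example-edu.test/library/report-v2.pdf 200 118900
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(log):
    """Group (url, status, size) events by session id; skip malformed lines."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, _method, url, status, size = m.groups()
        sessions[sid].append((url, int(status), int(size)))
    return sessions


def assess(events):
    """Return the indicator names matched by one session's events."""
    hits = []
    if any(FORMIDABLE_PATH in url and url.lower().endswith(".pdf")
           for url, _, _ in events):
        hits.append("formidable_pdf")
    redirects = sum(1 for _, st, _ in events if 300 <= st < 400)
    oversized = any(st == 200 and size > SIZE_LIMIT_BYTES for _, st, size in events)
    if redirects >= MIN_REDIRECTS and oversized:
        hits.append("redirect_chain_to_oversized_download")
    return hits


def flag_sessions(log):
    """Map session id -> matched indicators, for sessions with at least one hit."""
    flagged = {}
    for sid, events in parse(log).items():
        hits = assess(events)
        if hits:
            flagged[sid] = hits
    return flagged
```

Sessions that match both indicators are the strongest candidates for blocking the download and reviewing the referring search result.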
Further analysis also showed that there was not any single type of website, market or sector targeted. While several well-respected education and government sites were revealed to be hosting malicious PDFs, the majority of threat actors’ attentions were focused on directing victims to fake business websites, of which there were more than 1,000. In addition, there were fake websites spanning the shopping, job search, travel, health and medicine sectors, among many others.
This lack of targeting is equally reflected in the variety of industry verticals affected, with those clicking the malicious links having come from the likes of automotive, energy and manufacturing to media, housing and telecommunications.
Adopting an improved security strategy
As is demonstrated by both Gootloader and SolarMarker, SEO poisoning is a growing problem.
Threat actors have recognised the growing importance and use of the browser as remote and hybrid business models have become consolidated during the pandemic and post-pandemic period, and are adjusting their tactics to capitalise.
As a result, organisations need to respond. And in many cases, they recognise the need to.
Indeed, a survey from Menlo Security shows that 75% believe remote workers accessing applications on unmanaged devices are a threat, while 53% plan to reduce or limit third-party access to systems and resources over the next 12 to 18 months.
However, recognition alone is not enough. Greater action is needed to update security strategies so that companies can continue to operate effectively in the face of modern threats.
Given that threat actors are adopting new methods in an attempt to exploit new vulnerabilities, companies should consider instituting zero trust principles and the key solutions that support them, such as isolation technology.