Attacks using SEO poisoning on the rise, says Menlo Labs

A young man types on an illuminated computer keyboard typically favored by computer coders on Jan. 25, 2021, in Berlin. (Photo by Sean Gallup/Getty Images)

Researchers at Menlo Labs reported seeing high success rates with SEO poisoning, in which attackers artificially push their malicious pages up the search rankings and use them to deliver malware to online users, bypassing the usual security measures.

While attacks using SEO poisoning are not new, the researchers noted on the Menlo Labs blog that their volume and complexity have increased in recent months, as the line between business and personal device use blurs further while many employees work online from home during the pandemic.

“In these attacks, threat actors turn advances in web browsers and browser capabilities to their advantage to deliver ransomware, steal credentials, and drop malware directly to their targets,” the researchers wrote.

Menlo Security has witnessed at least two active campaigns against its customers: the Gootloader campaign has dropped REvil ransomware, while the SolarMarker campaign dropped the SolarMarker backdoor.

At least 2,000 unique search terms have led to malicious sites, which direct users to download a payload via PDF. All of the compromised sites, which included well-known educational and government sites, were WordPress sites and delivered the PDF via the Formidable Forms plugin.

Menlo Labs said that the plugin appears to have since been updated, that they have notified all of the compromised sites about the vulnerability, and that the PDFs have been removed.
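The chain described above (search result, then a PDF download served from a compromised WordPress site) leaves a recognisable trace in web proxy logs. The following is an added detection example written for this article, not code from Menlo Labs; the log format, the search-engine host list and the /wp-content/uploads/ path heuristic are all assumptions, and the log lines are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines (format assumed for this example):
# timestamp client method url status content_type referrer
SAMPLE_LOG = """\
2021-04-01T10:00:01Z 10.0.0.5 GET https://uni.example/wp-content/uploads/formidable/3/agreement.pdf 200 application/pdf https://www.google.com/search?q=free+contract+template
2021-04-01T10:00:07Z 10.0.0.5 GET https://uni.example/about 200 text/html https://www.google.com/
2021-04-01T10:01:13Z 10.0.0.9 GET https://vendor.example/report.pdf 200 application/pdf https://intranet.example/links
2021-04-01T10:02:40Z 10.0.0.9 GET https://agency.example/wp-content/uploads/formidable/7/form.pdf 200 application/pdf https://www.bing.com/search?q=how+to+file+form
"""

# Referrer hosts treated as search engines (assumed list; extend for your environment).
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}


def parse_line(line):
    """Split one log line into a dict; the referrer is the last, space-free field."""
    ts, client, method, url, status, ctype, referrer = line.split(" ", 6)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype, "referrer": referrer}


def search_query(referrer):
    """Return the search term carried in a search-engine referrer, or None if not a search."""
    parsed = urlparse(referrer)
    if parsed.netloc.lower() not in SEARCH_ENGINE_HOSTS:
        return None
    q = parse_qs(parsed.query).get("q")
    return q[0] if q else None


def is_wordpress_upload(url):
    """Heuristic (assumption): WordPress plugin uploads are served under /wp-content/uploads/."""
    return "/wp-content/uploads/" in urlparse(url).path


def flag_candidates(log_text):
    """Flag PDF downloads from WordPress upload paths reached directly from a search result."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        term = search_query(rec["referrer"])
        if (rec["ctype"].startswith("application/pdf") and term is not None
                and is_wordpress_upload(rec["url"])):
            hits.append({"client": rec["client"], "url": rec["url"], "search_term": term})
    return hits


def unique_search_terms(hits):
    """The distinct search terms behind the flagged downloads, for the kind of count Menlo reports."""
    return sorted({h["search_term"] for h in hits})
```

Flagged rows are leads for triage (check the PDF's origin and the referring query), not verdicts; legitimate PDFs on WordPress sites will also match when reached from a search.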

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
