Approximately 144,000 malicious packages were uploaded to the NuGet, PyPI, and NPM package repositories in a recent incident. These packages contain links to scam websites. Their aim was to manipulate search engine results and boost the ranking of the threat actors’ scam pages by planting links to them on trusted websites.
In this post we explore the threat, analyze the intent behind it, and give guidance on how to protect your organization from similar attacks.
What is search engine poisoning?
Search engine poisoning, also known as “malicious search results,” is a technique used to inject spammy or malicious content into the results returned by a search engine. One way to do this is to create backlinks from legitimate websites to malicious websites.
Links from one website to another are called backlinks. A large number of backlinks from other websites can help improve a website’s ranking in search engines, because search engines treat backlinks as a signal of a website’s popularity and relevance.
By creating such links, a malicious actor can trick search engines into thinking that a malicious website is more popular than it really is. This can cause the malicious website to rank higher in the search results and trick users into visiting it.
Attackers use many different tactics. Here are some examples.
Keyword stuffing is an attempt to improve a website’s ranking in search results by filling a page with irrelevant or repetitive words in order to rank higher for those terms.
Hidden text or links are content hidden from the user but visible to search engines. This technique can be used to try to manipulate search engine rankings.
Showing different content to search engines and to users is called cloaking. Cloaking can be used to trick search engines into ranking a site higher or to direct users to malicious sites.
Spam emails contain links to malicious sites and encourage users to download malicious software.
Social media posts can be used to spread links to malicious sites or to trick users into clicking on links.
Malvertising is the use of online ads to spread malicious links or to direct users to malicious sites. Malvertising can be used to try to steal information from users.
There have been many real-life search poisoning attacks. Users who searched for terms related to the Japanese earthquake and tsunami were diverted to malicious websites. Users who searched for terms related to the Boston Marathon bombings were diverted to malicious websites. Users who searched for terms related to the Ebola virus were directed to malicious websites.
What is the end goal of the poisoning campaign?
The threat actor used NuGet packages whose description file contained links and brand-related keywords targeting specific brands. Threat actors posted over 136k malicious packages. The intent of the campaign was to rank their websites higher in search results when someone searches for gift cards or hacks for games.
For example, if a user searches for hacks or cheat methods for their favorite video game, or for followers on social media, the threat actor-controlled websites would appear at the top of the search results because of search poisoning.
Example pages targeting various brands.
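The abuse described above lives in package metadata rather than in code: a .nuspec description carrying lure keywords plus links to attacker pages. The following added example (not code from the original post or from Bolster) parses a constructed .nuspec and flags that combination; the package ids, URLs and lure-term list are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample metadata (not a real package): lure terms and external links
# crammed into the <description>, the pattern the campaign relied on.
SUSPICIOUS_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Free.Giftcard.Generator</id>
    <version>1.0.0</version>
    <authors>unknown</authors>
    <description>Free gift card generator, free followers, game hack:
      https://example-scam-1.invalid https://example-scam-2.invalid
      https://example-scam-3.invalid</description>
  </metadata>
</package>"""

# Constructed benign metadata: one documentation link, no lure terms.
BENIGN_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.JsonSerializer</id>
    <version>2.3.1</version>
    <authors>example-maintainers</authors>
    <description>Lightweight JSON serializer. Docs: https://example-project.invalid/docs</description>
  </metadata>
</package>"""

# Illustrative lure vocabulary (assumption); tune it to the brands you monitor.
LURE_TERMS = ("gift card", "free followers", "hack", "cheat", "generator")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _text(root, name):
    """Return the text of the first element whose local tag name matches."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return ""


def score_nuspec(nuspec_xml):
    """Flag a .nuspec whose description mixes external links with lure terms."""
    root = ET.fromstring(nuspec_xml)
    desc = _text(root, "description").lower()
    urls = URL_RE.findall(desc)
    hits = [t for t in LURE_TERMS if t in desc]
    return {"id": _text(root, "id"), "urls": urls, "lure_terms": hits,
            "suspicious": bool(urls and hits)}
```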
Here is an example of what the process might look like.
Users are asked to enter their username to claim a gift card or game points.
A fake processing message or other technical mumbo jumbo appears, to suggest that something is happening.
After a short wait, the user is asked to complete a survey. In one case it was necessary to install a browser and complete a survey to receive a Walmart gift card. The threat actors are driving traffic to survey websites and earning a commission on each completed task.
Hoping to gain some in-game currency or social media followers, the user completes these tasks without realizing that the whole operation is fake. According to others, these websites also redirect to affiliate links.
A fake follower booster site asking users to complete a survey to get followers.
This type of campaign targets a younger, less tech-savvy audience who may take the promise of free followers, in-game currency, or gift cards at face value. Young people looking for ways to cheat may be more likely to click on these links.
Protecting against search engine poisoning attacks
For brands
Proactively monitor search engines so that you become aware of campaigns related to your brand early on.
Monitor new domain registrations that use your brand’s name.
Request removal of websites that abuse your brand logo and name.
For individual users
Nobody is giving out free followers, gift cards or in-game currencies.
Do not give out your confidential information. This will lead to your accounts being hijacked and possibly sold on dark web markets.
Checkphish.ai is a free community tool that can detect fraudulent websites in a safe sandbox environment.
This campaign has been around for a long time and will continue in the future. NuGet package abuse was one of the ways the threat actors poisoned search engine results. Proactive monitoring of your brand mentions, domain registrations, and the dark web is necessary to protect your brand and customers.
Get a demo of Bolster if you’re trying to protect your brand from such campaigns.
This Security Bloggers Network post was authored by the Bolster Blog. The original post can be found at: https://bolster.ai/blog/search-engine-poisoning.