U.S midterm election keywords used as bait in recent SEO poisoning campaign

A new SEO poisoning campaign is using U.S midterm election keywords as a bait to lure victims into multiple scam sites, adult sites and websites pushing unwanted or malicious software. The attackers involved in this campaign seem to have hacked multiple websites to promote keywords. However, it is unknown how the hackers have managed to compromise these websites.

The poisoning campaign was reported by Zscaler today, in which researchers showed different Google search yielding malicious URL’s. Also, as the U.S midterm elections are nearing, the attackers are leveraging keywords related to the U.S politics as bait to entice user’s into visiting these sites.

“After about a month of looking at this “midterm elections” SEO poisoning campaign, we found more than 10,000 compromised websites with more than 15,000 keywords, and we continue to find hundreds of newly compromised sites involved in this activity every day,” said Zscaler researchers.

SEO Poisoning

SEO poisoning or search engine poisoning is a technique used by cybercriminals to make their malicious URL’s appear up prominently in search results. The malicious sites are associated with keywords that a large number of people are likely to be used in searches at a given time, such as holidays, news items or viral videos.

Typically, a hacker creates or compromises a website and associates the site with popular and trending topics using keywords.

“U.S Midterm elections” campaign

Attackers are now using the nearing U.S midterm elections as it generates a lot of search interest. The sites belonging to this campaign can be identified by their URL structure, which is [domain]/[random-folder]/[random].php?[random_variable]=[keyword].

According to Zscaler, these pages will display different content depending on who is visiting the page. However, a general user will be redirected to multiple redirects and finally land at a page that pushes scams, adult website, unwanted browser extension or exploit kits, said Zscaler report.

According to the researchers, the redirection process involves two different modes of operation. In one mode, the user goes through multiple redirects to finally land on the malicious page. Otherwise, users are redirected to a Malware-as-a-service platform, which starts another redirection chain leading to the final landing page.

A fake Java program promoting users to install a mining trojan was also found by researchers. However, this is just one such example, said researchers.