Researchers at Menlo Labs reported seeing high success rates with SEO poisoning, where attackers are able to bypass usual security measures by delivering malware to online users by artificially inflating their malicious pages via search optimization.
While attacks using SEO poisoning is not new, the researchers noted on the Menlo Labs blog that their volume and complexity have increased in recent months as the use of business and personal devices becomes even more blurred as many employees work online from home during the pandemic.
“In these attacks, threat actors turn advances in web browsers and browser capabilities to their advantage to deliver ransomware, steal credentials, and drop malware directly to their targets,” the researchers wrote.
Menlo Security has witnessed at least two active campaigns on its customers: the Gootloader campaign has dropped REvil ransomware, while the SolarMarker campaign added the SolarMarker backdoor.
At least 2,000 unique search terms have led to malicious sites, which directs users to download a payload via PDF. All of the compromised sites, which included well-known educational and government sites, were WordPress sites and delivered the PDF via the Formidable Forms plugin.
Menlo Labs said that it appeared that the plugin has since been updated, and they have notified all of the compromised sites about the vulnerability and the PDFs have been removed.