Cybersecurity researchers have discovered new malware that tries to get Google to treat compromised websites as trusted sources and to present them to innocent users as "perfect matches" for their search queries on the platform.
According to a report from Naked Security, the global cybersecurity company's threat intelligence unit, hackers use the software, dubbed "Gootloader," to lure "well-intended users" into infecting their computers.
The Gootkit malware family has been around for about half a decade. It is a mature Trojan with banking credential theft capabilities. In recent years, however, just as much effort has gone into developing its distribution system as into the malware itself.
Here is how the modus operandi works. Hackers maintain hundreds of artificially created web servers and inject content containing phrases that search engines are likely to associate with expertise in a particular field, such as real estate, employment law, import/export rules or corporate partnerships.
"They get lucky from time to time and, with a particular search term entered by an innocent user, one of their pirated pages becomes a Google hit," says the article.
There is a fair chance that the user will click the Google link that appears, because the search hit is not a paid ad or a sponsored link but looks like a normal search result.
When the user clicks through to the compromised server, the crooks recognize that the visitor arrived from a Google search by checking the Referer header of the web request. The server then deliberately returns a fake web page that looks like a message board on which someone else has recently asked the same question.
"A further answer, obviously from the original questioner, makes the page look even more compelling and thanks the administrator for his fast and helpful response."
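A defender can test a suspicious URL for the Referer-dependent behaviour described above by fetching it twice, once with a Google Referer and once without, and comparing the visible text. The following is an added example, not code from the Sophos article; the `fetch` hook, the `replay_fetch` stand-in, the threshold and the sample pages are assumptions constructed for illustration.

```python
import difflib
import re

GOOGLE_REFERER = "https://www.google.com/"  # Referer sent on the second fetch

def visible_text(html):
    """Drop script/style bodies and tags, collapse whitespace, lowercase."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    return " ".join(re.sub(r"(?s)<[^>]+>", " ", html).split()).lower()

def referer_cloaking_score(fetch, url):
    """Return 0.0 (same page) .. 1.0 (unrelated pages) for the two fetches.
    fetch(url, headers) -> HTML is a caller-supplied hook (hypothetical name)."""
    plain = visible_text(fetch(url, {})).split()
    via_search = visible_text(fetch(url, {"Referer": GOOGLE_REFERER})).split()
    return 1.0 - difflib.SequenceMatcher(None, plain, via_search).ratio()

def is_cloaked(fetch, url, threshold=0.5):
    """Flag URLs whose visible text changes sharply with a search Referer."""
    return referer_cloaking_score(fetch, url) >= threshold

# Constructed captures (not real sites): key is (url, referer_was_sent).
CAPTURES = {
    ("https://shop.example/terms", False):
        "<html><body><h1>Garden tools</h1>"
        "<p>Opening hours and delivery terms for our shop.</p></body></html>",
    ("https://shop.example/terms", True):
        "<html><body><h1>Forum</h1>"
        "<p>Question: where can I find an employment agreement template?</p>"
        "<p>Admin: here is the answer you asked for.</p>"
        "<p>Thanks, that was fast and helpful!</p></body></html>",
    ("https://blog.example/post", False):
        "<html><body><h1>Post</h1><p>Same text for every visitor.</p>"
        "<script>var t=1;</script></body></html>",
    ("https://blog.example/post", True):
        "<html><body><h1>Post</h1><p>Same text for every visitor.</p>"
        "<script>var t=2;</script></body></html>",
}

def replay_fetch(url, headers):
    """Offline stand-in for an HTTP client: replays the constructed captures."""
    return CAPTURES[(url, "Referer" in headers)]

if __name__ == "__main__":
    for u in sorted({k[0] for k in CAPTURES}):
        print(u, round(referer_cloaking_score(replay_fetch, u), 2),
              is_cloaked(replay_fetch, u))
```

A high score is a prompt for manual review rather than proof of compromise, since legitimate sites can also vary content between requests.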
Google had yet to react to the Sophos article. SophosLabs encountered fake Gootloader message board pages in several languages, including English, German, French and Korean, in various campaigns targeting various regions.
"The trick to check for poisoning works because the website you are visiting seems well suited for your search, which is too much of a coincidence to be expected," the researchers said.