Hackers have a new tool in their toolbox you should be aware of. Called SEO poisoning, or sometimes “search poisoning,” the attack relies on black hat SEO techniques to push malicious web content to the top of search results.
Researchers from Menlo Security have spotted two separate campaigns, one linked to the SolarMarker backdoor and the other leveraging REvil ransomware, to infect unsuspecting netizens.
Here’s how the attacks work:
The hackers gain access to legitimate sites that rank well on Google and inject them with content targeting a variety of specific search terms.
Because the site is respected and ranks highly on its own, surfers who find their way onto it are more likely to accept that anything on the site is legitimate. The hackers leverage this trust by adding poisoned content to the site. In search results, this poisoned content appears to be a PDF file that must be downloaded in order to view it.
When a user clicks on a download link, they seal their fate. Behind the scenes they are redirected multiple times, ultimately winding up at a poisoned site controlled by the hackers, where a malicious payload is dropped onto the visitor’s device.
Both of these campaigns have leveraged respected WordPress sites, taking advantage of an undisclosed flaw in a plugin called ‘Formidable Forms.’ The hackers install their malicious PDFs in the wp-content/uploads/formidable/ folder.
Most attackers who deploy ransomware demand exorbitant fees to regain access to your files. These two campaigns are notable for making much smaller demands, ranging between $1,500 and $7,500.
If you have a WordPress site and you use the Formidable Forms plugin, download the latest version as soon as possible. The plugin’s developers moved quickly to address the issue and a fix is available. As long as you are running version 5.0.10 or later, you should be fine.
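As an added example (not from the article, and not code from the plugin’s developers), here is a small Python audit that applies the two checks the article implies: whether the installed Formidable Forms copy predates 5.0.10, and whether the wp-content/uploads/formidable/ folder holds file types a form upload should never produce. The plugin’s main-file path, the header format and the extension list are assumptions; the sample site it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (5, 0, 10)                                   # first fixed release named in the article
PLUGIN_MAIN = "wp-content/plugins/formidable/formidable.php"  # assumed plugin main file
UPLOAD_DIR = "wp-content/uploads/formidable"                  # folder named in the article
# Extensions that have no business in a form-upload folder; a planted PDF or
# HTML redirector there is the artefact the article describes (assumed list).
SUSPICIOUS_EXT = {".pdf", ".html", ".htm", ".php", ".js"}

def parse_version(text):
    """'5.0.10' -> (5, 0, 10); tuples compare correctly component-wise."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def plugin_version(wp_root):
    """Read the 'Version:' line from the WordPress plugin header, or None if absent."""
    main = Path(wp_root) / PLUGIN_MAIN
    if not main.is_file():
        return None
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", main.read_text(), re.MULTILINE)
    return parse_version(m.group(1)) if m else None

def is_vulnerable(wp_root):
    """True when Formidable Forms is installed and older than the fixed release."""
    v = plugin_version(wp_root)
    return v is not None and v < FIXED_VERSION

def suspicious_uploads(wp_root):
    """Relative paths of files in the Formidable upload folder with a risky extension."""
    base = Path(wp_root) / UPLOAD_DIR
    if not base.is_dir():
        return []
    return sorted(str(p.relative_to(base)) for p in base.rglob("*")
                  if p.is_file() and p.suffix.lower() in SUSPICIOUS_EXT)

def build_demo_site(version, planted):
    """Constructed sample: a throwaway WordPress tree with the given plugin
    version and optional planted files under the upload folder. Returns the root."""
    root = Path(tempfile.mkdtemp())
    main = root / PLUGIN_MAIN
    main.parent.mkdir(parents=True)
    main.write_text(f"<?php\n/*\nPlugin Name: Formidable Forms\nVersion: {version}\n*/\n")
    for name in planted:
        f = root / UPLOAD_DIR / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("constructed sample, not real content")
    return root

if __name__ == "__main__":
    site = build_demo_site("5.0.9", ["2021/10/free-template.pdf", "2021/10/form-upload.csv"])
    print("vulnerable:", is_vulnerable(site))        # True
    print("suspicious:", suspicious_uploads(site))   # ['2021/10/free-template.pdf']
```

Point the two functions at a real site root instead of the demo tree; a hit on either check is a reason to update the plugin and review the upload folder’s contents.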