Security researchers have uncovered a new malicious campaign in which cybercriminals abuse Google's featured snippets, a search-results feature, to redirect users to compromised websites and deliver ransomware.
Malwarebytes researcher Jerome Segura detected the campaign, which was found to be redirecting users who clicked on Google's featured snippet link for a hacked Hungarian sports website to a site called cheapmicrosoftkey.com. That site offered licence keys for various Microsoft products at "discounted" rates.
What are Google's featured snippets?
A featured snippet appears on Google's search page when a user enters a query. It is generally displayed at the top of the search results and contains a short summary, extracted from a website, of the answer to the question asked. The featured snippet also displays the site's URL and page title and provides a link to the page.
"Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing," Segura pointed out.
Ironically, the hackers appeared to have successfully hoodwinked even Google into displaying the compromised Hungarian sports site as the most relevant answer to a Microsoft Office-related query. This indicates that the hackers running the campaign aimed to attract as much traffic as possible to their websites.
"Buying from such dubious online shops is never a good idea as you might actually purchase stolen merchandise, or worse, get completely scammed," cautioned Segura. "This example is particularly tricky as people would be inclined to trust their search engine for showing them the answer to their question."
Segura also noted that users who visited the Hungarian site directly (bypassing the link provided in the featured snippet) were automatically redirected to the Neutrino exploit kit, which served the CrypMIC ransomware.
"This is a good example of the multiple ways criminals can monetize a hacked site. It is quite likely in this case that the site was hacked several different times in unrelated automated attacks, perhaps even via the same vulnerability," Segura said.