Hackers 'poison' Google search results to spread stealth banking malware

Hackers are taking advantage of Google's algorithms to infect people with banking malware, gaming the system by using search engine optimisation (SEO) tactics, research suggests.

Talos, a cybersecurity division of technology firm Cisco, found that hackers were using compromised websites and specific sets of back-end keywords in order to rank highly for some search results. The attack was unique as, unlike other operations, it did not involve the use of email.

The malicious payload used in the campaign was a new version of "Zeus Panda", a financial Trojan designed to steal bank information and login details.

In several cases, Cisco found the hackers, who remain unknown, were able to get their "poisoned" results displayed on the first page of searches.

Hijacked terms included "free online books for bank clerk exam", "axis bank mobile banking download link" and "how to cancel a cheque commonwealth bank".

In a blog post, researchers said that some geographic regions were found to be highly targeted, including a number of banks located in India and the Middle East.

If a victim clicks the booby-trapped link they are redirected to a compromised website that serves up a malicious Microsoft Word document. If opened, the Trojan can be set free.

"It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything," the Cisco Talos team wrote.

"Links returned by a Google search, however, are not guaranteed to be safe.

"In this situation, the threat actors decided to take advantage of this behaviour by using search engine optimisation to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus Panda banking Trojan.

"By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion."

The researchers said that the SEO discovery was yet more evidence that hackers and cybercriminals will always try to stay one step ahead of the game, and will continue to uncover new techniques to spread spam, malware and viruses to unsuspecting internet users.

They stressed that users must "remain vigilant and think twice before clicking a link, opening an attachment or even blinding trusting the results of a Google search."

You can read the full Cisco Talos research here.