Taking advantage of people looking for advice online, cybercriminals are now setting up traps in the form of fake forums, research reveals.
The study by cybersecurity firm Sophos explains that criminals would manipulate search engine optimisation (SEO) so that when someone types a question, hacked websites appear among the top results.
The criminals would earlier hack into legitimate websites and subtly alter the content, enabling it to show different content to different visitors.
Sophos threat research director Gabor Szappanos said the content that users see depends on their country location. For instance, if they are from a country that is not a target, they are shown benign fake web content and nothing happens.
However, if the user is from one of the targeted countries, they are shown a page featuring a fake discussion forum on whatever topic was queried, using the same terms they typed into the search engine.
Szappanos warned that the fake discussion forum would have a post from someone claiming to be a site administrator, with a comment prompting visitors to download a link. The link is a malicious file, and if downloaded will start the next stage of infection.
Sophos has named the infection method Gootloader, reflecting how it loads Gootkit financial malware, which in turn paves a way for other malware, including ransomware.
He said Gootloader is currently delivering Kronos financial malware in Germany, plus a post-exploitation tool called Cobalt Strike in the United States and South Korea. Earlier operations also targeted France.
“The developers behind Gootkit appear to have shifted resources from delivering just their own financial malware to steal credentials to creating a stealthy, complex delivery platform for all kinds of payloads,” said Szappanos.
He added that Gootloader’s creators are using a number of social engineering tricks that can fool even technically skilled IT users.
He said there are a few warning signs for users to look out for, such as search results that point to websites that have no logical connection to the advice they appear to offer, which display advice or download links that precisely match the search terms used in the initial question.
Szappanos suggested Windows users to turn off the “Hide Extensions for Known File Types” view setting in the Windows file explorer, which would enable users to see that the .zip download delivered by the attackers contains a file with a .js extension
Alternately, users can install script blockers like NoScript for Firefox, which would prevent the hacked web page from appearing in the first place.