BI.ZONE unearths SEO poisoning attacks on accountants

The Watch Wolf hacker group steals money from Russian companies by planting malware on their accountants’ computers. Its approach is far from what one might expect: instead of the tried-and-true phishing emails, the group is betting on search engine optimization (SEO) to promote fraudulent websites.
April 11, 2023

The cybercriminals use so-called SEO poisoning: they seed their websites with accounting-related keywords and buy contextual advertising. This pushes their malicious websites to the top of the search results.

The websites mimic legitimate accounting resources and offer downloadable content, such as accounting form templates. When unsuspecting victims try to download such a form in .doc or .xls format from the website, they instead receive an archive hosted on the Discord instant messaging platform. Opening the file starts a hidden process that installs the DarkWatchman trojan. This malware collects information about the compromised system (time zone, language, installed antivirus programs) and deploys the Buhtrap trojan, which the Watch Wolf group uses to withdraw funds from its victims’ bank accounts.

The Watch Wolf has been under our watch since November 2021. The hackers used to administer their attacks through phishing emails, but now they’ve switched to a new approach—the kind we haven’t seen before. This only goes to show that companies must stay abreast of the latest cybercrime ploys in order to protect their assets. It is worth mentioning that the Watch Wolf group is also spreading the Buhtrap trojan, which is often the contributor to major financial losses. In the last nine years, the malware has been used by cybercriminals to steal nearly 7 billion rubles from organizations across Russia and the CIS.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

To protect your business against SEO poisoning attacks, you can take advantage of a DNS traffic security solution. Each time a device on your network sends a DNS request for an external resource, the solution inspects the request and blocks resolution of hosts known to serve malicious content. DNS traffic security solutions can be integrated with threat intelligence platforms and block requests to blacklisted hosts. Another way to handle hazardous communications is to outsource this task to a security operations center.
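The following is an added illustration of the DNS-filtering control described above; it is example code written for this page, not BI.ZONE's product or any code from the Watch Wolf investigation. It loads a blocklist in the shape a threat-intelligence feed might deliver (one host per line, `#` comments), then runs each line of a constructed DNS query log through it. All hosts, IP addresses and timestamps are constructed placeholders in reserved `.invalid` and `.example` domains; no real indicator from the campaign is used.

```python
"""Added example: a minimal DNS-query filter backed by a threat-intel blocklist.

Not BI.ZONE's code. The log format, blocklist contents and hostnames are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


def normalize(name: str) -> str:
    """Canonicalise a DNS name: strip whitespace and the trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def load_blocklist(feed_text: str) -> Set[str]:
    """Parse a feed of blocked hosts: one host per line, blank lines and '#' comments ignored."""
    entries = set()
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.add(normalize(line))
    return entries


# Constructed feed of hypothetical hosts (a real deployment would pull this
# from a threat-intelligence platform).
SAMPLE_FEED = """
# hypothetical SEO-poisoning landing page
example-bad-accounting-forms.invalid
cdn.example-malicious.invalid   # hypothetical payload host
"""
BLOCKLIST = load_blocklist(SAMPLE_FEED)


@dataclass
class QueryRecord:
    timestamp: str
    client: str
    qname: str
    qtype: str


@dataclass
class Decision:
    record: QueryRecord
    action: str             # "BLOCK" or "ALLOW"
    matched: Optional[str]  # blocklist entry that caused the block, if any


def parse_line(line: str) -> Optional[QueryRecord]:
    """Parse one constructed log line: '<timestamp> <client-ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed line: skip rather than crash the filter
    return QueryRecord(parts[0], parts[1], normalize(parts[2]), parts[3].upper())


def blocked_by(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname, matching on label boundaries.

    'dl.cdn.example-malicious.invalid' is covered by 'cdn.example-malicious.invalid',
    but 'notcdn.example-malicious.invalid' is not (a plain endswith() check would
    wrongly block it).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filter_queries(lines: Iterable[str], blocklist: Set[str] = BLOCKLIST) -> List[Decision]:
    """Run every parsable log line through the blocklist and record the decision."""
    decisions = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = blocked_by(rec.qname, blocklist)
        decisions.append(Decision(rec, "BLOCK" if hit else "ALLOW", hit))
    return decisions


# Constructed query log: one benign lookup, two that hit the blocklist
# (one with mixed case and a trailing dot), one near-miss, one malformed line.
SAMPLE_LOG = """\
2023-04-11T09:12:01Z 10.0.0.15 www.gov-forms.example A
2023-04-11T09:12:04Z 10.0.0.15 Example-Bad-Accounting-Forms.invalid. A
2023-04-11T09:12:05Z 10.0.0.15 dl.cdn.example-malicious.invalid A
2023-04-11T09:12:07Z 10.0.0.22 notcdn.example-malicious.invalid AAAA
2023-04-11T09:12:09Z 10.0.0.22 garbage
"""


def blocked_hosts(lines: Optional[Iterable[str]] = None) -> List[str]:
    """Convenience: the query names that would have been blocked."""
    if lines is None:
        lines = SAMPLE_LOG.splitlines()
    return [d.record.qname for d in filter_queries(lines) if d.action == "BLOCK"]


if __name__ == "__main__":
    for d in filter_queries(SAMPLE_LOG.splitlines()):
        print(f"{d.record.timestamp} {d.record.client} {d.record.qname:45} {d.action}"
              + (f" (matched {d.matched})" if d.matched else ""))
```

The match is done label by label rather than with a string suffix test so that a blocklist entry covers its own subdomains without catching unrelated hosts that merely end in the same characters; names are normalised first so case and trailing-dot variants cannot slip past the list.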

For more details about this attack, see the full article.