BI.ZONE unearths SEO poisoning attacks on accountants
The cybercriminals rely on so-called SEO poisoning: they fill their websites with specific accounting-related keywords and buy contextual advertisements. This approach pushes their malicious websites to the top of the search results.
The websites mimic legitimate accounting resources and offer downloadable content, such as accounting form templates. When unsuspecting victims attempt to download such forms in .doc or .xls format from the website, they receive an archive from the Discord instant messaging platform. By opening the file, they initiate a hidden process that installs the DarkWatchman trojan. This malware collects information about the compromised system (time zone, language, installed antivirus programs) and deploys the Buhtrap trojan. The latter is used by the Watch Wolf group to withdraw funds from its victims' bank accounts.
To protect your business against SEO poisoning attacks, you can take advantage of a DNS traffic security solution. Each time you access an external network, the solution analyzes your request to prevent you from interacting with malicious content. DNS traffic security solutions can be integrated with threat intelligence platforms and block requests to blacklisted hosts. Another way to handle hazardous communications is to outsource this task to a security operations center.
For more details about this attack, see the full article.