Google Search Poisoning Used to Spread Zeus Panda Trojan

Google search poisoning is being used by cybercriminals to get malicious links ranking highly in the organic search listings.

Websites that rank highly in the organic search listings attract the lion’s share of traffic. Ranking highly for popular keyword terms can therefore deliver thousands of visitors.

Google scans websites and if malware is found on a webpage, the page will be marked as malicious and will be removed from the listings by Google. However, if the websites contain hyperlinks to other websites, readers of those sites may visit those links and be directed to malicious sites. It takes longer for Google to recognize these malicious links and penalize the sites that have them included. This buys the attackers extra time.

There is a problem with this approach. Conducting search optimization on new webpages, especially for high traffic search terms, is not a quick process. Many businesses compete for these high traffic keywords and there is a lot of competition. This approach is labor intensive. However, there is a way to make Google search poisoning pay off and be worth the effort.

Researchers from Cisco have discovered that this technique is being used to spread malware – the Zeus Panda Banking Trojan. The keywords being targeted are related to banking and finance.

Rather than develop new sites or webpages and using search engine optimization techniques to rise up the organic listings, legitimate websites that are already ranking highly are hijacked. In this case, the attackers are targeting sites that rank highly for finance and banking related search terms. In some cases, SEO is improved on the hijacked pages with the addition of specific keywords. Links to malicious websites are then inserted in the pages.

This form of Google search poisoning requires websites to be compromised, but since many sites have weak login credentials that are susceptible to brute force attacks, the approach can be a quick and easy way to steal web traffic. The attack is being targeted in specific geographical regions, such as the Middle East and India.

Cisco reports that one such search term that was receiving a considerable amount of traffic was “al rajhi bank working hours in Ramadan.” The website that ranked highly for this search term was hijacked and malicious links were inserted.

In addition to the use of links in a compromised webpage, the number of redirects to malicious sites can be increased by using JavaScript to redirect web users to an intermediary site. JavaScript on that intermediary site results in a HTTP GET request, that delivers the visitor to another site where malware is downloaded in a document, which if opened and content enabled, will deliver the malicious payload.

Cisco points out that Google search poisoning is not new, but it previously been associated with phishing, not the downloading of malware. The Google search poisoning method of malware delivery shows how cybercriminals are diversifying their attack methods and how web surfers must exercise caution even when visiting seemingly genuine websites.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of