Trend Micro and Japanese Partners Reveal Hidden Connections Among SEO Malware Operations

Summary

  • In a study conducted jointly with academic partners from Kagawa University and law enforcement bodies including Kanagawa Prefectural Police Headquarters, Chiba Prefectural Police Headquarters, and Japan Cybercrime Control Center, Trend Micro examined the connections among several SEO malware families.
  • The investigation detailed how threat actors use SEO poisoning to redirect unsuspecting search-engine users to counterfeit online shopping sites.
  • The analysis identified three distinct clusters of threat actors that each use a single malware family, and one group that uses multiple malware families.
  • Further analysis showed that one malware family's Command-and-Control (C&C) servers shared a small number of large fake e-commerce site lists, whereas the C&C servers of the other families each kept separate lists.
  • These findings were presented at the 2024 7th IEEE Conference on Dependable and Secure Computing, where the study received the Best Paper Award.

Recent research by Trend Micro examined the relationships among multiple malicious search engine optimization (SEO) malware families. By analyzing data extracted from the Command-and-Control (C&C) servers of several types of SEO malware, together with the counterfeit e-commerce sites they point to, the researchers identified distinct clusters of SEO malware families, the infrastructure they share to make SEO poisoning attacks more efficient, and their role in e-commerce scams.

The work was a collaboration with several Japanese entities: Kagawa University, Kanagawa Prefectural Police Headquarters, Chiba Prefectural Police Headquarters, and Japan Cybercrime Control Center (JC3). The resulting paper, “An analysis of the relationship between Black-hat SEO malware families leveraging information from redirected fake E-commerce scam sites”, was presented at the 7th IEEE Conference on Dependable and Secure Computing (DSC2024), where it received the Best Paper Award.

This article summarizes the paper's abstract, analysis results, and main contributions; all of these are covered in more detail in the full research paper.

Exploitation of SEO Poisoning by Counterfeit E-commerce Scams in Japan

In recent years, counterfeit e-commerce sites built to defraud shoppers or steal their personal data have proliferated, causing substantial financial losses. In Japan in particular, the number of reported counterfeit e-commerce sites continues to rise: a JC3 report states that 47,278 such sites were reported to JC3 in 2023, up from 28,818 sites in the previous year.

The operators of counterfeit e-commerce sites plant malware on compromised websites for black-hat SEO. This malware performs SEO poisoning, which causes search engines to list the attackers' fake pages as if they belonged to the compromised sites. Those fake pages then redirect users arriving from search engines to the scam e-commerce sites, where they may be defrauded. This study focuses on the threat actors who use this technique; malware that runs on compromised websites for this purpose is referred to as “SEO malware”.

SEO malware is implanted on a compromised website to intercept incoming server requests and serve malicious content. This lets the threat actor deliver a customized sitemap to search engines so that fabricated lure pages are indexed. As a result, search results are polluted: the URLs of compromised websites appear in searches for products those sites do not sell, and search-engine users are steered toward them. When such a user arrives, the SEO malware intercepts the request handler and redirects the user's browser to a fake e-commerce site. The specific practice of using Japanese keywords to redirect search results to counterfeit Japanese e-commerce sites is known as the Japanese keyword hack.

Examination and Outcomes

To characterize the threat actors behind this malicious SEO technique, the study collected data from 1,242 Command-and-Control (C&C) servers belonging to six distinct SEO malware families, which yielded 227,828 counterfeit e-commerce sites for analysis (Table 1). Once the data had been collected, our Web Reputation (WRS) technology was promptly updated to block access to these sites, protecting users from exposure.

| Unique ID of malware family | Determining features |
|---|---|
| A | The C&C host name takes the format “<four digits>-ch4-v<two or three digits>”. The numbers increase over time, and specific obfuscation techniques are occasionally applied. |
| B | Communicates with its C&C servers using the HTTP POST method. The C&C server URL contains a string of the form “z<five digits> <one or two digits>”. |
| C | Contains a function named doutdo or smoutdo. The C&C server URL is hardcoded as a rot13-encoded, hex-escaped string. |
| D | Returns part of the C&C server host name and “ok” when /jp2023 is requested. The C&C host name consists of a three- or four-character prefix followed by three digits. |
| E | Returns part of the C&C server host name and “beautiful” when /jp2023 is requested. Some variants lack the hardcoded code that handles /jp2023. The C&C host name consists of a three- or four-character prefix followed by three digits. |
| F | Retrieves content from its C&C server when /jp2023 is requested. The C&C host name contains “cw” followed by three digits. |

Table 1. Distinct SEO malware families identified via VirusTotal
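The host-name and URL shapes in Table 1 are the kind of indicator a website operator or SOC analyst can turn into a triage rule for outbound-connection logs from a web server. The following Python is an added example written for this article; it is not code from the paper or from Trend Micro. The regular expressions are our own reading of the Table 1 descriptions, the log format, host names and shop names are constructed, and the separator in the family B string “z<five digits> <one or two digits>” is not given on the page, so a single optional non-digit is assumed. Families D and E share a host-name shape and can only be told apart by their /jp2023 reply, so host-name matching reports them together; family C is recognised by a hardcoded string in the implant itself, so a decoder for that string is included instead (assuming the hex escaping was applied to the rot13 output).

```python
import re
import codecs
from typing import Optional

# Host-name label patterns derived from Table 1 (our reading; anchored to the
# first DNS label so the heuristic stays deterministic).
HOST_PATTERNS = {
    "A": re.compile(r"^\d{4}-ch4-v\d{2,3}$"),      # <four digits>-ch4-v<2-3 digits>
    "F": re.compile(r"^cw\d{3}$"),                  # "cw" + three digits
    "D/E": re.compile(r"^[a-z]{3,4}\d{3}$"),        # 3-4 char prefix + three digits;
}                                                   # needs the /jp2023 reply to split

# Family B: "z<five digits>" then one or two digits. The separator is not stated
# on the page, so one optional non-digit character is allowed (assumption).
PATH_B = re.compile(r"z\d{5}\D?\d{1,2}")


def classify_host(host: str) -> Optional[str]:
    """Return the Table 1 family whose host-name pattern the first label matches."""
    label = host.lower().split(".")[0]
    for family, pattern in HOST_PATTERNS.items():
        if pattern.match(label):
            return family
    return None


def classify_url(url: str) -> Optional[str]:
    """Classify a full C&C URL: host-name families first, then the family B path string."""
    m = re.match(r"^[a-z]+://([^/]+)(/.*)?$", url.lower())
    if not m:
        return None
    host, path = m.group(1), m.group(2) or "/"
    family = classify_host(host)
    if family:
        return family
    if PATH_B.search(path):
        return "B"
    return None


def decode_rot13_hex(s: str) -> str:
    """Decode a family C style hardcoded C&C URL: undo \\xNN escapes, then rot13."""
    unescaped = re.sub(r"\\x([0-9a-fA-F]{2})",
                       lambda m: chr(int(m.group(1), 16)), s)
    return codecs.decode(unescaped, "rot_13")


# Constructed outbound-connection log (not real data): "<timestamp> <method> <url>".
SAMPLE_LOG = """\
2024-06-01T10:00:01Z GET http://1234-ch4-v12.example.test/fetch
2024-06-01T10:00:02Z POST http://cc.example.test/z12345-7/post
2024-06-01T10:00:03Z GET http://abcd123.example.test/jp2023
2024-06-01T10:00:04Z GET http://cw456.example.test/jp2023
2024-06-01T10:00:05Z GET http://www.example.test/index.html
"""

# Constructed family C style string: rot13 of "http://example.test/x", hex-escaped.
SAMPLE_ENCODED = "".join(f"\\x{ord(c):02x}" for c in "uggc://rknzcyr.grfg/k")


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (url, family) for every log line whose URL matches a Table 1 pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        family = classify_url(parts[2])
        if family:
            hits.append((parts[2], family))
    return hits


if __name__ == "__main__":
    for url, family in scan_log(SAMPLE_LOG):
        print(f"{family:4} {url}")
    print("decoded:", decode_rot13_hex(SAMPLE_ENCODED))
```

A host-name match is a reason to pull the web server's files for inspection, not proof of infection on its own: the D/E shape in particular is generic enough to collide with legitimate names, which is why the table's /jp2023 behaviour is the distinguishing check.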

We then used Maltego, a widely used link analysis tool, to examine the connections among these entities. Using four kinds of links to build a Maltego graph, as shown in Figure 1, the results of the experiment (Figure 2) point to a scenario in which three clusters of threat actors each use a single malware family unique to that cluster, while one group uses multiple malware families.
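The clustering behind Figures 1 and 2 can be reproduced without Maltego by treating malware families, C&C servers and fake shop domains as nodes and computing connected components. The Python below is an added example for this article, not code or data from the paper: the records are constructed, and the link types (family to C&C server, C&C server to fake shop) are our simplification of the four Maltego links the text mentions. It also computes the two measures the findings above rest on: how many distinct fake-shop lists a family's C&C servers carry (reuse of one list across servers), and the overlap of fake-shop sets between families (which is what joins two families into one cluster).

```python
from collections import defaultdict
from itertools import combinations

# Constructed records, not data from the paper: (family, c2_host, fake_shop).
RECORDS = [
    ("A", "1234-ch4-v12.example.test", "shop-one.example"),
    ("A", "1235-ch4-v12.example.test", "shop-one.example"),
    ("A", "1235-ch4-v12.example.test", "shop-two.example"),
    ("B", "cc1.example.test", "shop-three.example"),
    ("B", "cc2.example.test", "shop-four.example"),
    ("D", "abcd123.example.test", "shop-two.example"),   # shares a shop with A
    ("D", "abcd123.example.test", "shop-five.example"),
    ("E", "wxyz456.example.test", "shop-six.example"),
    ("F", "cw001.example.test", "shop-seven.example"),   # both F servers carry
    ("F", "cw002.example.test", "shop-seven.example"),   # the same shop list
]


class UnionFind:
    """Minimal disjoint-set structure over hashable node keys."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_clusters(records):
    """Group families that are connected through shared C&C servers or fake shops."""
    uf = UnionFind()
    for family, c2, shop in records:
        uf.union(("family", family), ("c2", c2))
        uf.union(("c2", c2), ("shop", shop))
    groups = defaultdict(set)
    for family, _, _ in records:
        groups[uf.find(("family", family))].add(family)
    return sorted(sorted(g) for g in groups.values())


def list_reuse(records):
    """Per family: (number of C&C servers, number of distinct fake-shop lists they carry)."""
    per_c2 = defaultdict(set)
    family_of = {}
    for family, c2, shop in records:
        per_c2[c2].add(shop)
        family_of[c2] = family
    servers, lists = defaultdict(int), defaultdict(set)
    for c2, shops in per_c2.items():
        servers[family_of[c2]] += 1
        lists[family_of[c2]].add(frozenset(shops))
    return {f: (servers[f], len(lists[f])) for f in servers}


def jaccard_overlap(records):
    """Jaccard similarity of fake-shop sets for every pair of families."""
    shops = defaultdict(set)
    for family, _, shop in records:
        shops[family].add(shop)
    result = {}
    for a, b in combinations(sorted(shops), 2):
        union = shops[a] | shops[b]
        result[(a, b)] = len(shops[a] & shops[b]) / len(union) if union else 0.0
    return result


if __name__ == "__main__":
    print("clusters:", build_clusters(RECORDS))
    print("list reuse (servers, distinct lists):", list_reuse(RECORDS))
    for pair, score in jaccard_overlap(RECORDS).items():
        if score:
            print("overlap", pair, round(score, 3))
```

On the constructed records this yields four clusters ({A, D}, {B}, {E}, {F}): A and D are joined because one fake shop appears behind both, and F's two servers carry a single shared list, mirroring the pattern the study reports for one family. On real data the same components would be drawn from the C&C server dumps the paper describes.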
