Cybercriminals Manipulate Google Search Results to Distribute Malware via Fake VPN Solutions https://lnkd.in/dKwq3yBE
Threat actors are impersonating GlobalProtect VPN software to deliver malicious payloads to users who trust the top results on Google Search, according to a warning from Palo Alto Networks. This marks a departure from typical phishing attacks.

In June 2024, researchers at Palo Alto Networks' security division uncovered this new malicious campaign. Exploiting the GlobalProtect VPN brand, the attackers placed ads on Google Search that appeared above other results, directing users to a harmful website. The landing pages imitated authentic Palo Alto websites for GlobalProtect and tricked users into downloading a disguised malware loader, WikiLoader.

WikiLoader can download additional payloads, steal information, and provide attackers with remote access. This loader-for-rent has been active since at least late 2022, and it’s been updated with “some unique tricks.”

Researchers believe that initial access brokers – threat actors specializing in gaining access to computer systems – are shifting from phishing to delivery through SEO (search engine optimization) poisoning. SEO poisoning means that attacker-controlled sites appear on the front page of search results instead of legitimate products. Hackers attempt this by purchasing advertisements or improving page rank.

Researchers warn that SEO poisoning broadens the scope of potential victims, and they have already observed some organizations in the US higher education and transportation sectors affected by WikiLoader.