New Jersey Organizations’ WordPress Sites Are Under Direct Attack From SEO Poisoning


We have seen an increase in attacks designed to target individuals, rather than businesses and organizations, in a way that sidesteps traditional security measures. Two recent incidents we are tracking at Baroan Technologies are campaigns that have been linked to the REvil ransomware gang or the SolarMarker backdoor. These active campaigns use SEO poisoning to target unsuspecting internet users. Unfortunately, these recent attacks have had high success rates in serving malicious payloads to customers. These types of highly elusive attacks have been seen before, but the volume, pace, and intricacy of the attacks have increased in recent months. An SEO poisoning attack, also referred to as a “search poisoning” attack, relies on Black Hat SEO techniques to optimize web content.

SEO (Search Engine Optimization) for Ransomware

SEO poisoning by malware distributors is rising rapidly. Bad actors implant keywords into websites, and these keywords can cover thousands of different search terms. The enhanced websites appear in the search results in the form of a PDF file, and when users visit them, they are prompted to download an infected document. When the user clicks the download option, the user is redirected through a chain of different sites that delivers a malicious payload. The operators use these redirects to keep their deceptive website from being suppressed in search results for presenting malicious content. In the campaigns we mentioned earlier, the bad actors were utilizing REvil ransomware by way of the SolarMarker backdoor or Gootloader.

What is SEO Poisoning?

SEO poisoning consists of bad actors creating malicious websites and using SEO (search engine optimization) techniques to make them show up prominently in search results. When a user visits such a website, the user is prompted to download a file. Any user who clicks the file is redirected through various websites that eventually drop a malicious payload.

In one of the more recent instances, bad actors compromised legitimate WordPress sites that were already known to have a high Google search ranking by exploiting various vulnerabilities that were discovered in the “Formidable Forms” plugin. Formidable Forms is a form builder plugin that makes forms easy, powerful, and extendable. Because the bad actors are injecting ransomware into sites that are respected and highly ranked on their own, online searchers who find their way onto those sites are more likely to believe that anything on the website is legitimate. Unfortunately, the bad actors use this level of trust to their advantage by adding malicious content to the site. This malicious content appears in search results as a PDF file, requiring users to download the file in order to view it.

Out of all the website categories that were targeted by the bad actors, business websites ranked extremely high, followed by Non-Profit organizations and Health and Medicine. These malicious campaigns use the “spray and pray” method, which is becoming more common as the cyber threat landscape continues to grow. The “spray and pray” method infects targets that are not able to pay hefty ransoms, and it can infect at a much higher rate than campaigns that target specific businesses and organizations. Even so, smaller ransom requests could lead to significantly high payouts for cybercriminals.

How Does The SEO Poisoning Tactic Work?

Attackers use SEO poisoning techniques to falsely increase the ranking of their malicious web pages. The attack works in the following way:
  • A user searches for something using Google or another search engine.
  • Websites that have been compromised and host a malicious PDF will be displayed in the search results.
  • The user clicks on the infected SEO link.
  • The user stumbles upon the malicious PDF.
  • If the user clicks on any of the download buttons, the user will be taken through several HTTP redirections. Ultimately, a malicious payload will be downloaded.
  • The injected payloads can be of different sizes.
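A site owner can look for the hosted-PDF step described above by auditing the site's upload directories for PDFs whose link actions point to other hosts. This is an added example, not code from Baroan Technologies or the plugin; the function names, the directory passed in, and the example.org / example.net hosts are assumptions, and the sample files are constructed.

```python
import re
import tempfile
import zlib
from pathlib import Path
from urllib.parse import urlsplit

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # literal-string URIs only

def pdf_link_hosts(data):
    """Return the hostnames of all /URI link actions found in raw PDF bytes."""
    chunks = [data]
    for raw in STREAM_RE.findall(data):
        try:  # link annotations may sit inside Flate-compressed streams
            chunks.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            pass  # image data or another filter; nothing to scan
    hosts = set()
    for chunk in chunks:
        for match in URI_RE.findall(chunk):
            url = re.sub(rb"\\(.)", rb"\1", match).decode("latin-1")
            try:
                host = urlsplit(url).hostname
            except ValueError:
                continue  # malformed URL
            if host:
                hosts.add(host.lower())
    return hosts

def audit_uploads(root, own_hosts):
    """List (path, off-site hosts) for every PDF under root that links elsewhere."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        if data.startswith(b"%PDF-"):  # trust the content, not the extension
            offsite = sorted(pdf_link_hosts(data) - own)
            if offsite:
                findings.append((str(path), offsite))
    return findings

def demo():
    """Constructed sample files: one clean PDF, one linking off-site from a compressed stream."""
    link = b"<< /S /URI /URI (https://cdn.example.net/get?id=1) >>"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "menu.pdf").write_bytes(b"%PDF-1.4\n/URI (https://www.example.org/menu)\n")
        Path(root, "form-17.pdf").write_bytes(b"%PDF-1.5\nstream\n" + zlib.compress(link) + b"\nendstream\n")
        return [(Path(p).name, hosts) for p, hosts in audit_uploads(root, {"www.example.org"})]
```

The scan reads only literal-string /URI actions and Flate streams, so an empty result does not prove a folder is clean; PDFs you did not upload yourself deserve a manual look either way.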

WordPress and Its Current Vulnerabilities

In the recent ransomware attacks, the bad actors did not create malicious websites on their own. The threat actors hacked legitimate WordPress sites that already had a very high Google search ranking. How were threat actors able to hack high-ranking WordPress websites? They exploited a vulnerability in a WordPress plugin and used it to upload infected PDF files into the plugin’s content folder.

Dating back to 2012, the first established forms of ransomware did not use encryption. These earlier forms of ransomware relied on web redirects and impersonated the websites of the FBI and law enforcement agencies. When these types of ransomware attacks were first observed, the bad actors would cast their nets far and wide with the hope of infecting as many victims as possible. Now, after nearly a decade, not only have times changed but so have the techniques and tactics of cybercriminals.

Today’s well-known ransomware gangs are going after high-value businesses and organizations in their attempt to be paid millions of dollars. Some threat actors associated with the REvil gang, however, are not as selective when it comes to choosing their targets. There have been more attacks targeting businesses of different sizes, from established businesses and organizations to small start-ups in New Jersey. These threat operators have been known to request ransom payments below $2,000, with the requested amount dependent upon the individual or group behind the attack.

Defend Your Organization Against SEO Poisoning

If you have a WordPress site and you are currently using the “Formidable Forms” plugin, we advise you to download the latest version as soon as possible. The “Formidable Forms” developers took swift action to address the issue, and a fix is currently available. If you do have a WordPress site, make sure you are running the latest versions of your plugins. Attackers can quickly take advantage of vulnerable sites to launch their malicious campaigns, and they continue to find ways to exploit vulnerabilities and the increased usage of online platforms. These attacks have been successful because they have been designed to target users by bypassing traditional methods of detection.

Specializing in highly responsive IT support, managed IT services, and consulting for organizations throughout New Jersey, Baroan Technologies will implement comprehensive cybersecurity measures that can adapt to today’s fast-evolving cyberattack methods. By following safe browsing practices and implementing the necessary technical and IT controls, you will minimize your organization’s chances of being compromised by an SEO poisoning attack. Let Baroan Technologies help keep your organization safe. Schedule your free IT services quote with one of our IT consultants. Call us today at (201) 796-0404 or feel free to email us at


Written by Guy Baroan 