Summary
- Trend Micro, in a joint study with Kagawa University, Kanagawa Prefectural Police Headquarters, Chiba Prefectural Police Headquarters, and Japan Cybercrime Control Center, investigated the relationships among multiple SEO malware families.
- Their research identified how threat actors use SEO poisoning tactics to redirect users to fake e-commerce sites.
- They identified three groups of threat actors each using a unique malware family, while one group used multiple malware families.
- Further analysis also showed that one malware family’s C&C servers shared a limited number of large fake e-commerce site sets, unlike other malware families that managed independent lists.
- These findings were presented in depth at the 2024 7th IEEE Conference on Dependable and Secure Computing, where the paper received the Best Paper Award.
Trend Micro researchers recently conducted a research project that analyzed the relationship among multiple blackhat search engine optimization (SEO) malware families. By analyzing data from command-and-control (C&C) servers of different types of SEO malware and fake shopping sites, they were able to identify distinct groups of SEO malware families, how these share infrastructure to maximize the effectiveness of SEO poisoning attacks, and their role in orchestrating e-commerce scams.
This project was carried out in partnership with several Japanese organizations, namely Kagawa University, Kanagawa Prefectural Police Headquarters, Chiba Prefectural Police Headquarters, and Japan Cybercrime Control Center (JC3). Their research paper, titled “An analysis of the relationship between Black-hat SEO malware families leveraging information from redirected fake E-commerce scam sites”, was presented at the 7th IEEE Conference on Dependable and Secure Computing (DSC2024), where the researchers received the Best Paper Award for their contribution.
This article provides an abstract of the paper, the results of the analysis, and key contributions, all of which the paper explains in further detail.
Fake e-commerce scams in Japan leveraging SEO poisoning
Recently, the number of fake e-commerce sites that aim to defraud people or steal their personal information has been increasing, resulting in significant financial damage to society. Additionally, in Japan, the number of reported fake e-commerce sites is on the rise: According to a JC3 report, 47,278 fake e-commerce sites were reported to JC3 in 2023, an increase from the 28,818 sites reported the previous year.
Some threat actors behind fake e-commerce sites install malware in compromised websites for blackhat SEO purposes: The malware conducts SEO poisoning, making search engines display the threat actors’ lure pages as if these were placed on the compromised websites. The lure pages then redirect visitors from search engines to fake e-commerce sites to potentially victimize them. In this study, we focus on the threat actors that use this tactic; we refer to the malware running on compromised websites for this purpose as “SEO malware”.
These SEO malware are installed into compromised websites to intercept web server requests and return malicious contents. By doing so, threat actors can send a crafted sitemap to search engines and index generated lure pages. This contaminates the search results, making the URLs of compromised websites appear in searches for product names they do not actually handle. Consequently, search engine users are directed to visit these sites. The SEO malware then intercepts the request handler and redirects the user’s browser to fake e-commerce sites. Specifically, the technique of using Japanese keywords to redirect search results to fake Japanese e-commerce sites is known as the Japanese keyword hack.
Analysis and results
In this study, we focus on this blackhat SEO technique and aim to shed light on the characteristics of the threat actors behind it. To do so, we collected data from 227,828 fake e-commerce sites obtained from 1,242 command-and-control (C&C) servers of six SEO malware families (Table 1). Upon collection, we immediately improved our Web Reputation (WRS) technology so that it blocks these sites and prevents users from accessing them.
| Malware family ID | Identifying characteristics |
| --- | --- |
| A | C&C host name is formatted as “<four digits>-ch4-v<two or three digits>”. The numbers increase over time. Sometimes a specific obfuscation algorithm is applied. |
| B | Communicates with C&C servers by the HTTP POST method. The C&C server URL contains a string like “z<five digits> <one or two digits>”. |
| C | A function named doutdo or smoutdo is used. The C&C server URL is hard-coded as a rot13-encoded, hex-escaped string. |
| D | Replies with a part of the C&C server host name and “ok” on a request to /jp2023. The C&C host name consists of a three- to four-character prefix followed by three digits. |
| E | Replies with a part of the C&C server host name and “beautiful” on a request to /jp2023. Some variants do not have a hard-coded part for handling /jp2023. The C&C host name consists of a three- or four-character prefix followed by three digits. |
| F | Replies with contents retrieved from its C&C server on a request to /jp2023. The C&C host name consists of “cw” followed by three digits. |
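As an added example (not code from the paper or from Trend Micro), the following Python turns the Table 1 characteristics into a triage rule set a responder can run over what they observed on a compromised site: the C&C host name, the C&C URL and HTTP method, function names found in the injected code, and the body the site returns for /jp2023. The regexes are this example's reading of the prose descriptions, the "part of the host name" echoed by families D and E is assumed to be its leading characters, and all sample observations are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Observation:
    cnc_host: str = ""                 # C&C host name seen in the injected code or in traffic
    cnc_url: str = ""                  # full C&C URL, when the sample exposes one
    http_method: str = ""              # HTTP method the sample uses toward its C&C
    function_names: Set[str] = field(default_factory=set)  # function names in the injected code
    jp2023_reply: Optional[str] = None # body the compromised site returns for /jp2023 (None: not probed)

# Host-name and URL shapes from Table 1; the exact regexes are this example's interpretation.
HOST_A = re.compile(r"^\d{4}-ch4-v\d{2,3}$")
HOST_DE = re.compile(r"^[a-z]{3,4}\d{3}$")
HOST_F = re.compile(r"^cw\d{3}$")
URL_B = re.compile(r"z\d{5}\D?\d{1,2}")   # "z<five digits> <one or two digits>", separator unknown

def classify(obs: Observation) -> Set[str]:
    """Return the Table 1 family IDs whose characteristics the observation matches."""
    hits: Set[str] = set()
    host = obs.cnc_host.lower()
    if HOST_A.match(host):
        hits.add("A")
    if obs.http_method.upper() == "POST" and URL_B.search(obs.cnc_url.lower()):
        hits.add("B")
    if obs.function_names & {"doutdo", "smoutdo"}:
        hits.add("C")
    if HOST_F.match(host):
        hits.add("F")
    elif HOST_DE.match(host):
        reply = (obs.jp2023_reply or "").lower()
        echoes_host = host[:3] in reply        # assumed: the echoed part is the host-name prefix
        if echoes_host and "beautiful" in reply:
            hits.add("E")
        elif echoes_host and "ok" in reply:
            hits.add("D")
        elif not reply:
            hits.update({"D", "E"})            # E variants may not handle /jp2023; shape alone cannot split D and E
    return hits

# Constructed observations (not indicators from the study), one per Table 1 rule
SAMPLES = {
    "hostname_A": Observation(cnc_host="0123-ch4-v12"),
    "post_B": Observation(cnc_url="http://cnc.example/z12345-7/x", http_method="POST"),
    "func_C": Observation(function_names={"smoutdo", "main"}),
    "probe_D": Observation(cnc_host="abc123", jp2023_reply="abc ok"),
    "probe_E": Observation(cnc_host="wxyz456", jp2023_reply="wxy beautiful"),
    "silent_D_or_E": Observation(cnc_host="abc123"),
    "host_F": Observation(cnc_host="cw007", jp2023_reply="<html>content fetched from C&C</html>"),
}
```

An observation that matches no rule returns an empty set, which is the signal to fall back to manual analysis rather than to force a family label.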
Then, we analyzed the links between them using Maltego, a popular link analysis tool. We defined four links to create a Maltego graph, as depicted in Figure 1. The experiment’s results (Figure 2) suggest the possibility that three groups of threat actors use only one malware family that is unique to each group, whereas one group uses multiple malware families.