Attackers Use SEO to Steal Bank Credentials; Hilton Settles for $700K

November 3, 2017 | Marketing | GrafWebCUSO

San Jose, Calif.-based Cisco Talos revealed that threat actors used search engine optimization (SEO) to target specific users with Zeus Panda, a banking Trojan designed to steal banking and other sensitive credentials.

The attackers pushed malicious links to prominent positions in Google search results for numerous keyword groups, most of them tailored to banking or financial-related information that potential victims might search for. By poisoning the results for banking and financial keywords, the attackers were able to effectively target an audience that regularly uses financial platforms, giving them a quicker way to obtain credentials, banking and credit card information.

By targeting primarily financial-related keyword searches and ensuring the display of malicious results, the attacker also maximized the potential conversion rate of their infections, the blog post authored by Edmund Brumaghin, Earl Carter and Emmanuel Tacheau strongly suggested. “They can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc.”

The overall configuration and operation of the infrastructure used to distribute this malware did not rely on the distribution methods regularly used for malware. “This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time,” the Talos authors explained.

The initial vector used to start this infection process does not appear to be email based. In this campaign, the attacker(s) targeted specific sets of search keywords that potential targets were likely to query in search engines such as Google. By leveraging compromised web servers, the attacker ensured a high ranking for their malicious results within search engines, increasing the likelihood of clicks by potential victims. In most instances, the attacker got their poisoned results displayed several times on page 1 of the search engine results page for the maliciously-linked keywords.

In cases where victims attempted to browse to the pages hosted on these compromised servers, they would initiate a multi-stage malware infection process.

In other cybersecurity-related news, international hotel chain Hilton reached a $700,000 settlement agreement with two states over two separate data breaches discovered in 2015 that exposed more than 360,000 payment card numbers.

New York Attorney General Eric T. Schneiderman said the probe, conducted with the Vermont attorney general, revealed that Hilton did not provide consumers with timely notice and did not maintain reasonable security.

The settlement requires Hilton to provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program, and conduct data security assessments.

New York’s Bureau of Internet and Technology investigators said they found Hilton did not maintain reasonable data security and also failed to comply with the Payment Card Industry Data Security Standard.

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” Schneiderman said. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”

New York will receive $400,000 of the settlement; Vermont will receive $300,000.

In August 2016 NAFCU President and CEO Dan Berger issued a statement following a string of hotel breaches including HEI Hotels & Resorts, Hyatt Hotels and Starwood Hotels & Resorts: “These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle’s point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers.”