Google search results poisoned by banking Trojan

Cyber criminals are using a combination of poisoned Google search results, compromised websites, and malicious Word documents to infect users with a banking Trojan.

The scheme, discovered by Cisco Talos, delivers Zeus Panda, a notorious banking Trojan that uses man-in-the-browser techniques, keystroke logging and form grabbing to steal online banking credentials.

The poisoned search results suggest that the criminals are targeting people who use the SWIFT banking network, Nordea Sweden, the State Bank of India, India’s Bank of Baroda and Axis Bank, the Commonwealth Bank of Australia, and Saudi Arabia’s Al Rajhi Bank.

How the scheme works

Anyone whose Google search results include one of the poisoned links is exposed. The attackers' pages rank highly for, and appear repeatedly in, searches for particular banking-related terms, including:

  • Nordea Sweden bank account number
  • Al Rajhi bank working hours during Ramadan
  • How many digits in Karur Vysya bank account number
  • Free online books for bank clerk exam
  • How to cancel a cheque Commonwealth Bank
  • Salary slip format in Excel with formula free download
  • Bank guarantee format MT760

If the user clicks a poisoned link, the page uses JavaScript to trigger a series of redirects that eventually downloads a malicious Word document.

When the Word document is opened, it displays the message: “To view this content, please click ‘Enable Editing’ from the yellow bar and then click ‘Enable Content’.” The two yellow bars are Office's own security prompts: ‘Enable Editing’ dismisses Protected View, which Office applies to files downloaded from the internet, and ‘Enable Content’ dismisses the warning Office shows when a document contains VBA macros. The lure text is written to walk the user past both.

If the user follows these instructions, the embedded macro runs, downloads an executable and launches it, infecting the system with Zeus Panda.
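The infection chain above hinges on one fact: a Word document that asks for ‘Enable Content’ contains a VBA project. That is checkable before anyone clicks. The following is an added example (not code from Cisco Talos or from the original article) that inspects an Office Open XML file for the parts that make Word display the macro warning: the `word/vbaProject.bin` entry and the macro-enabled content type in `[Content_Types].xml`. The sample documents it builds in memory are constructed test data, not real malware; the function names are the example's own.

```python
"""Triage an Office Open XML document (.docx/.docm) for embedded VBA macros.

Added example, not from the original article. A .docm is a zip archive; the
presence of word/vbaProject.bin (and the macroEnabled main content type) is
what makes Word show the 'Enable Content' bar described above.
"""
import io
import zipfile

CONTENT_TYPES_PATH = "[Content_Types].xml"
VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data)."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CONTENT_TYPES_PATH, content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file (magic D0 CF 11 E0);
            # a placeholder with that header is enough for this structural check.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def inspect_office_doc(data: bytes) -> dict:
    """Return the facts a triage script wants before anyone clicks 'Enable Content'."""
    result = {
        "is_ooxml": False,
        "has_vba_part": False,
        "macro_enabled_type": False,
        "verdict": "unknown",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc files are OLE containers, not zips; they need a
        # different parser, so report that rather than guessing.
        result["verdict"] = "not OOXML (legacy .doc or other format; inspect separately)"
        return result
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba_part"] = VBA_PART in names
        if CONTENT_TYPES_PATH in names:
            ct_xml = zf.read(CONTENT_TYPES_PATH).decode("utf-8", "replace")
            result["macro_enabled_type"] = MACRO_MAIN_TYPE in ct_xml
    # Either signal alone is enough: a VBA part with a plain content type is
    # still a macro document as far as the user's risk is concerned.
    if result["has_vba_part"] or result["macro_enabled_type"]:
        result["verdict"] = "contains VBA macros: do not enable content"
    else:
        result["verdict"] = "no VBA project found"
    return result


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_doc(True)),
                       ("plain", build_sample_doc(False)),
                       ("not-a-zip", b"not an office file")):
        print(label, inspect_office_doc(doc))
```

Pointing `inspect_office_doc` at a file saved from a suspicious download (`inspect_office_doc(open(path, "rb").read())`) tells you whether the ‘Enable Content’ prompt is coming before you ever open the document in Word; a positive result from a page that merely promised a bank form is the giveaway the article describes.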

A curious addition to this version of Zeus Panda is that it will not run if it detects that the keyboard layout is Russian, Belarusian, Kazakh or Ukrainian. Criminals often avoid infecting victims in the jurisdiction they operate from, so as not to attract the attention of local law enforcement; an attack might also exclude certain countries if it is state-sponsored or politically motivated.

Protecting yourself from this scheme

The layered nature of this scheme makes it harder than most attacks to spot. The malicious link appears at the top of the user's own Google search rather than in an unsolicited email, so when the page hands over a Word document it is easy to assume it can be trusted.

In practice, the last point at which the user can break the chain is the request to enable macros. Anyone who has had phishing training will know that malware is commonly hidden in macros, and Office reinforces this by disabling macros by default and showing a prominent warning whenever a document contains them. Organizations can also take the decision away from the user entirely: Office's Group Policy setting to block macros in files downloaded from the internet stops this particular chain regardless of what the lure text says.

Of course, the lure is built to make the macros look safe: the document appears to come from a source the user chose, not from a stranger. The giveaway is that legitimate websites rarely push a Word document download unprompted and then ask you to override two security warnings to read it. It sounds simple when put like that, but it is easy to fall victim if you are not aware of the threat that macros present.

If you or your organization wants to learn more about phishing and how to prevent attacks, you should take a look at our Phishing Staff Awareness Course.

This course covers:

  • Different types of phishing
  • What happens when you click a malicious link
  • The methods cyber criminals use
  • The consequences of an attack
  • How to identify a phishing scam

Find out more about our Phishing Staff Awareness Course >>