14 DAY TRIAL // Researchers from Malwarebytes have discovered a campaign that abuses Google search featured snippets to show links to compromised websites that eventually redirect users to online scams or even exploit kits spreading ransomware.
The campaign relies on crooks identifying websites that get listed in "featured snippets," a Google feature that shows answers to common user questions.
Most of the times, these links lead to safe websites such as Wikipedia, but in some cases, they are also on personal blogs or news sites.
Gaming SEO search results
In an active campaign detected by Jerome Segura of Malwarebytes, crooks were redirecting users from a featured snippet for a Hungarian site to an online store where they were selling product keys for Microsoft Office.
If the user felt something was wrong when they clicked on a domain and ended up on another, by accessing the Hungarian site, they would actually be redirected to a page hosting the Neutrino exploit kit, which in turn would infect them with the CryptMIC ransomware.
The weird thing in this infection is that hackers even managed to trick Google's search engine to classify the original website, a sports-related portal, as the best answer for an Office-related question, meaning Google has two problems instead of one.
Gaming SEO results isn't something new by any means, but you'd expect this to happen with regular search results, not featured snippets.
Searching for "promoted sites" to hack
Additionally, crooks could also actively search for third-party websites listed in featured snippets that are running vulnerable CMSs.
After hacking these websites, attackers could employ the same scenario as above, hijacking the site's traffic that comes via Google's featured snippet, which can be quite considerable.
Crooks do not necessarily need to alter Google search rankings to insert malicious featured snippets, and could very easily go after sites already in this privileged position.
