Summary
- Trend Micro, in a joint study with Kagawa University, Kanagawa Prefectural Police Headquarters, Chiba Prefectural Police Headquarters, and Japan Cybercrime Control Centre, investigated the relationships amongst multiple SEO malware families.
- Their research identified how threat actors use SEO poisoning tactics to redirect users to fake e-commerce sites.
- They identified three groups of threat actors each using a unique malware family, while one group used multiple malware families.
- Further analysis also showed that one malware family's C&C servers shared a limited number of large fake e-commerce site sets, unlike other malware families that managed independent lists.
- These findings were presented in depth at the 2024 7th IEEE Conference on Dependable and Secure Computing, where the paper received the Best Paper Award.
Trend Micro researchers recently conducted a research project that analysed the relationship amongst multiple blackhat search engine optimisation (SEO) malware families. By analysing data from command-and-control (C&C) servers of different types of SEO malware and fake shopping sites, they were able to identify distinct groups of SEO malware families, how these share infrastructure to maximise the effectiveness of SEO poisoning attacks, and their role in orchestrating e-commerce scams.
This project was carried out in partnership with several Japanese organisations, namely Kagawa University, Kanagawa Prefectural Police Headquarters, Chiba Prefectural Police Headquarters, and Japan Cybercrime Control Centre (JC3). Their research paper, titled “An analysis of the relationship between Black-hat SEO malware families leveraging information from redirected fake E-commerce scam sites”, was presented at the 7th IEEE Conference on Dependable and Secure Computing (DSC2024), where the researchers received the Best Paper Award for their contribution.
This article provides an abstract of the paper, the results of the analysis, and key contributions, all of which the paper explains in further detail.
Fake e-commerce scams in Japan leveraging SEO poisoning
Recently, the number of fake e-commerce sites that aim to defraud people or steal their personal information has been increasing, resulting in significant financial damage to society. Additionally, in Japan, the number of reported fake e-commerce sites is on the rise: According to a JC3 report, 47,278 fake e-commerce sites were reported to JC3 in 2023, an increase from the 28,818 sites reported the previous year.
Some threat actors behind fake e-commerce sites instal malware in compromised websites for blackhat SEO purposes: The malware conducts SEO poisoning, making search engines display the threat actors’ lure pages as if these were placed on the compromised websites. The lure pages then redirect visitors from search engines to fake e-commerce sites to potentially victimise them. In this study, we focus on the threat actors that use this tactic; we refer to the malware running on compromised websites for this purpose as “SEO malware”.
SEO malware is installed on compromised websites to intercept web server requests and return malicious content. This lets threat actors submit a crafted sitemap to search engines and have the generated lure pages indexed. The search results are thereby contaminated: the URLs of compromised websites appear in searches for product names that those sites do not actually sell. Consequently, search engine users are directed to these sites, where the SEO malware intercepts the request handler and redirects the user’s browser to fake e-commerce sites. The specific technique of using Japanese keywords to steer search results to fake Japanese e-commerce sites is known as the Japanese keyword hack.
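The behaviour just described (one page for the crawler, another for a visitor, and a redirect only for visitors arriving from a search engine) is something a site administrator can test for. The following is an added example, not code from the paper or from Trend Micro: it probes one URL with a crawler identity and a browser identity and compares the two views, then checks whether a visitor with a search-engine referrer is redirected off-site. The user-agent strings, the `.example` host names and the page bodies are constructed stand-ins; the HTTP client is injected so the check runs offline here, and a real `requests`-based client can be passed in its place.

```python
"""Cloaking and conditional-redirect check for a site administrator.

Added example (not from the paper or Trend Micro): probes one URL the way a
search-engine crawler and an ordinary visitor would, and flags the behaviour
described in the text (different content for crawlers, redirect of
search-engine visitors to an external domain, injected Japanese keywords on a
site that does not publish in Japanese). Host names and page bodies are
constructed samples.
"""
import re
from urllib.parse import urlparse

# Assumed header values for the two probe identities.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0"
SEARCH_REFERER = "https://www.google.com/"

JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")   # hiragana, katakana, kanji
TAG = re.compile(r"<[^>]+>")


def words(html):
    """Visible text of a page as a set of tokens (markup stripped)."""
    return set(TAG.sub(" ", html).split())


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def check_page(fetch, url, expect_japanese=False, threshold=0.5):
    """Return a list of findings for one URL.

    fetch(url, headers) -> (status, response_headers, body) is the HTTP client;
    it is injected so the check can run against a stub with no network access.
    """
    findings = []
    site_host = urlparse(url).hostname
    _, _, crawler_view = fetch(url, {"User-Agent": CRAWLER_UA})
    _, _, browser_view = fetch(url, {"User-Agent": BROWSER_UA})

    # 1. Cloaking: crawler and browser receive substantially different text.
    if jaccard(words(crawler_view), words(browser_view)) < threshold:
        findings.append("cloaking: crawler and browser see different content")

    # 2. Japanese keyword hack: Japanese text served to the crawler on a site
    #    that does not publish in Japanese.
    if not expect_japanese and JAPANESE.search(crawler_view):
        findings.append("keyword injection: Japanese text in crawler view")

    # 3. Conditional redirect: a visitor arriving from a search engine is
    #    sent to another domain by a 3xx response.
    status, headers, _ = fetch(url, {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERER})
    target = urlparse(headers.get("Location", "")).hostname
    if 300 <= status < 400 and target and target != site_host:
        findings.append(f"conditional redirect: search-engine visitors sent to {target}")
    return findings


# Constructed stubs modelling a compromised site and a clean one.
INFECTED_LURE = "<html><body><h1>激安 ブランド 財布 通販</h1><p>格安 スニーカー 新作 送料無料</p></body></html>"
NORMAL_PAGE = "<html><body><h1>Example Garden Supply</h1><p>Tools and seeds for your garden.</p></body></html>"


def infected_fetch(url, headers):
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, {}, INFECTED_LURE
    if headers.get("Referer", "").startswith("https://www.google."):
        return 302, {"Location": "https://fake-shop.example/item"}, ""
    return 200, {}, NORMAL_PAGE


def clean_fetch(url, headers):
    return 200, {}, NORMAL_PAGE


if __name__ == "__main__":
    for name, client in (("infected", infected_fetch), ("clean", clean_fetch)):
        print(name, check_page(client, "https://garden.example/tools") or ["no findings"])
```

The word-set comparison deliberately ignores markup, so a template shared by both views does not mask an injected lure; set `expect_japanese=True` for a site that legitimately publishes in Japanese, otherwise finding 2 fires on normal content.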
Analysis and results
In this study, we focus on this blackhat SEO technique and aim to shed light on the characteristics of the threat actors behind it. To do so, we collected data from 227,828 fake e-commerce sites obtained from 1,242 command-and-control (C&C) servers of six SEO malware families (Table 1). Upon collection, we immediately updated our Web Reputation Service (WRS) technology so that it blocks these sites and prevents users from accessing them.
Table 1. Identifying characteristics of the six SEO malware families

Malware family ID | Identifying characteristics
--- | ---
A | C&C host name is formatted as “<four digits>-ch4-v<two or three digits>”; the numbers increase over time. A specific obfuscation algorithm is sometimes applied.
B | Communicates with C&C servers via the HTTP POST method. The C&C server URL contains a string like “z<five digits> <one or two digits>”.
C | Uses a function named doutdo or smoutdo. The C&C server URL is hard-coded as a rot13-encoded, hex-escaped string.
D | Replies with part of the C&C server host name and “ok” to a request for /jp2023. The C&C host name consists of a three- to four-character prefix followed by three digits.
E | Replies with part of the C&C server host name and “beautiful” to a request for /jp2023; some variants lack the hard-coded /jp2023 handler. The C&C host name consists of a three- or four-character prefix followed by three digits.
F | Replies with content retrieved from its C&C server to a request for /jp2023. The C&C host name consists of “cw” followed by three digits.
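The characteristics in Table 1 can be turned into a triage routine for artefacts recovered from a suspicious script on a compromised site. The following is an added example written for this article, not the authors' tooling: it encodes the table's host-name formats, the HTTP POST marker, the doutdo/smoutdo function names, the rot13-plus-hex-escape decoding for family C, and the /jp2023 reply patterns for D, E and F as checks, and returns every family whose characteristics match. The `Artifacts` structure, the decoding helper and all host names under the reserved `.example` domain are constructed for the example; no C&C host from the study is reproduced.

```python
"""Family triage from the characteristics in Table 1.

Added example, not from the paper: the table's identifying characteristics
become checks over artefacts recovered from a suspicious script (C&C URL,
transport, function names, /jp2023 reply). All samples are constructed.
"""
import codecs
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Artifacts:
    c2_url: str                                   # C&C URL found in the sample
    uses_post: bool = False                       # talks to C&C via HTTP POST
    function_names: set = field(default_factory=set)
    jp2023_reply: Optional[str] = None            # body served for GET /jp2023, if any
    encoded_c2: Optional[str] = None              # rot13 + hex-escaped literal, if any


def decode_rot13_hex(literal):
    """Family C keeps its C&C URL rot13-encoded and hex-escaped (\\x75\\x67...)."""
    raw = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), literal)
    return codecs.decode(raw, "rot13")


def classify(a):
    """Return the family IDs from Table 1 whose characteristics the artefacts match."""
    label = (urlparse(a.c2_url).hostname or "").split(".")[0]   # first DNS label
    found = []
    if re.fullmatch(r"\d{4}-ch4-v\d{2,3}", label):
        found.append("A")
    # Table 1 prints the B marker with a space between the digit groups;
    # it is taken literally here (assumption).
    if a.uses_post and re.search(r"z\d{5} \d{1,2}", a.c2_url):
        found.append("B")
    decoded = decode_rot13_hex(a.encoded_c2) if a.encoded_c2 else ""
    if a.function_names & {"doutdo", "smoutdo"} or decoded.startswith("http"):
        found.append("C")
    if re.fullmatch(r"cw\d{3}", label):
        found.append("F")
    m = re.fullmatch(r"([A-Za-z]{3,4})\d{3}", label)
    if m:                                         # D/E host-name shape
        prefix, reply = m.group(1), a.jp2023_reply
        if reply is None:
            # Only E is documented as sometimes lacking the handler, but a
            # missing reply is weak evidence, so keep both candidates.
            found.extend(["D", "E"])
        elif prefix in reply and "beautiful" in reply:
            found.append("E")
        elif prefix in reply and "ok" in reply:
            found.append("D")
    return found


# Constructed samples (placeholder hosts under the reserved .example TLD).
ENCODED_C2 = (r"\x75\x67\x67\x63\x66\x3a\x2f\x2f\x66\x67\x34\x67\x76\x70\x2d"
              r"\x70\x71\x61\x2e\x72\x6b\x6e\x7a\x63\x79\x72\x2f\x70\x32")
SAMPLES = {
    "A-like": Artifacts("http://1234-ch4-v12.example/"),
    "B-like": Artifacts("http://c2.example/z12345 7", uses_post=True),
    "C-like": Artifacts(decode_rot13_hex(ENCODED_C2), function_names={"smoutdo"},
                        encoded_c2=ENCODED_C2),
    "D-like": Artifacts("http://abcd123.example/", jp2023_reply="abcd ok"),
    "E-like": Artifacts("http://xyz456.example/", jp2023_reply="xyz beautiful"),
    "E-variant": Artifacts("http://xyz456.example/"),          # no /jp2023 handler
    "F-like": Artifacts("http://cw789.example/"),
}

if __name__ == "__main__":
    print("decoded C URL:", decode_rot13_hex(ENCODED_C2))
    for name, art in SAMPLES.items():
        print(f"{name:10s} -> {classify(art) or ['no match']}")
```

Returning a list rather than a single label keeps the D/E ambiguity visible: with a matching host name but no /jp2023 reply, an analyst still has to look at the code before assigning the sample to either family.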
Then, we analysed the links between them using Maltego, a popular link analysis tool. We defined four link types to build a Maltego graph, as depicted in Figure 1. The experiment’s results (Figure 2) suggest the possibility that three groups of threat actors each use only one malware family that is unique to that group, whereas one group uses multiple malware families.
Furthermore, by examining the groups obtained from this analysis and the data from the fake shopping sites, we gained insight into the infrastructure of the criminal groups: For example, while malware A, C, D, E, and F managed independent lists of fake shopping sites on different C&C servers, malware B appeared to share a list of a few large fake shopping sites across C&C servers.
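The difference between family B and the others comes down to how much the fake-shop lists held on a family's C&C servers overlap. The following is an added example, not the authors' analysis code: over a constructed mapping of (family, C&C host) to the set of fake e-commerce domains it served, it computes the mean pairwise Jaccard similarity of the lists within each family and flags families whose servers mostly serve the same list. It also lists fake sites that appear under more than one family, the sort of relation a link-analysis graph would draw an edge for. The four link types the paper defines are not given in this article, so these two relations are assumptions chosen to illustrate the method, and every host name is a placeholder.

```python
"""Do a family's C&C servers share one fake-shop list or keep independent ones?

Added example, not from the paper. The input is a constructed mapping of
(family, C&C host) -> set of fake e-commerce domains, standing in for the
lists the authors collected from C&C servers. The two relations computed
(list overlap within a family, fake sites seen under several families) are
assumptions chosen to illustrate the analysis, not the paper's link types.
"""
from collections import defaultdict
from itertools import combinations


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def overlap_by_family(site_lists):
    """Per family: number of C&C servers, number of distinct lists they hold,
    and the mean pairwise Jaccard similarity between those lists."""
    per_family = defaultdict(dict)
    for (family, c2), sites in site_lists.items():
        per_family[family][c2] = frozenset(sites)
    report = {}
    for family, lists in per_family.items():
        pairs = list(combinations(lists.values(), 2))
        mean_j = sum(jaccard(x, y) for x, y in pairs) / len(pairs) if pairs else 0.0
        report[family] = {
            "c2_servers": len(lists),
            "distinct_lists": len(set(lists.values())),
            "mean_jaccard": round(mean_j, 2),
        }
    return report


def sharing_families(report, threshold=0.5):
    """Families with several C&C servers that mostly serve the same list."""
    return sorted(f for f, r in report.items()
                  if r["c2_servers"] > 1 and r["mean_jaccard"] >= threshold)


def cross_family_sites(site_lists):
    """Fake sites that appear under more than one family: a candidate link
    between families in a graph such as the Maltego one described above."""
    seen = defaultdict(set)
    for (family, _), sites in site_lists.items():
        for site in sites:
            seen[site].add(family)
    return {site: fams for site, fams in seen.items() if len(fams) > 1}


# Constructed data: family B's servers hold (nearly) the same large list,
# family A's servers hold disjoint lists, family C has a single server.
BIG = {"shop-s1.example", "shop-s2.example", "shop-s3.example", "shop-s4.example"}
SITE_LISTS = {
    ("B", "b-c2-1.example"): set(BIG),
    ("B", "b-c2-2.example"): set(BIG),
    ("B", "b-c2-3.example"): BIG | {"shop-s5.example"},
    ("A", "a-c2-1.example"): {"shop-a1.example", "shop-a2.example"},
    ("A", "a-c2-2.example"): {"shop-a3.example", "shop-a4.example"},
    ("A", "a-c2-3.example"): {"shop-a5.example", "shop-s1.example"},  # also served by B
    ("C", "c-c2-1.example"): {"shop-c1.example", "shop-c2.example"},
}

if __name__ == "__main__":
    report = overlap_by_family(SITE_LISTS)
    for family, r in sorted(report.items()):
        print(family, r)
    print("families sharing a list across C&C servers:", sharing_families(report))
    print("fake sites seen under several families:", cross_family_sites(SITE_LISTS))
```

On the constructed data, B's three servers collapse to two nearly identical lists with a mean overlap of 0.87, A's three lists do not overlap at all, and one fake site is common to A and B; in the study the same measurement is what distinguished B's shared lists from the independent lists of A, C, D, E and F.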
Protecting users against e-commerce scams
E-commerce users need to be very cautious when looking for products via search engines and when using a shopping site for the first time to avoid falling victim to fake shopping sites. They should check for tell-tale signs of fraudulent behaviour, such as:
- Suspicious URLs that contain an uncommon domain name
- Prices that are unusually cheap compared to the product’s usual market price
- Products that are not typically seen on major shopping sites, but are being sold at a discount
- Sites that handle a large and diverse range of products despite not being a major retail site
- Sites that impersonate a major brand
- Sites that claim to be a "speciality store" but are selling completely unrelated items
- Site information that does not match the company's information and location
Users can use Trend Micro Check to verify the legitimacy of a website address. Additionally, Trend Micro's Web Reputation Service (WRS) protects users from fake shopping sites by blocking access to any sites that Trend Micro confirms as fake shopping sites.
On their end, web administrators should always be vigilant regarding account theft and website vulnerabilities to prevent website tampering. Administrators should stay up to date on the latest vulnerability news and use highly complex passwords. Trend Micro Deep Security™ also provides virtual patching to defend servers against unpatched vulnerabilities, and features to monitor unexpected system changes so that suspicious activity is detected and addressed early.
Trend Micro will continue to collaborate closely with various organisations to address the damage caused by fake shopping sites, as we carry on our mission to secure today’s connected world.