Black Hat SEO Exploits AI to Spread Malware

Black Hat SEO tactics are being used to manipulate search engine results and distribute malware through AI-themed websites. Recent research by Zscaler ThreatLabz has uncovered a scheme in which threat actors exploit the popularity of AI tools like ChatGPT and Luma AI to lure unsuspecting users into interacting with malicious websites. These sites, often built on WordPress, are tuned to rank highly for AI-related queries so that users searching for those tools are more likely to land on them.

If a user engages with one of these AI-themed websites, a chain of JavaScript redirections is triggered, leading to the delivery of malware such as Vidar, Lumma, and Legion Loader. These campaigns involve browser fingerprinting to gather information like browser version, cookies, and user agent before redirecting users to websites hosting malware payloads.

The attack begins when a user visits an AI-themed website that has been optimized using Black Hat SEO techniques to rank high in search results for AI-related keywords. For instance, a search for “Luma AI blog” might lead a user to a malicious page disguised as legitimate content. Once on the site, malicious JavaScript collects browser data, encrypts it, and sends it to a controlled domain for further redirection.

The JavaScript embedded in these deceptive websites is hosted on reputable platforms like AWS CloudFront to appear legitimate. It checks for ad blockers in users’ browsers to ensure successful redirection to malware pages. The JavaScript also decodes configuration details needed for redirection, encrypts collected data for secure transmission, and performs various tasks to evade detection.
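The chain described above (search result, AI-themed lure page, script fetched from a reputable CDN, data sent to an attacker-controlled host, oversized installer download) leaves a recognisable sequence in web-proxy logs. The following is an added example written for this page, not code from Zscaler or the research; it correlates per-client proxy events and flags clients that traverse every stage. The log format, the search-engine and CDN host lists, the size threshold and all domains in the sample lines are constructed assumptions, not indicators from the research.

```python
"""Flag clients whose proxy traffic matches the search -> AI lure -> CDN script ->
fingerprint POST -> large archive chain. Added example; nothing here is a real IoC."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: <ts> <client_ip> <method> <url> <status> <referer> <bytes>
# All hosts are placeholders chosen for illustration.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET https://www.example-search.test/search?q=luma+ai+blog 200 - 5120
2024-06-01T10:00:03Z 10.0.0.5 GET https://luma-ai-blog.example/post/chatgpt-tips 200 https://www.example-search.test/search?q=luma+ai+blog 43000
2024-06-01T10:00:04Z 10.0.0.5 GET https://d111111abcdef8.cloudfront.net/js/track.js 200 https://luma-ai-blog.example/post/chatgpt-tips 9800
2024-06-01T10:00:05Z 10.0.0.5 POST https://collect.example-c2.test/fp 200 https://luma-ai-blog.example/post/chatgpt-tips 310
2024-06-01T10:00:06Z 10.0.0.5 GET https://dl.example-c2.test/files/Setup.zip 200 https://collect.example-c2.test/fp 734003200
2024-06-01T10:05:00Z 10.0.0.9 GET https://docs.example.org/ai/overview 200 https://www.example-search.test/search?q=ai+docs 12000
"""

# Keywords the article reports being abused in search results (pattern is an assumption).
AI_KEYWORDS = re.compile(r"(chatgpt|luma|openai|gpt|ai[-_ ]?blog)", re.IGNORECASE)
SEARCH_ENGINES = ("example-search.test",)   # assumption: referrer hosts treated as search engines
CDN_SCRIPT_HOSTS = (".cloudfront.net",)      # article: stage-2 script hosted on a reputable CDN
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024     # assumption: "large installer" threshold
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".exe", ".msi")
FULL_CHAIN = {"search_to_ai_lure", "cdn_script", "fingerprint_post", "large_payload"}


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, ip, method, url, status, referer, nbytes = line.split()
    return {"ts": ts, "ip": ip, "method": method, "url": url,
            "status": int(status), "referer": referer, "bytes": int(nbytes)}


def host(url):
    """Hostname of a URL, or '' for the '-' placeholder used when no referrer is present."""
    return urlparse(url).hostname or ""


def detect_chains(log_text):
    """Return {client_ip: [stage, ...]} for clients that hit every stage of the chain."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_client[event["ip"]].append(event)

    findings = {}
    for ip, events in by_client.items():
        stages = []
        lure_hosts = set()   # AI-themed pages this client reached from a search engine
        for e in events:
            h = host(e["url"])
            ref = host(e["referer"])
            # Stage 1: arrival from a search engine on a page with an AI-themed URL.
            if ref.endswith(SEARCH_ENGINES) and AI_KEYWORDS.search(e["url"]):
                stages.append("search_to_ai_lure")
                lure_hosts.add(h)
            # Stage 2: JavaScript pulled from a CDN while on the lure page.
            elif h.endswith(CDN_SCRIPT_HOSTS) and ref in lure_hosts and e["url"].endswith(".js"):
                stages.append("cdn_script")
            # Stage 3: collected browser data POSTed from the lure page to a third-party host.
            elif e["method"] == "POST" and ref in lure_hosts and h not in lure_hosts:
                stages.append("fingerprint_post")
            # Stage 4: an oversized archive/installer download at the end of the redirect chain.
            elif e["url"].lower().endswith(ARCHIVE_EXT) and e["bytes"] >= LARGE_DOWNLOAD_BYTES:
                stages.append("large_payload")
        if FULL_CHAIN <= set(stages):
            findings[ip] = stages
    return findings


if __name__ == "__main__":
    for client, stages in detect_chains(SAMPLE_LOG).items():
        print(f"{client}: {' -> '.join(stages)}")
```

Requiring all four stages keeps the false-positive rate low on ordinary browsing: the benign client in the sample (a search-engine referral to an AI documentation page with no CDN script, no third-party POST and no large download) is not flagged. In production the keyword list, search-engine and CDN host lists, and size threshold would be tuned to the organisation's own traffic.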

The malware campaigns observed in this scheme have delivered threats like Vidar Stealer, Lumma Stealer, and Legion Loader. These malware payloads are often concealed within large installer files to bypass security measures. The attackers use tactics like DLL sideloading and process hollowing to evade detection and deliver the malicious payloads.

ThreatLabz researchers have identified key indicators of compromise associated with this campaign, including malicious domains, password-protected ZIP archives, and command-and-control URLs. The analysis underscores the need for users to exercise caution when searching for AI-related content, as threat actors are leveraging SEO tactics to distribute malware.

Zscaler’s cloud security platform provides coverage against threats like Vidar, Lumma, and Legion Loader, detecting malicious activities at various levels. The platform’s multilayered approach helps identify and mitigate risks associated with these malware campaigns.

In conclusion, the use of Black Hat SEO to manipulate search engine results for malicious purposes highlights the evolving landscape of cyber threats. As threat actors exploit popular topics like AI to distribute malware, users and organizations must stay vigilant and adopt robust security measures to protect against such attacks.
