Malware being pushed to businesses by search engines remains a pervasive threat

Search engines pushing malware to users continue to be one of the most pervasive cyber security threats facing organizations around the world.

Netskope’s 2022 Cloud and Threat report found that nearly 10% of all malware downloads in Q1 2022 were referred from search engines. 

Downloads of malicious software “mostly resulted” from weaponized data voids, or a combination of search terms that specifically appealed to business web users, the study found. 

Data voids occur when there is a lack of clearcut information available on search terms found in Google. Netskope said this means that content matching certain terms appears “very high in search results” - which in turn appeals to threat actors targeting certain users. 

The research revealed that threat actors are increasingly relying on malicious web content to target users by developing finely-catered websites spanning a range of categories, such as business, marketing, technology, education, and retail. 

These websites are often developed and populated in a patient manner by attackers to ensure they appear legitimate and dupe unknowing users. 

“Attackers have been populating their websites with enough content to make them seem legitimate, and only using them to host malicious content after they have been around long enough to blend in,” the report stated. 

“They have also been abusing free hosting services and compromising existing websites to deliver malicious content.”

Netskope’s findings on malvertising align with previous research into this attack method, which has surged in popularity among threat actors in recent months. 

An investigation by Bitwarden in January found that the volume of fake ads promoting malicious software and websites impersonating popular brands has increased markedly over the last year.  

Similar research from HP Wolf Security’s threat research division observed a surge in malvertising across 2022. 

In a blog post in January, the security firm warned that businesses were facing a significant volume of malicious websites aimed at compromising user accounts and targeting operations. 

“In the last two months, we’ve seen a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique,” researchers said.

The rise of malvertising has reached such a point in the last 12 months that researchers have raised questions over Google’s handling of the issue.

In a January Twitter thread, security researcher Will Dormann questioned why VirusTotal, which is owned by Google, was not being used to automatically examine sponsored links for malware. 

Dormann’s criticism followed an incident in which a popular crypto influencer fell victim to a malicious OBS link promoted in Google Search results. 

Social engineering risks still acute

Malvertising represents “just one of many” social engineering techniques frequently employed by threat actors, the Netskope study warned. 

In addition to leveraging search engines, attackers still focus heavily on targeting users via email platforms, collaboration apps, and chat applications to dupe victims. 

The study noted that the two most prevalent forms of malware still harnessed by attackers include Trojans, which accounted for 60% of all malware downloads in Q1 2022, and phishing downloads, which accounted for 13% of all incidents.

“Phishing scams, credit card skimmers, exploit kits, and other malicious web content continued to rise in 2022,” the report stated. 

“Compromised sites, sites created using free hosting services, and fake websites hosting seemingly legitimate content have helped attackers disguise malicious web content, making it difficult to filter malicious content using URL categorization alone.”

“The rise in cloud malware delivery and malicious web content underscores the importance of inspecting all content, from all destinations, for both web and cloud.”

Cloud apps placing users at risk 

Malware delivery via cloud applications remained a key point of concern, the study found. 

Over the last year, cloud malware delivery increased significantly, with malware downloads occurring from more than 400 cloud apps. 

Microsoft OneDrive remained the most popular weapon of choice for threat actors in this regard. 

However, Netskope observed a marked increase in the popularity of Google Cloud Storage, which saw “significant increase in usage as it gained popularity for object hosting across the web”. 

To mitigate rising malware threats, Netskope recommended that organizations deploy “multi-layered, inline threat protection” for cloud and web traffic.

In doing this, businesses can prevent inbound and outbound malware communications.

Similarly, it advised implementing “real-time coaching” for users to ensure safer app alternatives and to monitor unusual activity.