According to a blog post by Cisco-owned Talos, the Zeus Panda malware essentially “poisons” Google search results to push fake bank-related results to the top of a keyword search. Then the unwary user, looking for quick answers to a search related to their bank, is fooled into clicking on malicious links.
The malware utilizes search engine optimization (SEO) “to make their malicious links more prevalent in the search results…[which] will enable the attacker to quickly obtain credentials, banking and credit card information,” Talos said.
"[It's] a clever way...to serve malicious files," a spokesperson for the internet security firm Avast told Fox News. "Although it’s not completely new, it’s rarely seen as a mechanism of spreading malware such as banking Trojans."
Computer security website Bleeping Computer covered the malware in a recent post.
"This group has taken a novel approach, never before seen in the distribution of banking Trojans,” Bleeping Computer wrote.
The ultimate goal is to trick you into visiting the hacked site, which then redirects you until you reach a site offering a Microsoft Word document for download, according to Talos.
“Ironically we have observed the same redirection system and associated infrastructure used to direct victims to tech support and fake [anti-virus] scams," Talos added.
So far, the malware seems to be targeting customers in Sweden, India, Australia and Saudi Arabia. But that’s never stopped successful malware from spreading to other countries.
How to protect yourself
Malware often needs you to proactively click on links and buttons. In this case, when the Microsoft Word document is opened, it shows prompts such as “Enable Editing,” “Enable Content” and "Macros have been disabled." If you do enable the macro, an executable download will infect your system.
The biggest red flag you’ll get is from Microsoft itself. By default, macros are disabled. And Microsoft wants you to keep it that way to protect you from documents coming from untrusted sources.
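The two paragraphs above describe the delivery step: a downloaded Word document that carries a macro and asks the user to enable it. A defender can check a downloaded Office file for macro content before anyone opens it, because modern Office formats are zip containers in which macros live in a `vbaProject.bin` part and are declared with a `macroEnabled` content type. The following is an added example written for this page, not code from Talos, Avast or Bleeping Computer; it uses only the Python standard library, constructs its own minimal sample containers for demonstration (they are not real Word files), and reports legacy binary `.doc` files separately because inspecting those needs an OLE parser.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format (.doc, .xls, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Part name under which OOXML files store VBA macros (word/, xl/ or ppt/ prefix).
MACRO_PART_SUFFIX = "vbaProject.bin"
# Substring of the content types Office uses for macro-enabled documents,
# e.g. application/vnd.ms-word.document.macroEnabled.main+xml
MACRO_CONTENT_TYPE = "macroEnabled"


def classify_office_blob(data: bytes) -> str:
    """Classify raw file bytes as 'macro', 'no-macro', 'legacy-ole' or 'not-office'.

    A result of 'macro' means the file should not be opened with content enabled
    unless its origin is trusted; 'legacy-ole' means a binary .doc/.xls that this
    check cannot inspect (use an OLE-aware tool for those).
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Every OOXML package must carry a content-types manifest.
            if "[Content_Types].xml" not in names:
                return "not-office"
            # Presence of a VBA project part is the strongest signal.
            if any(n.endswith(MACRO_PART_SUFFIX) for n in names):
                return "macro"
            # Also honour the declared content type, in case the part is renamed.
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in manifest:
                return "macro"
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def classify_office_file(path: str) -> str:
    """Convenience wrapper: classify a file on disk."""
    with open(path, "rb") as fh:
        return classify_office_blob(fh.read())


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample container for demonstration only (not a real Word file)."""
    if with_macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = ("application/vnd.openxmlformats-officedocument"
                     ".wordprocessingml.document.main+xml")
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled sample", build_sample(True)),
                        ("plain sample", build_sample(False)),
                        ("legacy OLE header", OLE_MAGIC + b"\x00" * 16),
                        ("random bytes", b"not an office file")):
        print(f"{label}: {classify_office_blob(blob)}")
```

The check is deliberately conservative: it flags a file if either the macro part or the macro-enabled content type is present, so a file that hides one signal but not the other is still reported, and it does not try to judge what the macro does. That matches the advice in the text: the decision point is whether to enable content at all, not whether a particular macro looks harmless.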
Avast told Fox News that it is currently "blocking most of these sites, [which] prevents users from being infected."
“Defending against this attack requires not only vigilance by companies to make sure the sites and servers are compromised, but that consumers pay attention to what they are clicking on and not enabling macros or open unknown attachments,” according to a post at SC Media, a cybersecurity website.