Cybercriminals now using fake forums to trick victims into downloading malware

Threat actors are using a new infection method dubbed ‘Gootloader’ to trick users looking for advice, leading them to bogus forums with links to download malware instead, warns cybersecurity firm Sophos.

Taking advantage of people looking for advice online, cybercriminals are now setting up traps in the form of fake forums, research reveals.

The study by cybersecurity firm Sophos explains that the criminals manipulate search engine optimisation (SEO) so that when someone types a question into a search engine, hacked websites appear among the top results.

The criminals first hack into legitimate websites and subtly alter them so that they serve different content to different visitors.

Sophos threat research director Gabor Szappanos said the content that users see depends on the country they are visiting from. For instance, if they are from a country that is not a target, they are shown benign fake web content and nothing happens.

However, if the user is from one of the targeted countries, they are shown a page featuring a fake discussion forum on whatever topic was queried, using the same terms they typed into the search engine.

Szappanos warned that the fake discussion forum contains a post from someone claiming to be a site administrator, with a comment prompting visitors to follow a download link. The link leads to a malicious file which, if downloaded, starts the next stage of the infection.

Sophos named the infection method Gootloader because it loads the Gootkit financial malware, which in turn opens the way for other malware, including ransomware.

Szappanos said Gootloader is currently delivering the Kronos financial malware in Germany, and the post-exploitation tool Cobalt Strike in the United States and South Korea. Earlier operations also targeted France.

“The developers behind Gootkit appear to have shifted resources from delivering just their own financial malware to steal credentials to creating a stealthy, complex delivery platform for all kinds of payloads,” said Szappanos.

He added that Gootloader’s creators are using a number of social engineering tricks that can fool even technically skilled IT users.

He said there are a few warning signs for users to look out for, such as search results pointing to websites that have no logical connection to the advice they appear to offer, and pages whose advice or download links precisely match the search terms used in the initial question.

Szappanos suggested that Windows users turn off the “Hide Extensions for Known File Types” view setting in Windows File Explorer, which lets them see that the .zip download delivered by the attackers contains a file with a .js extension.

Alternatively, users can install a script blocker such as NoScript for Firefox, which would prevent the hacked web page from appearing in the first place.
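As an added illustration of the warning sign above (this is example code written for this page, not Sophos' or the article's own), the following Python check inspects a downloaded .zip for script files and shows the name a user would see with the "hide extensions" setting still on. The sample archive is constructed inline with an inert placeholder script; the list of script extensions beyond .js is an assumption based on common Windows Script Host types.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed set of extensions Windows runs via Windows Script Host / mshta on
# double-click. The article names only .js; the rest are added for coverage.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def explorer_display_name(name: str, hide_known_ext: bool = True) -> str:
    """Return the name as Windows Explorer would show it.

    With "Hide extensions for known file types" enabled, the final extension
    is dropped, so 'guide.js' is displayed simply as 'guide'.
    """
    p = PurePosixPath(name)  # zip entry names use forward slashes
    return p.stem if (hide_known_ext and p.suffix) else p.name


def suspicious_archive_entries(zip_bytes: bytes) -> list[dict]:
    """List archive entries whose real extension is a script type.

    Each finding pairs the real file name with the name a user would see in
    Explorer, which is why turning the hide-extensions setting off matters.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append({
                    "name": info.filename,
                    "shown_as": explorer_display_name(info.filename),
                    "extension": ext,
                    "size": info.file_size,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a zip shaped like the download the article
    describes, holding one .js named after a plausible search query.
    The script body is an inert comment, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample_agreement_template.js", "// inert placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_archive_entries(build_sample_archive()):
        print(f"{f['name']!r} shows as {f['shown_as']!r} ({f['extension']}, {f['size']} bytes)")
```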
