Google search results poisoned by banking trojan attackers' clever SEO

Criminals are using Google search to target bank customers with a nasty banking trojan.
Written by Liam Tung, Contributing Writer on

A group of attackers is using a combination of Google search-engine optimization (SEO) for banking-related keywords, compromised websites, and malicious Word macros to infect users with the Zeus Panda bank credential stealer.

Attackers have used SEO poisoning in the past to spread malware, but this group is using the technique in a particularly crafty manner to ensure malicious links are seen by people who regularly use a specific bank, essentially profiling victims before infection.

Researchers at Cisco's Talos security team discovered the campaign and have highlighted the keyword searches being targeted.

The terms suggest they're targeting customers of Nordea Sweden, the State Bank of India, India's Bank of Barodia and Axis Bank, the Commonwealth Bank of Australia, and Saudi Arabia's Al Rajhi Bank. They're also targeting users who are searching for details about the SWIFT banking network.

Notably, once a system is infected, the malware won't activate if it detects a keyboard's mapping is Russian, Belarusian, Kazak, and Ukrainian. Hackers often avoid targeting users from the jurisdiction in which they operate to avoid attracting attention from local law enforcement.

The attackers first compromised a series of genuine business websites, and then optimized them to appear at the top of organic Google search results for certain search terms.

According to Cisco, the attackers were able to get their poisoned results displayed several times on page one of Google's Search Engine Results Page.

The search terms included:

  • "nordea sweden bank account number"
  • "al rajhi bank working hours during ramadan"
  • "how many digits in karur vysya bank account number"
  • "free online books for bank clerk exam"
  • "how to cancel a cheque commonwealth bank"
  • "salary slip format in excel with formula free download"
  • "bank of baroda account balance check"
  • "bank guarantee format mt760"
  • "free online books for bank clerk exam"
  • "sbi bank recurring deposit form"
  • "axis bank mobile banking download link"

If a victim visits the compromised site, the page uses JavaScript to trigger a series of redirects that eventually downloads a malicious Word document.

From here, the attackers rely on social engineering to trick the user to enable macro code to run. Macros are disabled by default and Microsoft recommends it's kept that way, in particular for documents from untrusted sources, such as the internet.

When the Word document is opened it displays the message: "To view this content, please click 'Enable Editing' from the yellow bar and then click 'Enable Content'".

This instruction probably refers to the yellow security warning Office displays when it detects a file with macros in it. The warning states that "Macros have been disabled" next to an "Enable Content" button.

If the user does enable it, the malicious macro will download an executable that infects the system with Zeus Panda.


Microsoft recommends you don't enable macros in Word, in particular for documents from untrusted sources.

Image: Talos, Cisco

Previous and related coverage

IT leader's guide to the threat of fileless malware [Tech Pro Research]

This ebook looks at what it is, how it could affect your organization, and ways you can protect against infections, reduce exposure, and prevent the damage from spreading to other networked systems.

CoreBot banking trojan malware returns after two-year break

Malware steals login details of online banking customers of TD, Des-Jardins, RBC, Scotia Bank, and Banque National in Canada.

This Android banking malware steals data by exploiting smartphone accessibility services

The notorious Svpeng malware takes advantage of an Android function designed to help people with disabilities use their phone.

Read more about malware

Editorial standards