What they do in the ShadowSEO: An Underground SEO from Russia

XVigil discovered a threat actor advertising search engine optimization (SEO) and website ranking services under the name ‘Shadow SEO’ on a cybercrime forum.
Published on July 20, 2022
Updated on May 22, 2023
Category: Adversary Intelligence | Industry: Multiple | Country: Global | Source*: E4

Executive Summary

Threat
  • SEO and website ranking services advertised for sale.
  • Services for identity reinvention are also available.
Impact
  • Increased phishing sites and impersonation attempts.
  • Possibility of nefarious activities like blackmailing, identity theft, etc.
Mitigation
  • Monitor unusual traffic on mirror/clone sites.
  • Identify and report phishing domains.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising search engine optimization (SEO) and website ranking services under the name ‘Shadow SEO’ on a cybercrime forum.
  • These services can be used by phishing websites to rank highly in search results, appear more credible to victims, and collect sensitive data.
  • Similar tactics have previously been observed in phishing campaigns against companies such as Ola Electric and in scam campaigns such as the Aadhar Printing Scams.
Figure: The crux of the threat actor’s post on the forum

Information from OSINT

  • SEO services are offered primarily for the Google and Yandex search engines.
  • CloudSEK’s researchers found the threat group’s PR site, which is currently not operational.
  • The actor is based in Russia and goes by the pseudonym "Dark Committee."

Services Offered by the Actor

  • The complete list of services advertised on the website is shown in the image below.
Figure: Complete list of services advertised by the actor on their website
  • The group is offering the following additional services:
    • Service to send out 5,000 spam emails on a daily basis
    • Website installation service to work with Hypothetical Reference Digital Path (HRDP) and HVNC (Hidden Virtual Network Computing) technologies
  • For those who want to change their identity entirely, whether to emigrate from the country or for other illegal purposes, the group also offers the following services:
    • Online services - developing a new identity for online purchases
    • Offline services - creating a new identity with a full package of accompanying documents that will be visible in all existing databases. It will be possible to register immovable and movable property under the new identity.

Threat Actor Activity & Rating

Threat Actor Profiling
  • Active since: June 2022
  • Reputation: Low (few complaints and concerns against the threat actor on the forum)
  • Current status: Active
  • History: Not interested in one-time collaboration attempts; previously involved in compromising entities in the USA, Germany, and Australia.
  • Point of contact: Jabber and Vipole
  • Rating: E4 (E: Unreliable; 4: Doubtful)

Impact and Mitigation

Impact
  • The SEO services can be used to push phishing sites higher in search results and make them look credible, helping cybercriminals harvest sensitive information from unsuspecting victims.
  • Threat actors can use the harvested information to apply for documents in the victim’s name and to impersonate the compromised victim.
  • Compromised information can be leveraged for account signups and email phishing.
Mitigation
  • Monitor for unusual traffic on mirror/clone sites of prominent institutions.
  • Identify and report domains impersonating a company’s name, offerings, and trademarks.
  • Monitor for suspicious logins on platforms where breached credentials were used.
  • Create awareness among the public about how to scrutinize a website and correctly distinguish an authentic site from its phishing counterpart.
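Two of the mitigations above, watching for traffic from clone sites and identifying domains that impersonate a company’s name, can be partly automated. The script below is an added example written for this page; it is not CloudSEK’s or XVigil’s tooling. It assumes a hypothetical protected brand (examplebank) and its owned domains, folds digit-for-letter homoglyphs and punycode, flags brand-embedded labels, subdomain abuse and short-edit-distance typosquats, and then applies the same check to the Referer field of constructed web-server log lines, since a clone site that hotlinks images from, or redirects victims to, the genuine site shows up there.

```python
import re
import unicodedata
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical brand being protected and the domains it legitimately owns.
# Constructed for this example; substitute your own values.
BRAND = "examplebank"
OWNED_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

# Digit/symbol-for-letter swaps commonly seen in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "|": "l", "@": "a"})

# Second-level labels that commonly sit under a two-letter ccTLD (co.uk, com.au, ...).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 without a public-suffix list (good enough for triage)."""
    host = host.lower().strip(".")
    if host.startswith("xn--") or ".xn--" in host:
        try:  # punycode labels: fold back to Unicode so confusables can be normalised
            host = host.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise_label(label: str) -> str:
    """Strip accents, drop non-ASCII confusables, and undo digit-for-letter swaps."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[str]:
    """Return why a host looks like brand impersonation, or None if it does not."""
    reg = registrable_domain(host)
    if reg in OWNED_DOMAINS:
        return None
    label = normalise_label(reg.split(".")[0])
    if label == BRAND:
        return "tld_or_homoglyph"        # examplebank.net, examp1ebank.com
    if BRAND in label:
        return "brand_embedded"          # examplebank-secure.com
    if edit_distance(label, BRAND) <= 2:
        return "typosquat"               # exarnplebank.net
    if any(BRAND in normalise_label(part) for part in host.lower().split(".")):
        return "brand_in_subdomain"      # examplebank.login-portal.net
    return None


# Combined Log Format: "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')


def referer_host(line: str) -> Optional[str]:
    """Pull the Referer host out of a web-server log line ('-' means none)."""
    m = LOG_RE.search(line)
    if not m or m.group("referer") == "-":
        return None
    return urlparse(m.group("referer")).hostname


def flag_referrers(lines: List[str]) -> List[Tuple[str, str]]:
    """Hosts sending traffic to us that look like clones of our brand, with the reason."""
    hits = []
    for line in lines:
        host = referer_host(line)
        reason = classify(host) if host else None
        if reason:
            hits.append((host, reason))
    return hits


# Constructed sample log lines (not real traffic). The third line shows a clone
# site hotlinking the genuine logo, a common tell for mirror/clone pages.
LOG_LINES = [
    '203.0.113.5 - - [20/Jul/2022:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "https://examplebank.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "https://examp1ebank-secure.com/verify" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jul/2022:10:02:30 +0000] "GET /img/logo.png HTTP/1.1" 200 8192 "https://exarnplebank.net/" "Mozilla/5.0"',
    '192.0.2.4 - - [20/Jul/2022:10:03:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, reason in flag_referrers(LOG_LINES):
        print(f"report/monitor: {host} ({reason})")
```

Run it on a daily referrer export or a certificate-transparency feed of newly issued names; hits in the "tld_or_homoglyph" and "typosquat" buckets are the ones worth a takedown request, while "brand_embedded" and "brand_in_subdomain" produce more false positives (partners, aggregators) and usually need a human look.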

Appendix

Figure: Domain registration information of the PR website, indicating that the domain is fresh
