| Category:
Adversary Intelligence |
Industry:
Multiple |
Country:
Global |
Source*:
E4 |
Executive Summary
| THREAT |
IMPACT |
MITIGATION |
- SEO and website ranking services advertised for sale.
- Services for identity reinvention are also available.
|
- Increased phishing sites and impersonation attempts.
- Possibility of nefarious activities like blackmailing, identity theft, etc.
|
- Monitor unusual traffic on mirror/clone sites.
- Identify and report phishing domains.
|
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising the services for search engine optimization (SEO) and website ranking under the name of ‘Shadow SEO’, on a cybercrime forum.
- These services can be used by phishing websites to rank highly in search results, make themselves seem more credible to victims, and collect sensitive data.
- Similar tactics have previously been observed in phishing campaigns against companies such as Ola Electric and in scam campaigns such as the Aadhar Printing Scams.
[caption id="attachment_20047" align="aligncenter" width="1317"]
The crux of the threat actor’s post on the forum[/caption]
Information from OSINT
- SEO services are offered primarily for Google and Yandex search engines.
- CloudSEK’s researchers found the threat group’s PR site which is currently not operational.
- Actor is based in Russia and goes by the pseudonym "Dark Committee."
Services Offered by the Actor
- The complete list of services advertised on the website is shown in the image below.
[caption id="attachment_20048" align="aligncenter" width="1447"]
Complete list of services advertised by the actor on their website[/caption]
- The group is offering the following additional services:
- Service to send out 5,000 spam emails on a daily basis
- Website installation service to work with Hypothetical Reference Digital Path (HRDP) and HVNC (Hidden Virtual Network Computing) technologies
- For those who want to entirely change their identities in order to emigrate from the country or for other illegal purposes, the group also offers the following services:
- Online services - developing a new identity for online purchases
- Offline services - creating a new identity with the full package of accompanying documents that will be visible across all existing bases. It will be possible to register immovable and movable property on the new identity.
Threat Actor Activity & Rating
| Threat Actor Profiling |
| Active since |
June 2022 |
| Reputation |
Low (Few complaints and concerns against threat actor on the forum) |
| Current Status |
Active |
| History |
Not interested in any one-time collaboration attempts and previously involved in compromising entities in the USA, Germany, and Australia. |
| Point of Contact |
Jabber and Vipole |
| Rating |
E4 (E: Unreliable 4: Doubtful) |
Impact and Mitigation
| Impact |
Mitigation |
- The SEO services can be exploited for improved phishing sites that help cyber criminals exfiltrate sensitive information from unsuspecting victims.
- Threat actors can use the harvested information to sign up for documents, and to impersonate the compromised victim.
- Compromised information can be leveraged for account signups and email phishing.
|
- Monitor for unusual traffic on mirror/clone sites of prominent institutions.
- It is recommended to identify and report domains impersonating a company’s name, offerings, and trademarks.
- Monitor for suspicious logins on platforms, where breached credentials were used.
- Create awareness amongst the common man to scrutinize and correctly differentiate an authentic website from its phishing counterpart.
|
References
Appendix
[caption id="attachment_20049" align="aligncenter" width="1432"]
Domain registration information of the PR website, indicating that the domain is fresh[/caption]
