URL: https://www.deepwatch.com/labs/gootloader-poisoned-blogs-uncovered-by-deepwatchs-ati-team/

09.22.22
GOOTLOADER POISONED BLOGS UNCOVERED BY DEEPWATCH’S ATI TEAM

BY BEN NICHOLS, ERIC FORD

Imagine a threat actor so determined to sound authentic that they write
hundreds of blog posts just to get your attention. Now imagine the author (or
more than one) hosting those blogs on a legitimate site that translates them
into three different languages, then sending visitors to a fake forum page with
"helpful" links that lead victims into a well-conceived trap.

Now imagine them boosting their search engine optimization results. In our
latest report from Deepwatch's Adversary Tactics and Intelligence (ATI) group we
look at a technique where threat actors are compromising legitimate websites,
creating fake blog posts, and using overlays to display a fake forum page over
the blog posts, all to snare government, legal, real estate, medical, and
education victims with highly targeted content.


WHAT HAPPENED

In late August, Deepwatch's Adversary Tactics and Intelligence (ATI) group
responded to a customer incident highly likely associated with Gootloader threat
actors using the search engine optimization (SEO) poisoning technique.

Analysis of the blog post subjects suggests the campaign may have foreign
intelligence service influence. The threat actors used blog post titles that an
individual whose organization may be of interest to a foreign intelligence
service would search for, e.g. "Confidentiality Agreement for Interpreters."
The Threat Intel Team discovered that the threat actors highly likely created
192 blog posts on one site.

The fake blog posts cover topics relevant to government, legal, healthcare, real
estate, and education. Several blog posts relate to business and real estate
transactions in US states like California, Washington, and Wisconsin, while
others cover topics relevant to Australia, Canada, New Zealand, the United
Kingdom, the United States, and other countries.

You can read how Deepwatch approaches cyber threat intelligence here.


WHY IT MATTERS

Threat actors are becoming more sophisticated and putting in an unusual amount
of effort. Understanding how attacks like these work allows you to consider
gaps in your security posture and prepare employees for clever phishing
techniques.

Read the Full Report

© Copyright 2022 Deepwatch incorporated