Security News > 2021 > April > Google Sites blight: Over 100,000 web pages for business form searches overrun with backdoor RATs

More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening business documents booby-trapped with a remote-access trojan that takes over victims' PCs and hands control to miscreants.

Infosec outfit eSentire on Tuesday said it has noted a wave of so-called search redirection shenanigans, in which people Googling for business forms and the like are shown links to web pages published via Google Sites - a Google-hosted web service - that offer a download of whatever materials they were looking for.

The Google Sites pages include common business terms like "Template," "Invoice," "Receipt," "Questionnaire," and "Resume," in order to convince Google's search algorithm that the pages are relevant for those searches.

Using the Google Search query below, which looks for the text label used in one of the download buttons that fetches a malicious executable, many of these booby-trapped pages could still be found at the time this story was filed.

Be advised, in case it's not obvious, that if you copy and paste this search string into your browser, you should not be clicking any download buttons encountered on any of the search results pages that Google returns.

The attack path involves a Google Sites page controlled by the attacker with an embedded download button that's served from an attacker-controlled host.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/14/google_sites_malware/