
Search Engine Marketing Abuse With Look In Hospitality Area - Tomas Krasnican & Miroslav Horacek

BSides Prague · 41:54 · 89 views · Published 2025-04

All right. So after this very technically in-depth topic, we are going to introduce you to something that is a little bit more abstract, and it is still a big issue. So why would this topic even matter that much to us? Well, it matters to us as security professionals, but it also matters to us because we need to protect the people that are close to us. And by that I mean the people that generate revenue for our products as well. So we will first introduce ourselves. My name is Mira. I am from a company that provides software to the hospitality industry called Mews. I work there as a product security engineer. Hi everyone, I'm Tomas. I'm working as a security engineer at Nobit.

So at first we will dive into a topic that is a little bit far from the main goal of this talk, but let's dive into it nonetheless. As you can see on the screen, there is an application that was published on the App Store, and that application was sponsored to appear at the top of the search results. Once you, as a curious user, download it and go through KYC, it will do basically nothing. So you uninstall it, you go about your day, and somewhere down the line you realize that somebody is using your identity to get some loans or whatever, right? So you report it. You're like, well, what's the worst that can happen right now? You Google for some other trading app because, you know, you need to sell those stocks during the new presidency, and you will click on the first ad that is on Google. Voilà, you ended up in the same place. So, while we are not going to be focusing on other platforms, it is worth mentioning that those platforms specifically that have ads are generally going to target monetization a little bit more than the safety of the usual user. We are talking about Spotify, Facebook, Instagram, all of those advertising platforms that basically care mostly about the revenue.

So let's focus on search engines, because that's the main topic of our talk. Here you can see a TeamViewer example. Downloading software is a pretty wild west. Here the user looks for the software and there is an ad. You can probably tell by the URL that something is wrong here, right? There are many, many other examples. Threat actors are focusing on Blender, which is graphic design software, and before the vendor's legitimate site, three malicious ads are shown. There is another example with OBS Studio, which is a video streaming platform. If the victim clicks on the link, they land on a site which looks like the legitimate software site, right? They download the software hoping they will maybe stream something tonight. Instead, they will end up with malware and probably reinstalling their PC. Threat actors are focusing on technical users as well. This is an example with Notepad++. Interestingly, for those of you who are lucky enough to see the bottom of the screen, there are malicious ads displayed. The interesting thing is that if you look closely at the domain, the malicious domain looks even more legit than the real one. And again, you land on a page where you will end up with malware. The interesting thing here is that threat actors are offering Linux and Mac variants of Notepad++, which are not supported by the vendor, and this is another way they are sourcing customers, or rather victims, because chances are that some users will look for a Mac or Linux variant of Notepad++, and since this is the only site offering such software, they may end up here.

Then we get into the more sophisticated ones. Most of us that use a Mac, I would say almost all of us, will use Homebrew. So just look at the top of the screen. You can see that there is something that very closely resembles the brew.sh domain. It looks like that on the ad, right? It even has a site map. Everything looks nice and clean. And then you click through it and you end up on brewi.sh with a curl command that will inevitably cause you to install some backdoor malware onto your computer anyway. Yeah. Do you remember the hype around DeepSeek? It got large media attention, and everyone wanted to try it, maybe to learn what happened on Tiananmen Square and things like that. Again, you put the tool into the search bar, and an ad appears for a site you have never been to. So you cannot tell if it's legit or not. And here you will again end up with malware.

All these things we saw have one common denominator, one thing that they share, right? It's monetization. And obviously those big corporations, as I was mentioning previously, and all of those advertiser platforms are going to aim to maximize profit even if it makes the user suffer a little bit on the platforms themselves. So there has to be some rule in the universe that will cause it to backfire on them, right? Yeah. Imagine you are in some advertisement copywriting environment. You are managing a Google Ads campaign, right? You want to change something, tweak something. You need to log into the account. Chances are you will again search for the Google Ads dashboard, because you don't remember the URL, and there is a first link which looks like the Google Ads platform, and based on that you end up in a place where the advertisers themselves supply the attack chain with accounts that are valid for advertising those other products, those other pieces of software that we've seen previously. And the number of those ads is so staggering that if we wanted to go through them, we wouldn't be able to do it in a day. So this is such a big problem, and Google is so unaware and just not even trying to do something about it, that who knows where it goes next. Apart from being nice karmic payback to Google, if you think about it from the attacker's perspective, it's pretty smart, right? Because in this way they are sourcing victims' accounts, so they are saving resources on creating their own, going through the verification process, submitting passports, maybe your passports, and things like that. Also, by this they are saving money, because for their malicious campaigns they are using the victims' credits instead.

Oh, sorry. And this leads us to the emergence of a business model, believe it or not, which is phishing as a service. So, in order to get as big a reach as possible, they are creating those as-a-service type offerings, right? That basically has a very similar model to any other SaaS. You have your tiers, and then you end up paying on average about $500 a month for something like this. This is also not the last time that you're going to be paying the attackers, or the providers of that platform. Yeah, you may be wondering, is this a typo? The thing is, if you use ChatGPT and use the wording "fishing" instead of "phishing", suddenly all moral concerns are gone and you will get all you need, and that's kind of getting us into the idea of how to actually operate with those platforms and how to even get in. They are distributed from Telegram groups, and while there are so many of them, it is kind of hard to understand how to get into them. It is on the same level as getting into a Signal group chat of high-ranking US government officials. And it basically allows you to then take that kit and assemble it in such a way that it's as easy as really getting a box out of IKEA, and boom, you have a wardrobe.

Yeah. Once you have your kit sourced, you move to campaign configuration. You buy a new domain. By the way, who loves buying domains? A lot of us. Yeah, threat actors do. So then you will set up your campaign, which is as easy as putting the URL of the site you would like to clone into a self-service portal, and boom, within a few minutes you have a brand new clone of the site you are targeting. And as I said, the business model doesn't end here, right? So once you actually get the data out of the victims, be it credit card details, all those things that might be relevant for further sale, you still support your local provider. You basically pay them royalties on the basis of the revenue that you're generating.

And I think it's a good idea to step away for a bit from that abstract layer and have a look at what one of the platforms actually looks like. So at the very beginning you would have, let's say, a superbly targeted phishing when it comes to providers like DHL, whatever, and I know that many of us receive messages about a pending package all the time, right? So the sites that land you there are not very sophisticated, but they do the job for the less tech-savvy users. But maybe let's have a look at how it looks now. Yeah, this is the screenshot from a phishing platform where, as said, you put your URL in and it will create a clone of the site. It's similar to a no-code platform you may be familiar with, such as Power Apps. It's pretty similar. It's no-code. It's easy to use. You don't need to have coding knowledge in order to use them. The only large difference, I would say, is that if you have some issues here, you will actually get help from the support. Yeah. And basically on that previous screen you could have seen all of those components that are on the front end of the application. This software basically allows you to put your fraudulent payment gateways in the place of a valid one. And then what else could you do, right? You launched your phishing campaigns on seven, eight different companies, with a convenient way to have a multi-tenancy application that allows you to administrate from one single pane of glass. I'm pretty sure you can change the picture of the administration interface as you want to. Yeah.

There are many features. Some of them are pretty advanced. One technique threat actors love to use is sophisticated cloaking. They leverage data such as geolocation information, user agent, JavaScript, even something as sophisticated as the HTTP Accept-Language header from the browser, to hide the malicious site from security researchers and security scanners while still being accessible to the victim. I remember one story where from the customer's CRM we had information that customers were being targeted by phishing on this particular domain name, and apart from blocking it, we wanted to report the domain to security vendors so no one else would fall for the phish. But due to the cloaking mechanisms in place, neither we nor the security vendors' scanners were able to access the site to confirm our reporting. And then after you're all done, you get to report on everything that you've gathered, right? You have a convenient way to actually use those credentials, use those credit cards and maybe clone them, maybe create virtual credit cards that the vendor then puts into a burner phone and sells. So just imagine the level of monetization that comes out of one simple thing: they are just recycling that content over and over again, and they are still making a lot of money out of it.

And I think it is also important to step back and understand the history of this prevalent methodology. While we are not going to be mentioning stuff like the previously used techniques in 2016 with Adobe Flash, because nobody probably uses it anymore, it's mostly about targeting those as-a-service platforms. So in order to do so, you have to understand that at the very beginning you would have those DHL clones that are not very credible, yet they still generated a lot of revenue, and it was lucrative to launch those campaigns for those people. So they ended up launching large-scale attacks, which inevitably led to a consequence from, well, let's say the good guys. Yeah. In 2022, Microsoft researchers uncovered the BulletProofLink operation. It was the first time a really large-scale phishing-platform-as-a-service was uncovered, offering more than 100 pre-built templates for the brands and sites you are familiar with, such as Google, Microsoft, Facebook, etc. Later, in 2024, the cybersecurity community was very amazed by the features of a new platform that they saw. It's called dark claw version two: again an even more sophisticated phishing-as-a-service campaign, more templates, more automation, higher customization, enabling threat actors to launch really large-scale campaigns. And while we are all quite acquainted, I think, with Kuba Gretzky's Evilginx for instance, there is still a difference between those things, right? Because this is a piece of software, and they are offering a platform that is easy to jump into. So the barrier of entry is so much lower, and the conventional ways that were the standard five, ten years ago, about having MFA or basically anything that's phishable, are right now going out the window, because they can replay all of those credentials in real time. So basically they pivoted from being able to only harvest credentials to now being able to replay those attacks in real time and then hook some automation to the credential-obtaining process. So who knows where we go next.

And all of these things are about trust, right? You trust your search provider that they will not end up showing you malicious content. We might not, but the users do, and the users of our platforms do. And it is also important to understand that they are going to be targeting those industries that work with that model of an economy of trust, because that model is just so convenient for the user to kick back and not care about anything else that it is easy to exploit those patterns. So where better to start than retail?

Let's have a look at the problem from a different perspective. Not long ago, a customer turned to us with the problem that some threat actors were mimicking their site. They are retailers. They are selling goods to customers, and the user flow would be: a user wants to buy something, so again they will start with a Google search looking for the brand name, because everyone does it that way, and this particular customer uses a custom TLD. Nevertheless, the customer Googles for the retailer, clicks on the first link, ends up in their e-shop, goes through the purchase process, orders goods, and on the payment gateway part they will skim their credentials. I think in this particular case, since they were targeting Czech-based victims, they also offered a way to pay through your bank, where they will try to steal money from your bank account. And this is just a convenient way, right? You're shopping for a last-minute gift again, and then you end up waiting for that package, and then the bank calls you that your credit card is being used in Barus. So yeah, things like that sadly still happen.

Yeah, let's add some emotions and psychology to the effect. Let's imagine you are traveling somewhere. How many of you were staying at a hotel last night? A lot of you, right? Traveling as such is pretty stressful for many people. You are often traveling to destinations you don't know. And imagine you are sitting on the plane 20 minutes before take-off, looking forward to checking in at your hotel, when your phone vibrates and you see a WhatsApp message from your hotel saying, well, there was some issue with your booking, you are expecting to check in tonight, please fix it as fast as possible, you have, I don't know, 15 minutes to fix it. What would you do? This is another example using a phishing email instead.

And this is, particularly for me, a little bit closer to home, because as I've mentioned I work in a company that is providing software to hotels, right? So it wasn't that long ago that we were facing a similar attack. The pathway is still the same. It is just a very generic targeting of the brand itself. So imagine our hotel user just goes to Google search and looks for our login. I don't blame them honestly, because I couldn't possibly tell where to download brew at first glance, so I would Google it myself. And then after clicking on this ad that looks seemingly like app.mews.com, they end up on a typosquatted domain. In the search it looked like an ad targeted towards our product, but in the end they end up submitting the credentials and everything else to the attacker.

And in order to understand their modus operandi, it is convenient to go through the attack chain. So at the very beginning, the threat actors would be looking into pathways to gather some information about your industry. Let's say when do you target ads, where do you target ads, what are the industry-specific working hours, peak hours. So they can understand when to launch those campaigns and get as much information out of them before they get taken down. Which, by the way, in the case of a domain takedown doesn't take that long as with Google, because you submit a complaint to Google and you will get an email back in four days saying that there was nothing wrong with that ad, even though it was blatantly targeting something else. Then you get into a position where you, as a threat actor, get to set up that platform. As we mentioned previously, it is quite easy. So easy that you just put a URL into that software and it will generate everything. And again, technically a Power Apps simulator, and you modify it to your liking. You get the payment gateway there or the credential harvester there, and you go on.

Yeah. Once your brand new site is set up, you begin with optimization, and threat actors are very good at SEO. They are so good that even some seasoned e-commerce pros would be amazed by their skill. This SEO optimization elevates the site ranking for these specific keywords to near the top of the search, or to the top. And once the site is optimized, it's basically a trap for the users. Using these specific keywords, you are luring users to your mimicked site, trying to convince them to share their credentials with you, or download malware, or ideally both. And this leads to the same pathway again: money. So once all of this is done, they monetize the data, they launch their campaigns that would target the customers of the customers, and so on and so forth, and then you end up in a place where you understand that the funnel actually looks something like this. So while the progression is kind of linear at the beginning, they are still learning from their mistakes and they are still trying to play cat and mouse with us. So just looking at this, based on the amount of money they get, they understand that they, for instance, got taken down way too quickly. So they will start again, just blocklisting the domains and the IP addresses of those people that were actually behind those takedowns. Then this leads to an optimization of the SEO again, because maybe they missed a point in time; they are trying to target specific events as well. If you remember the Olympic Games, during that time it was just insane. So they are very aware of what's happening in the world.

Yeah. Let's have a look at conversion rates and maybe the economic side of things for a multi-chain attack. The journey usually begins with malicious ad placement, where thanks to optimized SEO, threat actors have a click rate for their malicious site as high as 65%, compared to any other ad you or anyone would try to run. Once the ad is seen, the user clicks on the fake page and submits credentials or a session. Now imagine that threat actors gain access to the customer's CRM, for instance from the credential submission. They are pretty efficient. They start to abuse the platform as much as the platform allows them. Would you like to export your customers? Here you go. We would like to place some fake malicious order? Here you go. Or some platforms allow you to even communicate with your customers, so you can phish the customers of the victim on their behalf using their own tooling, right? And the results: studies suggest that these successful attacks are yielding a return on capital employed. This measured return creates a powerful economic incentive for individuals who see these attacks as high-reward investments. Just mind you that that was just for the people that actually buy those kits, right? There is no feasible way to understand what the return would be for the people who actually provide those platforms.

Yeah. So now, where to start? Most of us have long been familiar with protecting your environment and your employees by using CMS for Microsoft 365, etc. We need to expand this protection to our platforms, to our customers, and to the customers of our customers and our users. But this is still where the issue kind of lies, right? You would say it has an easy solution: you can just ban the ads on the computers of your employees. Can you do that for your customers? You don't usually have access that close into the customer's networks and their ways of working, right? So this is also something that you need to tackle as a company. So obviously, if your user or your customer falls for phishing, it is their problem most likely, right? But you also need to understand that you need to do so many things that just happen to help the customer not fall for it. So I wouldn't blame it entirely on the customer. Never, because it would lead to churn honestly, and it needs to put you into the light of being a partner of that customer, not just a random provider.

Yeah, exactly. You need to bring the customer into the process. Most of us are used to things like regular security awareness training or regular phishing campaigns provided by our employer, but our customers don't have this tooling in place. So through communication you need to explain to them why it's important to pay attention to certain things, and bring them into the process basically. And for you as a security professional, and I think that this has been a topic of so many talks, at least a glimpse of it was always there, it is important to stay close to what your product is doing. It is important to stay close to the table where the decisions are being made. And that leads me to my favorite topic, which is security as a product partner. Because if you think about it and you go through your career, have you worked at a company that didn't take security seriously? I think that most of us have, right? I see a lot of hands. Yeah. So in order to evade that, it is not only about the stakeholders not trying to give you buy-in; it's about you not being able to somehow supply the right reasons for that. Right? So making sure that you are as open to conflict in a constructive way, and you're not trying to solve these problems with obscure solutions that would hinder user experience, or generally any experience, those things will lead you to be in a better position when it comes to the rest of the engineering groups. So just by that definition, launching a security awareness group like security champions, which helps a ton, and you would be surprised how many people care, is getting you closer to that. And if you are not able to put that foot into the door, just try something like looking at an architecture diagram of a feature that has already been built and do a light threat model. Talk to the people; it is all about networking. When you work with security, it's more about working with people. So understanding that is a pathway to what we launched as a product: Let's Talk.

So this partnership helps you to stay close to issues like inconsistent logging or building anomaly detection into the product. All of these things: it is highly important to know what's happening under the table. So in the case of SEO marketing in particular, let's focus on the things that are out on the internet before you even start talking to the engineers. Right? So just imagine that you need to be aware of the surroundings of your product and be aware of where the threat might be coming from. Monitoring newly issued TLDs, monitoring newly issued DNS records on parked domains that might target you eventually, and working proactively on malicious domain takedown, either internally or with a vendor, is very feasible, because by that definition you are already creating friction for the attackers. An important part is anomaly detection. You have your data. You need to leverage your data and algorithms to tell you what's suspicious, where the anomalies are. This could be as simple as flagging that a user has logged in from a country they never logged in from before, or doing things like impossible travel, etc. Those are good places to start. And while you might say that anomaly detection is already built into a lot of products that you use, it's not always the case with the products that we build ourselves, right?

But even then, just to further prove your idea, there are so many industry threat intelligence groups; even though they are mostly targeted at IT procurement and all of these things, they still help a lot. You can make sure that you are sharing the IoCs with them as well, and making sure that you are on top of the game when it comes to vendor selection, because you will not burn that much money and that much time choosing the right tools for the job, or maybe building them on your own. And while you are at this stage, you can also make sure to give your customers some sort of a way to give you feedback on where the fraud is. You can essentially use them as your first reporting line, right? So if you have an abuse box that they are acquainted with, you are kind of helping yourself monitor digital risk, although usually it will be too late, but you are also by that definitely building a huge case for a more effective domain takedown. It's not going to be only about domain takedown; you are going to be able to take down multiple parts of the infrastructure if you just consider the WhatsApp messages that we were showing. Just putting the puzzle together and reporting it in bulk will land you a much better result.

Yeah, those are noble ideas, right? But building a product SOC is pretty hard. There is no silver bullet solution. There is no one-size-fits-all template. You need to spend resources on custom tailoring things for your platform. For instance, you know your platform: if a user logs into the CRM, it's uncommon for exporting all the customers to be the first step they do, right? Yeah. Automation is another important aspect of product life. One thing we haven't mentioned or articulated is that these targeting campaigns are happening extremely fast. The time window between ad placement, the user being phished, and the ad disappearing can be as short as 20 to 30 minutes. Everything is happening extremely fast. If you are not responding to incidents in an automatic way, then in the moment you are responding to the incident, the attack is most likely late already. And yeah, nowadays, yesterday we heard about AI less frequently than we thought we would hear; I don't know if the hype is over, but AI can help you leverage the data and the signals you have to respond to them more efficiently. I remember another customer where by leveraging things like AI we were able to decrease the workload on their L1 SOC analysts by 90% or so.

And then you get into the idea again of building that internal structure, and we know that performance-based or bug-based incidents tend to be resolved quite quickly. When it comes to longer-running incidents in security, it is pretty hard to get a task force for it. It is pretty hard to get buy-in. So by proactively looking at it from the perspective of the previous parts, where you are trying to basically build your internal network and get the buy-in from the stakeholders like the engineering VPs and such, and showing the value once you're starting, you also build an internal network that is able to help you a lot with security incidents, and it drives initiatives like defense in depth and all of these things into a place where you are just able to nicely tie those things together. Yeah, the topic is very interesting for security consultants. I'm not saying this only because I have an incentive to do so, but it's always useful to have someone at hand whose experience you can leverage to build solutions, avoiding dead ends and things like that.

And this also puts us in the direction of trying to build as much friction as possible for the attackers. Social engineering is not going to stop. So you can already think about the attacker already being in. How do you make it harder for them to actually execute their actions even if there is none? How do you leverage that anomaly detection? How do you leverage that product SOC? Are you going to leverage it by trying to hit obscure pathways to eliminate the threat by 100%? No. The only way to eliminate it by 100% is to just go out of business, right? And if you're not in the partnership phase with the customer, you might as well. So understanding that pathway is super important, and making sure that you are maybe putting in just a few branches here and there, and by that breaking that pathway for a clear-cut exfiltration of data or credit card fraud to the attackers, is hugely important, because there is essentially no silver bullet.

Yeah, that's right. We love solutions that will solve all of the problems we had. I remember a discussion with another customer when they were trying to onboard users to MFA. The argument was that, I don't know, 10% of the users don't even have a smartphone. So instead of rolling it out to the rest and figuring it out later, they spent months finding the ideal solution. And let's stick with the MFA example. You may remember the funnel. Imagine a scenario where you successfully onboard only 20% of your users to phish-proof MFA. The impact on the economic side, on the threat actor's side, is that the lure rate drops by 60%, which is a huge impact on the attackers' revenue. And yeah, at this point, if we understand how to partner up, how to build those things, we are on a pathway to be more proactive when it comes to further and future social engineering practices that land the customers into the hands of the attackers, and by that you are already halfway there, because you are seen as a strong partner. Yeah, remember phishing isn't only emails, and build a product SOC, because in the end, by building solutions like that you are signaling to the world that you care about your users' and your customers' security, and in the end companies who are willing to invest in their users' security have some competitive advantage. And yeah, this is where our story ends, but it doesn't end there. It doesn't end there for the industry. So if you want to look at the resources that we were using, or generally just connect with us, please use either the TinyURL or the QR code. And I would very much like to thank you for your attention.

And also we have some time. So if somebody has any questions, please just... ah, I see a hand there. Do we have a microphone,

or doesn't seem like it. Can you shout?

How come? Right. So that is a very good question. Google allows you to use click trackers. If you're using click trackers in the tracking campaign field in the Google Ads issuance, you are able to submit the ad at the very beginning with the legitimate site, and then once that's verified, you just go back to the click tracker software and you replace that. Basically you are setting up a campaign on your target victim's domain using a click tracker or link tracker which you have under your control, and when you want to redirect your victims to your site, you change the parameters. This is also the place where you can implement cloaking, redirecting only a selected set of your victims to your phishing site and keeping the rest on the real one. Yeah, this is exactly why the ad looks legit, right? Because the URL on the ad looks like the legit site, because it is, but the chain of redirects lands you at the fake one.

Oh, there is one more, please. That's a great question. Yeah. The legal response from Google in this particular case. I will tell you how it works, right? So you submit a takedown of an ad. Four days later, you receive... Exactly. This is exactly what it depicts. You receive an email back that they found nothing fraudulent with it, because the window of the advertiser was like 20 minutes. They are not really tracking those changes in the click-through link, because that link is not under their jurisdiction. And then if you want to dispute it, you can do it in a way that you are basically submitting a lawsuit against them, and that's it. And we've had some experience with talking to Google directly. They don't care. Nope. It's just a sad place that we live in, because again, money talks. And another aspect is that those things are happening extremely fast. So once you have your malicious ad, in the moment you are responding it's late already, because chances are that some users have already seen the ad or got their credentials stolen. Fantastic. Do we have anyone else? Doesn't seem like it. So again, thank you very much. Thank you, and it's been a pleasure.
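As an added example (not code from the talk, nor from either speaker's company), here are the three product-SOC checks the speakers describe, run over constructed CRM audit events: a login from a country the user has never logged in from, impossible travel between two logins, and a bulk customer export as the very first action after login. The event format, country coordinates and the 900 km/h speed threshold are assumptions.

```python
"""Product-SOC style anomaly checks over constructed CRM audit events.

Assumptions (not from the talk): events carry a timestamp, user, country and
action; countries are mapped to rough coordinates; travel faster than
MAX_SPEED_KMH between two logins counts as "impossible travel".
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed approximate (lat, lon) per country code, for the travel check.
COUNTRY_COORDS = {
    "CZ": (50.08, 14.43),
    "DE": (52.52, 13.41),
    "BR": (-23.55, -46.63),
}
MAX_SPEED_KMH = 900.0  # assumption: roughly airliner speed


@dataclass
class Event:
    ts: datetime
    user: str
    country: str
    action: str  # "login", "view", "export_customers", "send_message"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect(events, baseline_countries):
    """Return (user, rule, detail) alerts in time order.

    baseline_countries: user -> set of countries seen in historical logins.
    """
    alerts = []
    seen = {u: set(c) for u, c in baseline_countries.items()}
    last_login = {}          # user -> most recent login Event
    awaiting_first_action = set()  # users whose next action is the first after login
    for ev in sorted(events, key=lambda e: e.ts):
        seen.setdefault(ev.user, set())
        if ev.action == "login":
            if ev.country not in seen[ev.user]:
                alerts.append((ev.user, "new_country", ev.country))
            prev = last_login.get(ev.user)
            if prev and prev.country != ev.country:
                a, b = COUNTRY_COORDS.get(prev.country), COUNTRY_COORDS.get(ev.country)
                if a and b:
                    hours = (ev.ts - prev.ts).total_seconds() / 3600
                    if hours <= 0 or haversine_km(a, b) / hours > MAX_SPEED_KMH:
                        alerts.append((ev.user, "impossible_travel", f"{prev.country}->{ev.country}"))
            seen[ev.user].add(ev.country)
            last_login[ev.user] = ev
            awaiting_first_action.add(ev.user)
        elif ev.user in awaiting_first_action:
            awaiting_first_action.discard(ev.user)
            if ev.action == "export_customers":
                alerts.append((ev.user, "export_first_action", ev.action))
    return alerts


# Constructed sample: alice is a Czech user whose account is replayed from
# Brazil one hour after her own login and immediately bulk-exports customers;
# bob commutes between DE and CZ, which is normal for him.
BASELINE = {"alice": {"CZ"}, "bob": {"CZ", "DE"}}
SAMPLE_EVENTS = [
    Event(datetime(2025, 4, 1, 8, 0), "bob", "DE", "login"),
    Event(datetime(2025, 4, 1, 9, 0), "alice", "CZ", "login"),
    Event(datetime(2025, 4, 1, 9, 5), "alice", "CZ", "view"),
    Event(datetime(2025, 4, 1, 9, 30), "bob", "DE", "view"),
    Event(datetime(2025, 4, 1, 10, 0), "alice", "BR", "login"),
    Event(datetime(2025, 4, 1, 10, 1), "alice", "BR", "export_customers"),
    Event(datetime(2025, 4, 1, 12, 0), "bob", "CZ", "login"),
    Event(datetime(2025, 4, 1, 12, 2), "bob", "CZ", "send_message"),
]


def run_demo():
    return detect(SAMPLE_EVENTS, BASELINE)


if __name__ == "__main__":
    for user, rule, detail in run_demo():
        print(f"ALERT {user}: {rule} ({detail})")
```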