Windows Servers are Taken Over by a “SEO Fraud-As-A-Service” Scam to Advertise Gambling Websites

Windows Servers Compromised in SEO Fraud Scheme


According to analysts, a hacker collective that was previously unidentified and may have originated in China has hijacked at least 65 Windows servers throughout the globe in a fraudulent search engine optimization (SEO) scheme that is most likely intended to promote gambling websites.


The group, dubbed GhostRedirector by the Slovak cybersecurity company ESET, has been active since at least August 2024, mostly targeting servers in the US, Brazil, Peru, Thailand, and Vietnam. Its victims span numerous industries, including insurance, healthcare, retail, transportation, technology, and education.

The attackers used two previously undocumented backdoors, Rungan and Gamshen. Rungan permits remote command execution, while Gamshen is intended to manipulate Google search rankings by covertly boosting gambling websites, especially those aimed at Portuguese-speaking users.

Researchers called it an “SEO fraud-as-a-service” operation, saying that Gamshen likely tries to infiltrate as many websites as possible and take advantage of their reputation to push visitors to a third-party website.

Although Gamshen doesn’t spread malicious content or have an impact on normal users, ESET said that becoming involved in the scam can harm affected websites’ reputations by linking them to dubious SEO strategies.


Because Gamshen is integrated directly into Microsoft’s Internet Information Services (IIS) web server, it has deep access to traffic and is more difficult to detect. On the targeted systems, GhostRedirector also used public exploits and other tools to create privileged accounts that could be used to regain access or install further malware if its other tools were removed.
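For defenders, one place to look for an unexpected IIS module is the `<globalModules>` list in `applicationHost.config`. The following is an added triage example, not code from ESET or from the original article: it flags native modules loaded from outside an expected directory. The sample config, the module name `ExampleExtraModule` and the expected-directory list are constructed assumptions; the article does not say where Gamshen is installed, so a hit means "review this DLL" and a clean result does not clear a server.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of %windir%\System32\inetsrv\config\applicationHost.config.
# The third module name and its path are made up for illustration.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%SystemRoot%\system32\inetsrv\static.dll" />
      <add name="ExampleExtraModule" image="C:\ProgramData\example\extra.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Assumption: directories this server's administrators expect modules to load from.
EXPECTED_DIRS = (r"%windir%\System32\inetsrv",)


def normalize(path, windir=r"C:\Windows"):
    """Expand %windir%/%SystemRoot% and fold case, as Windows paths compare."""
    lowered = path.lower()
    for var in ("%windir%", "%systemroot%"):
        lowered = lowered.replace(var, windir.lower())
    return ntpath.normpath(lowered)


def audit_global_modules(config_xml, expected_dirs=EXPECTED_DIRS):
    """Return (name, image) for each native module outside the expected directories."""
    allowed = {normalize(d) for d in expected_dirs}
    findings = []
    root = ET.fromstring(config_xml)
    for section in root.iter("globalModules"):
        for mod in section.findall("add"):
            image = mod.get("image", "")
            if ntpath.dirname(normalize(image)) not in allowed:
                findings.append((mod.get("name"), image))
    return findings


if __name__ == "__main__":
    for name, image in audit_global_modules(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

Each flagged DLL should then be checked for a valid signature and compared against the software legitimately installed on the server, alongside a review of recently created local administrator accounts.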

ESET determined that there was “medium confidence” that an organization with ties to China was responsible for the effort.  Researchers from Cisco Talos discovered DragonRank, another China-affiliated scheme, last year, which similarly exploited IIS modules for SEO fraud.

ESET does not think the two operations are related, despite observing some resemblance in the targeted sectors and victim geographies.

“Rather than focusing on a particular group of entities, these were probably opportunistic attacks that took advantage of as many weak servers as possible,” the researchers continued.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
