It's been a bit since I last parsed out a SEO poisoning cluster. Here's a handy cluster of 623 domains. Each of them is a wildcard.

https://gist.github.com/rmceoin/beea16dc3ea1251851bc1f7e8ee7e9b7

Using these domains they each potentially have hundreds of thousands of results within Google.

A cluster is a set of sites that each point to others within that cluster. So, you just gotta grab one, look for links and follow the web to find them all. The fun part is this cluster is only M through P, so presumably only 4/26 of the total.

A quick sample of SSL certs shows these have been at it since around Sept 10th/13th.

Earlier in the year they seemed to like country code TLDs like .FR or .DE. Now they're all in with .COM.

#SEO_poisoning (is that a good hashtag for this?)

And just like before, if you click on a poisoned result you get to enjoy some robots before your malicious browser notifications inevitably arrive.

Well, I guess there are a couple other fine offerings. Some AI thing, of course. And a download with no description. The download ends up being something called "Chromstera Browser".

https://tria.ge/231005-2nnhlshg25/behavioral1

Have a look at the Hatching Triage automated malware analysis report for this sample, with a score of 8 out of 10.
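
The "grab one, look for links and follow the web" step described above, as an added example that is not the author's own tooling. The page data, the `.example` host names and every function name are constructed for illustration. Treating a domain as a cluster member only when it is reachable from the seed and also links back to it is an assumption, used to drop benign outbound links.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: registered domain -> HTML served by any of its wildcard hosts.
PAGES = {
    "mango-shop.example": '<a href="http://x9.nectar-deals.example/">a</a><a href="https://search.example/">b</a>',
    "nectar-deals.example": '<a href="http://q.olive-store.example/">a</a><a href="/about">b</a>',
    "olive-store.example": '<a href="http://zz.mango-shop.example/">a</a><a href="http://b.pear-market.example/">b</a>',
    "pear-market.example": '<a href="http://k.nectar-deals.example/">a</a>',
    "search.example": '<a href="http://news.example/">a</a>',  # benign outbound target
}

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.add(host)

def registered(host):
    # Collapse wildcard hosts; last two labels is an assumption (ccTLDs need a public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def out_links(domain):
    parser = LinkParser()
    parser.feed(PAGES.get(domain, ""))  # a real crawl would fetch the page here
    return {registered(h) for h in parser.hosts} - {domain}

def reachable(seed, edges):
    seen, queue = {seed}, deque([seed])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def cluster(seed_host):
    seed = registered(seed_host)
    graph, queue = {}, deque([seed])
    while queue:  # crawl every domain reachable from the seed, once each
        domain = queue.popleft()
        if domain not in graph:
            graph[domain] = out_links(domain)
            queue.extend(graph[domain])
    reverse = {d: {s for s in graph if d in graph[s]} for d in graph}
    return sorted(reachable(seed, reverse))  # crawled domains that also link back to the seed
```
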