Many people wonder why websites, even very small ones such as personal blogs, ever get hacked. While there are many possible reasons why websites get hacked, it usually comes down to monetary gain.

Case in point, online crooks are abusing Google’s featured snippets via compromised websites that redirect to bogus online stores. A featured snippet is triggered when a user types in a question via a standard search. Google will display a block with a summary of the answer and a link to the site, on top of the regular search results.

Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing. In this particular case, a hacked Hungarian sports site (which has nothing to do with software or license keys) is used to game Google’s algorithm which programmatically determines that a page contains a likely answer to the user’s question.

People who click on the link will be redirected to cheapmicrosoftkey[.]com a site that offers various license keys for Microsoft products at ‘discounted’ prices. Buying from such dubious online shops is never a good idea as you might actually purchase stolen merchandise, or worse, get completely scammed.

Overview:

flow_snippet

Ransomware

In an added twisted, if you visited the Hungarian website directly, you would be redirected to the Neutrino exploit kit and get infected with the CrypMIC ransomware. This is a good example of the multiple ways criminals can monetize a hacked site. It is quite likely in this case that the site was hacked several different times in unrelated automated attacks, perhaps even via the same vulnerability.

Fiddler

While an individual compromised website may not generate a lot of traffic on its own, it’s simply a numbers game for criminals who can control tens of thousands of them and update their payload on demand.

If you are a website owner, remember that it is your responsibility to keep your software patched and secure, as you can unwillingly participate in online scams and attacks. Failure to fix your infected website can lead to getting blacklisted by popular search engines and browsers, a situation that can be painful to recover from.

As an end user, beware of online deals that sound too good to be true. This example is particularly tricky as people would be inclined to trust their search engine for showing them the answer to their question.

We have reported this particular abuse to the Google team.

Indicators of Compromise

Fraudulent domains:

frevvy[.]com
keyonsale[.]com
ecbrecords[.]com
ftp[.]neumediainc[.]com
buykeyonline[.]com
onlinekeyshop[.]com
windows7-8key[.]com
genuinekeyshop[.]com
office2016keys[.]com
windowskeysale[.]com
buymicrosoftkey[.]com
windows10keysale[.]com
windowskeyonsale[.]com
cheapmicrosoftkey[.]com
office2013keysale[.]com
officialkeyonline[.]com
windows7keyonsale[.]com
officialwindowskey[.]com
buywindows10keysale[.]com
windows10keysonline[.]com

IP: 185.139.238.210

Email registrant: bodfeo@163.com

CrypMIC: 0fec757b65dea409b368e02a72d16695e0a071347712fb29dfda12e0561d8247