Avoid malicious downloads when you’re surfing the web


When using a search engine like Google, how often do you click the top 3 links of the search results?

If the answer is ‘a lot’, you’re not alone. Over 25% of people click the first Google search result, with the 2nd result generating an average of 3x more clicks than the one in 6th position(1). 

Cyber-criminals are taking advantage of this, using Search Engine Optimisation (SEO) tactics to alter search results and direct victims to legitimate but compromised websites hosting malicious files.

We’ve recently received two separate alerts from our security tools, letting us know that malicious software (malware) called ‘Gootkit’ had been blocked from installing on employee devices. Both employees had searched the web for templates and attempted to download .zip archives, which were quickly flagged as malicious and blocked. When malware is successfully installed, cyber-criminals can access and control computers remotely, steal confidential and personal information and/or lock the user out of their files. 

The financial sector is more at risk

Researchers have noticed, almost without exception, that ‘Gootkit’ attempts are more likely to occur after users visit compromised websites claiming to host legal or financial content. If a cyber-criminal can infiltrate systems in these business sectors, it’s likely the information will be of high value.

The compromised websites are displayed in search results when the user searches for keywords such as “agreement,” “contract,” and “template”. Examples include searches for:

  • ‘Discretionary investment management agreement’
  • ‘Fixed term contract to permanent letter’
  • ‘Plea agreement template’

If the user unknowingly clicks onto a compromised site, they’re presented with what looks like a forum, delivering the answer to their exact question, using precisely the same wording as the search query. It appears the site administrator has provided a ‘direct download link’ to their required template in response to someone else’s question. If the user clicks the ‘direct download link’, they’ll receive a downloaded .zip archive, named to exactly match the original search query. Once the zip archive is opened, it contains a JavaScript file appearing to be the template, agreement or contract needed. However, this JavaScript file delivers the malicious software ‘Gootkit’.

What’s concerning is the simplicity of this and the widespread potential for victims. Lots of us could unintentionally install this malware if we aren’t alert to the signs.

Here’s an example of a compromised website being used to host Gootkit, live and top of the search results on Google today.

[Image: screenshot of the fake forum page on a compromised website]

What to look out for

The good news is this type of attack is simple to spot.  Here are our 5 top tips to help:

1) The forums on compromised websites look EXACTLY the same each time, like the fake post and admin reply in the above example. This is a key sign to look out for.

2) The downloaded template, contract or agreement will be a JavaScript (.js) file – genuine extensions for this type of file would be .docx, .pdf and .xlsx.

3) Avoid opening unusual file types such as .js (JavaScript) and .exe (executable), as they’re commonly used in malware attacks.

4) Refresh your security training to remind employees of the risks with downloading templates from unknown sources.

5) If you own a website, opt for web host providers who emphasise security in their own servers and keep up to date with patches.
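Tips 2 and 3 can be checked before anyone opens a download. The sketch below is an added example, not part of the original article or any Parmenion tooling: it lists the members of a .zip without extracting them and flags .js and .exe files, noting when the name resembles a template, contract or agreement. The function names and sample archives are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article calls out as unusual for a document download.
RISKY_EXTENSIONS = {".js", ".exe"}
# Search keywords the article associates with the lure pages.
LURE_KEYWORDS = ("agreement", "contract", "template")


def inspect_archive(archive, archive_name):
    """Return (member, reason) findings for a downloaded .zip.

    `archive` is a path or binary file object; nothing is extracted or run.
    """
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name
            suffix = PurePosixPath(name).suffix.lower()
            if suffix not in RISKY_EXTENSIONS:
                continue
            reason = f"{suffix} file inside a document download"
            lowered = (name + " " + archive_name).lower()
            if any(word in lowered for word in LURE_KEYWORDS):
                reason += ", named like a template/contract/agreement"
            findings.append((info.filename, reason))
    return findings


def make_zip(members):
    """Build a constructed in-memory zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples with harmless placeholder contents.
    samples = {
        "suspicious": make_zip({"plea_agreement_template.js": "// placeholder"}),
        "benign": make_zip({"plea_agreement_template.docx": "placeholder"}),
    }
    for label, sample in samples.items():
        print(label, inspect_archive(sample, "plea_agreement_template.zip"))
```

An empty result only means no .js or .exe member was found; it does not show the archive is safe.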

Sarah Coles

Information Security Manager


(1) https://www.searchenginejournal.com/google-first-page-clicks/374516/#close

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.  
