
Mar 2025: Search Engine Optimization (SEO) Poisoning & Employment Lures

[Images: Employment Lure 1 Indicators, Employment Lure 2 Indicators, Employment Lure 3 Indicators]

What is the threat?

  • An actor known as TA4557 is using SEO Poisoning to distribute the More_Eggs backdoor.
  • SEO Poisoning is a method by which attackers use Search Engine Optimization techniques to promote websites that host malicious content.
  • This technique enables the threat actor to circumvent email security controls, because the email itself contains no attachment or link.

How is it used in the wild?

  • In this campaign, the threat actor contacted individuals in the hiring process and posed as someone interested in applying for a job.
  • They claimed they could not attach their resume to the email and asked the message recipient to search Google for their personal website and download their resume from there.
  • The threat actor utilized SEO Poisoning to ensure that the fake applicant’s website returned as one of the top search results, thereby leading the recipient to malicious content.
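
For mail teams, the lure described above can be triaged with a simple heuristic: a message with no attachment and no link that mentions a resume, gives an excuse for not attaching it, and asks the reader to search for a personal website. This is an added example, not part of the original advisory; the phrase patterns, function names and sample messages are constructed assumptions, and a match is a reason for review rather than a verdict.

```python
import re
from email import message_from_string

# Constructed phrase patterns (assumptions; tune them for your own mail flow).
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
RESUME_RE = re.compile(r"\b(resume|cv)\b", re.I)
EXCUSE_RE = re.compile(
    r"\b(could\s*not|couldn't|can\s*not|can't|unable\s+to)\s+(attach|upload|send)", re.I)
SEARCH_RE = re.compile(r"\b(search|google|look\s+(?:me\s+)?up)\b", re.I)
SITE_RE = re.compile(r"\b(my|personal)\s+(?:\w+\s+)?(website|site|portfolio|page)\b", re.I)

def body_and_attachments(msg):
    """Return (all text parts joined, True if any part is an attachment)."""
    texts, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts).replace("\u2019", "'"), has_attachment

def score_lure(raw_email):
    """Evaluate each signal of the 'search for my site' lure; flag if all hold."""
    text, has_attachment = body_and_attachments(message_from_string(raw_email))
    signals = {
        "no_attachment": not has_attachment,
        "no_link": URL_RE.search(text) is None,
        "mentions_resume": bool(RESUME_RE.search(text)),
        "attach_excuse": bool(EXCUSE_RE.search(text)),
        "asks_to_search_site": bool(SEARCH_RE.search(text) and SITE_RE.search(text)),
    }
    signals["flag"] = all(signals.values())
    return signals

# Constructed sample messages (not taken from the campaign).
LURE = """From: applicant@example.com
Subject: Application for open position

Hello, I am interested in the role. I could not attach my resume to this email.
Please search Google for my personal website and download my resume from there.
"""
BENIGN = """From: applicant@example.com
Subject: Application

My resume is available at https://example.com/resume.pdf for your review.
"""
if __name__ == "__main__":
    print(score_lure(LURE), score_lure(BENIGN), sep="\n")
```
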

Key Action: Report Suspicious Emails 

  • Stay alert for unsolicited emails from job candidates, especially if your organization has an applicant portal.
  • Exercise caution when anyone unexpectedly requests you to navigate to a website to download something.
  • Report ANY suspicious emails received in your UCSF email box using the Phish Alarm button.