San Jose, Calif.-based Cisco Talos revealed threat actors used search engine optimization to target specific users with Zeus Panda, a banking Trojan designed to steal banking and other sensitive credentials.


The attackers used malicious links more prevalent in Google search results to target numerous keyword groups, with most tailored towards banking or financial-related information that potential victims might search. By poisoning the results for banking and financial keywords, the attackers were able to effectively target an audience that regularly uses financial platforms, providing the attacker a quicker way to obtain credentials, banking and credit card information.


By targeting primarily financial-related keyword searches and ensuring the display of malicious results, the attacker also maximized the potential conversion rate of their infections, the blog post authored by Edmund Brumaghin, Earl Carter and Emmanuel Tacheau strongly suggested. “They can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc.”


The overall configuration and operation of the infrastructure used to distribute this malware did not rely on circulation methods regularly used for the distribution of malware. “This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time,” the Talos authors explained.


The initial vector used to initiate this infection process does not appear to be email based. In this campaign, the attacker(s) targeted specific sets of likely-queried search keywords of potential targets using search engines such as Google. By leveraging compromised web servers, the attacker ensured high ranking of their malicious results within search engines, thus increasing the likelihood of clicks by potential victims. In most instances, the attacker got their poisoned results displayed several times on Page 1 of the Search Engine Results Page for the maliciously-linked keywords.


In cases where victims attempted to browse to the pages hosted on these compromised servers, they would initiate a multi-stage malware infection process.


In other cybersecurity-related news, international hotel chain Hilton reached a $700,000 settlement agreement with two states over two separate data breaches discovered in 2015 that exposed more than 360,000 payment card numbers.


New York Attorney General Eric T. Schneiderman said the probe, conducted with the Vermont attorney general, revealed that Hilton did not provide consumers with timely notice and did not maintain reasonable security.


The settlement requires Hilton to provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program, and conduct data security assessments.


New York's Bureau of Internet and Technology investigators said they found Hilton did not maintain reasonable data security and also failed to comply with the Payment Card Industry Data Security Standard.


"Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible," Schneiderman said. "Lax security practices like those we uncovered at Hilton put New Yorkers' credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers' personal information."


New York will receive $400,000 of the settlement; Vermont will receive $300,000.


In August 2016 NAFCU President and CEO Dan Berger issued a statement following a string of hotel breaches including HEI Hotels & Resorts, Hyatt Hotels and Starwood Hotels & Resorts: “These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle’s point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers.”
