Phishing Sites Disguised as KakaoTalk, Claude Downloads Steal User Data

Phishing Attacks Impersonating KakaoTalk and Claude Surge
Top Search Rankings Cause User Confusion
KISA: "Install Only from Official Websites"

By Kang Ji-won
Stock photo for illustrative purposes. ClipArtKorea - Seoul Economic Daily Society News from South Korea

Phishing sites impersonating download pages for popular software such as KakaoTalk and Claude have been appearing prominently at the top of search results, according to cybersecurity authorities. Running the installation files plants malware on users' PCs that steals personal information.

Phishing Sites Top Search Results, Targeting KakaoTalk and Claude

According to information disclosed by the Korea Internet & Security Agency (KISA) on Tuesday, an unidentified hacking group was confirmed to have built a site impersonating the official KakaoTalk PC version download page to distribute malware.

The site operated for two months from February 10 to April 14, causing an estimated 560 cases of malware downloads.

The attackers manipulated major search engines including Google and Bing so that the phishing site appeared at the top of results when users searched for terms such as "KakaoTalk PC version" and "KakaoTalk download." The structure makes it easy to mistake the phishing site for a legitimate search result.

When users download and run the installation file from the site, malware capable of stealing personal information is installed on their PC. This technique of pushing a malicious site to the top of search results is known as "search engine optimization (SEO) poisoning."

Security firm AhnLab also recently reported detecting a look-alike site that elaborately mimicked the download page for the generative AI Claude.

In this case, the attackers used Google search ads to position the phishing site at the top of search results when users searched for keywords such as "Claude app" and "Claude desktop."

When users click the download button, instead of an installation file, a pop-up appears with "installation instructions." Following the instructions results in the installation of malware that steals files stored on the PC, browser information and cryptocurrency wallet details. This is known as the "ClickFix" technique, which disguises itself as guidance or error messages to trick users into executing malicious commands themselves.

Courtesy of Korea Internet & Security Agency (KISA) - Seoul Economic Daily Society News from South Korea

"Install Only from Official Websites"… Naver Blocks Threats Internally

KISA advised, "When installing software, users should download from official websites rather than search results, and must verify whether search results carry advertising labels and whether the URL of the displayed link matches that of the legitimate site before accessing it."
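The check KISA describes (ad label plus a match between the link's URL and the legitimate site) can be automated for a help desk or proxy. The sketch below is an added example, not part of the original report or of any KISA or vendor tooling; it also covers common look-alike URL forms beyond the advice itself. The entries in OFFICIAL_DOMAINS, the sample URLs in the comments and the function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: placeholders for the domains the vendors publish as official.
OFFICIAL_DOMAINS = {"messenger-vendor.example", "ai-vendor.example"}


def normalize_host(url):
    """Return the lowercase ASCII (punycode) host of an https URL, else None."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return None
        # hostname already excludes any "user@" prefix and the port.
        host = parts.hostname.rstrip(".")
        return host.encode("idna").decode("ascii").lower()
    except ValueError:  # malformed URL or un-encodable host label
        return None


def is_official(host):
    """Match on the right-hand labels: the domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def review_result(url, is_ad):
    """Return warnings for one search result; an empty list means no objection."""
    warnings = []
    if is_ad:
        warnings.append("sponsored result")
    host = normalize_host(url)
    if host is None:
        warnings.append("not a valid https URL")
    elif not is_official(host):
        warnings.append("host %s is not an official domain" % host)
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("internationalized (punycode) host")
    return warnings


# Constructed look-alike forms this catches:
#   official name used as a subdomain of another site:
#     https://messenger-vendor.example.pc-download.example/
#   official name placed in the userinfo part before "@":
#     https://ai-vendor.example@desktop-app.example/setup
#   a visually similar non-ASCII letter in the name:
#     https://ai-vend\u043er.example/download
```

A substring test such as `"ai-vendor.example" in url` would accept all three look-alike forms; comparing the parsed host's right-hand labels does not.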

Unlike Google and Bing, which have relatively weak advertiser verification systems, Naver has been preventing such damage through its own review system.

Naver conducts pre-screening that examines whether advertisers are registered businesses and whether their content contains false or exaggerated claims, and inspects advertising pages in real time in coordination with its security organization. The company also maintains a 24-hour user reporting channel and has procedures in place to immediately halt ads when damage occurs.

AI-translated from Korean. Quotes from foreign sources are based on Korean-language reports and may not reflect exact original wording.
