More than 15,000 WordPress websites have been infiltrated by a new malicious campaign that aims to send users to false Q&A portals.
According to a report released last week by Sucuri researcher Ben Martin, “these malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines,” characterizing it as a “clever black hat SEO trick.”
The goal of the search engine poisoning tactic is to draw attention to a “handful of fake low quality Q&A sites” that are run by the same threat actor and have similar website-building templates.
The campaign’s ability to alter an average of more than 100 files per website is noteworthy. This differs significantly from previous attacks of this type, which only alter a small number of files in order to minimize footprint and evade detection.
Wp-signup.php, WP-cron.php, WP-links-opml.php, WP-settings.php, WP-comments-post.php, WP-mail.php, xmlrpc.php, WP-activate.php, WP-trackback.php, and WP-blog-header.php are a few of the frequently infected pages.
The malware can carry out the redirects to the attacker’s preferred websites thanks to this widespread compromise. To allay suspicions, it’s important to note that the redirects don’t happen if the wordpress_logged_in cookie is present or if the current page is wp-login.php, or the login page.
The campaign’s ultimate objective is to “drive more traffic to their fake sites” as well as “boost the sites’ authority using fake search result clicks to make Google rank them better so that they get more real organic search traffic.”
The inserted code accomplishes this by starting a redirect to a PNG image hosted on the domain “ois[.]is” that, rather than loading an image, directs website visitors to a spam Q&A domain’s Google search result URL.
The method by which the WordPress websites are compromised is currently unknown, although Sucuri reported that it did not find any evident plugin vulnerabilities being used in the campaign.
Nevertheless, since it appears that the WordPress administrator accounts are being brute-forced, users must enable two-factor authentication and make sure all software is up to date.
