Over 15,000 WordPress websites have been infected by a new malicious campaign that aims to divert users to fake Q&A portals. The search engine poisoning strategy drives traffic to a “handful of fake low quality Q&A sites” that use identical website-building templates and are run by the same threat actor.
“These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines,” Sucuri researcher Ben Martin stated in a recently published report, calling it a “clever black hat SEO trick.”
A noteworthy feature of the campaign is that the attackers alter more than 100 files per website on average. This differs significantly from prior attacks of this type, which alter a smaller number of files to leave a smaller footprint and avoid discovery. The core files most frequently infected are wp-signup.php, wp-cron.php, wp-settings.php, wp-links-opml.php, wp-mail.php, wp-activate.php, wp-trackback.php, xmlrpc.php, wp-comments-post.php, and wp-blog-header.php.
Because the site is so thoroughly compromised, the malware can redirect visitors to the attacker’s preferred domains. To minimize suspicion, the redirects do not occur if the wordpress_logged_in cookie is present or if the current page is wp-login.php (the login page).
The campaign’s ultimate objective is to increase traffic to the attacker’s fake websites and raise their authority: clicks arriving through fictitious search results improve the sites’ ranking on Google and attract more genuine organic search traffic. The inserted code does this by initiating a redirect to a PNG image hosted on the domain “ois[.]is,” which, instead of serving an image, sends the visitor to the URL of a spam Q&A domain that appears in a Google search result.
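Because the campaign modifies core WordPress files rather than a single plugin, the most dependable way to spot it is to compare those files against a known-good baseline, then triage any changed file for the indicators the report describes (the ois[.]is redirect target and the logged-in-cookie / wp-login.php suppression checks). The following is an added example written for this article, not Sucuri’s tooling or WordPress code: it hashes the core files named above, reports any that drift from the baseline, and scans them for those indicator strings. The directory layout, the stand-in “clean” file contents and the constructed injected snippet are all assumptions made for the demonstration; the regular expressions are guesses at how injected code might reference the indicators, not signatures taken from a real sample.

```python
"""Added example: baseline-hash check plus indicator triage for WordPress core files."""
import hashlib
import os
import re
import tempfile

# Core files the report lists as most frequently modified.
CORE_FILES = [
    "wp-signup.php", "wp-cron.php", "wp-settings.php", "wp-links-opml.php",
    "wp-mail.php", "wp-activate.php", "wp-trackback.php", "xmlrpc.php",
    "wp-comments-post.php", "wp-blog-header.php",
]

# Indicators drawn from the report. The patterns are assumptions about how injected
# code might mention them; legitimate files can also contain the two gate strings.
INDICATORS = {
    "redirect_domain": re.compile(r"ois\.is", re.I),
    "cookie_gate": re.compile(r"wordpress_logged_in", re.I),
    "login_page_gate": re.compile(r"wp-login\.php", re.I),
}


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every listed core file present under root. Run on a known-clean install."""
    baseline = {}
    for name in CORE_FILES:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            baseline[name] = sha256_file(path)
    return baseline


def check_integrity(root, baseline):
    """Return core files whose current hash differs from the baseline, or that are missing."""
    changed = []
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path) or sha256_file(path) != expected:
            changed.append(name)
    return sorted(changed)


def scan_indicators(root):
    """Return {file: [matched indicator names]} for files that mention the redirect
    domain, or that contain both suppression gates. Gate strings alone are weak
    evidence, so a file is flagged on the domain or on the gate pair, not on one gate."""
    hits = {}
    for name in CORE_FILES:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
        matched = [key for key, rx in INDICATORS.items() if rx.search(text)]
        if "redirect_domain" in matched or {"cookie_gate", "login_page_gate"} <= set(matched):
            hits[name] = matched
    return hits


# Constructed stand-in for a clean core file (not real WordPress source).
CLEAN_STUB = "<?php\n// constructed stand-in for a clean WordPress core file\nrequire_once __DIR__ . '/wp-load.php';\n"

# Constructed stand-in for the injected code, shaped only by what the report describes:
# a cookie / login-page gate in front of a redirect to a .png on ois[.]is. Not the real sample.
INJECTED_STUB = (
    "if (!isset($_COOKIE['wordpress_logged_in']) && basename($_SERVER['SCRIPT_NAME']) !== 'wp-login.php') {\n"
    "    header('Location: https://ois.is/placeholder.png');\n"
    "}\n"
)


def demo():
    """Build a clean tree, baseline it, tamper with one file, and return both check results."""
    with tempfile.TemporaryDirectory() as root:
        for name in CORE_FILES:
            with open(os.path.join(root, name), "w", encoding="utf-8") as f:
                f.write(CLEAN_STUB)
        baseline = build_baseline(root)
        # Simulate the compromise: append the constructed snippet to one core file.
        with open(os.path.join(root, "wp-blog-header.php"), "a", encoding="utf-8") as f:
            f.write(INJECTED_STUB)
        return check_integrity(root, baseline), scan_indicators(root)


if __name__ == "__main__":
    changed, hits = demo()
    print("hash drift:", changed)
    print("indicator hits:", hits)
```

The hash comparison is the authoritative signal: any core file that drifts from its baseline warrants a look regardless of what strings it contains. On a real install the same comparison against WordPress.org’s published checksums is available through WP-CLI as `wp core verify-checksums`; the indicator scan above is only a triage aid for deciding which drifted files to open first.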
It is not yet clear how the WordPress websites are being compromised, as Sucuri said it did not find any obvious plugin vulnerabilities being exploited in the operation. Since the WordPress administrator accounts are likely the target of brute-force attacks, users must set up two-factor authentication and make sure all software is up to date.