Security researchers have spotted an intriguing malware campaign designed to increase the search engine rankings of spam websites under the control of threat actors.
Over 15,000 WordPress and other sites have been redirected to the spam Q&A sites, according to Sucuri. The hackers are using modified WordPress PHP files and, in some cases, their own PHP files to achieve the redirects, with targeted sites on average containing 100 infected files each.
What are attackers trying to do?
“The attackers’ spam sites are populated with various random questions and answers found to be scraped from other Q&A sites. Many of them have cryptocurrency and financial themes.”
However, experts found an “ads.txt” file on some of the rogue domains, which led them to believe that the attackers might want to generate more traffic to commit ad fraud.
The compromised files host malicious code that redirects visitors to an image URL if they are not logged in to WordPress. Instead of serving an image, however, that URL returns JavaScript that redirects the visitor to a Google Search click URL, which in turn leads to the fraudulent Q&A website.
The supposed PNG image file sets ‘window.location.href’ to produce the Google Search redirect to one of the attackers’ targeted Q&A domains.
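As an added detection example (not code from Sucuri or from the article), the following Python flags the two artifacts the article describes: an "image" response that is really a JavaScript redirect setting window.location.href, and a PHP file that sends visitors who are not logged in to a remote image URL. The `is_user_logged_in()` check, the sample PHP and the placeholder domains are assumptions about the injection's shape, not indicators taken from the report.

```python
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Matches JavaScript that assigns a quoted URL to window.location(.href).
REDIRECT_RE = re.compile(rb"""window\.location(?:\.href)?\s*=\s*["']([^"']+)["']""")

# Assumed shape of the injected PHP: a negated is_user_logged_in() check near a
# redirect (header Location or window.location) whose target is a remote image URL.
GUEST_CHECK_RE = re.compile(r"!\s*is_user_logged_in\s*\(")
IMAGE_REDIRECT_RE = re.compile(
    r"""(?:header\s*\(\s*["']Location:|window\.location)[^;]*https?://[^"';]+\.(?:png|jpe?g|gif)""",
    re.IGNORECASE,
)


def classify_image_body(body: bytes) -> str:
    """'png' for a genuine PNG, 'js-redirect' for a script setting window.location, else 'other'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if REDIRECT_RE.search(body):
        return "js-redirect"
    return "other"


def redirect_target(body: bytes):
    """Return the URL a fake image body redirects to, or None if it is not a redirect."""
    m = REDIRECT_RE.search(body)
    return m.group(1).decode("utf-8", errors="replace") if m else None


def php_redirects_guests_to_image(source: str) -> bool:
    """True if the PHP source redirects visitors who are NOT logged in to a remote image URL."""
    return bool(GUEST_CHECK_RE.search(source) and IMAGE_REDIRECT_RE.search(source))


# Constructed samples (placeholder domains, not indicators from the report).
SAMPLE_REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_FAKE_PNG = (b"<script>window.location.href = "
                   b"'https://www.google.com/url?q=https://qa.spam-placeholder.invalid/q/1';</script>")
SAMPLE_INFECTED_PHP = """<?php
if (!is_user_logged_in()) {
    header("Location: https://cdn.spam-placeholder.invalid/img/pic.png"); exit;
}
"""
SAMPLE_CLEAN_PHP = "<?php if (!is_user_logged_in()) { wp_redirect(wp_login_url()); exit; }"

if __name__ == "__main__":
    for name, body in (("real", SAMPLE_REAL_PNG), ("fake", SAMPLE_FAKE_PNG)):
        print(name, classify_image_body(body), redirect_target(body))
    print("infected:", php_redirects_guests_to_image(SAMPLE_INFECTED_PHP))
    print("clean:", php_redirects_guests_to_image(SAMPLE_CLEAN_PHP))
```

The PHP heuristic only flags the guest-check plus image-redirect combination, so a legitimate redirect of guests to the login page is not reported.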
Cloudflare has been used to host most of the malicious subdomains leveraged by attackers, all of which have similar website-building templates suggesting that a single group of threat actors may be behind the scheme.
While Sucuri found no immediately obvious plugin vulnerability in its analysis, it still didn’t rule out hackers using exploit kits to “probe for any common vulnerable software components.”
Recommendations – WordPress
- Updating the software on your website to the latest version and applying the latest patches.
- Enabling Two-Factor Authentication (2FA) for admin accounts.
- Changing all administrator and access point passwords.
- Using a firewall to protect your website.