Security researchers have spotted an intriguing malware campaign designed to increase the search engine rankings of spam websites under the control of threat actors.
Over 15,000 WordPress and other sites have been redirected to the spam Q&A sites, according to Sucuri. The hackers are using modified WordPress PHP files and, in some cases, their own PHP files to achieve the redirects, with targeted sites on average containing 100 infected files each.
What attackers are trying to do ?
“The attackers’ spam sites are populated with various random questions and answers found to be scraped from other Q&A sites. Many of them have cryptocurrency and financial themes.”
However, experts found an “ads.txt” file on some of the rogue domains, which led them to believe that the attackers might want to generate more traffic to commit ad fraud.
The PNG image file uses the ‘window.location.href’ function to generate the Google Search redirection result to one of the following targeted domains:
Cloudflare has been used to host most of the malicious subdomains leveraged by attackers, all of which have similar website-building templates suggesting that a single group of threat actors may be behind the scheme.
While Sucuri found no immediately obvious plugin vulnerability in its analysis, it still didn’t rule out hackers using exploit kits to “probe for any common vulnerable software components.”
Recommendations – WordPress
- Updating the software on your website to the latest version and apply the latest patches.
- Enabling Two-Factor Authentication (2FA) for admin accounts.
- Changing all administrator and access point passwords.
- Using a firewall to protect your website.