Hackers are running a massive black hat search engine optimization (SEO) campaign by compromising nearly 15,000 websites to redirect visitors to fake question and answer discussion forums.
The attacks were first detected by Sucuri, which says each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress.
Researchers believe that the goal of threat actors is to generate enough indexed pages to increase the authority of the fake Q&A sites and therefore rank better in search engines.
Fake question and answer site promoted by this campaign (juices)
The campaign likely prepares these sites for future use as malware accounts or phishing sites, as even a short-term operation on the first page of Google Search would result in many infections.
An alternative scenario, based on the existence of an “ads.txt” file on the landing sites, is that their owners want to generate more traffic to commit ad fraud.
Targeting WordPress sites
juices reports that hackers are modifying WordPress PHP files such as “wp-singup.php”, “wp-cron.php”, “wp-settings.php”, “wp-mail.php” and “wp-blog- header”. .php’, to inject the redirects to the fake Q&A discussion forums.
In some cases, attackers drop their own PHP files on the target site, using random or pseudo-legitimate file names like “wp-logln.php”.
Malicious code in one of the infected files (juices)
Infected or injected files contain malicious code that checks whether website visitors are logged in to WordPress and, if not, redirects them to the URL.
However, browsers will not be served any images from this URL, but will instead have JavaScript loaded that redirects users to a clickable Google search URL that redirects users to the promoted Q&A site.
Code to generate the fake google search event (juices)
Using a Google search click-through URL is likely to increase the performance metrics of the URLs in the Google index to make it appear as if the sites are popular, in the hope of increasing their ranking in the results of the search.
Also, redirecting through Google search click URLs makes the traffic look more legitimate, possibly bypassing some security software.
Excluding registered users, as well as those in ‘wp-login.php’, is intended to prevent redirection by a site administrator, which would lead to suspicion and cleanup of the compromised site.
The PNG image file uses the “window.location.href” function to generate the Google Search redirect result to one of the following targeted domains:
en.w4ksa[.]like peace.yomeat[.]like qa.bb7r[.]as in.ajeel[.]qa store istisharat[.]as in.photolovegirl[.]as in.poxnel[.]like qa.tadalafilhot[.]as you ask.rawafedpor[.]like qa.elbwaba[.]as you ask.first objective[.]like qa.cr-halal[.]like qa.aly2um[.]how
Threat actors use multiple subdomains for the above, so the full list of landing domains is too long to include here (1,137 entries). Those interested in reviewing the full list can do so find it here.
Most of these websites hide their servers behind Cloudflare, so Sucuri’s analysts were unable to obtain more information about the campaign operators.
Since all sites use similar website builder templates and all appear to have been generated by automated tools, it is likely that they all belong to the same threat actors.
Sucuri was unable to identify how the threat actors breached the websites used for the redirects. However, it is likely to happen by exploiting a vulnerable plugin or forcing your WordPress admin password.
Therefore, the recommendation is to update all WordPress plugins and website CMS to the latest version and enable two-factor authentication (2FA) on admin accounts.
[ad_2]
Source link
