A brand new malicious marketing campaign has compromised over 15,000 WordPress web sites in an try and redirect guests to bogus Q&A portals.
“These malicious redirects seem like designed to extend the authority of the attacker’s websites for search engines like google and yahoo,” Sucuri researcher Ben Martin mentioned in a report revealed final week, calling it a “intelligent black hat web optimization trick.”
The search engine poisoning method is designed to advertise a “handful of pretend low high quality Q&A websites” that share related website-building templates and are operated by the identical menace actor.
A notable side of the marketing campaign is the flexibility of the hackers to switch over 100 information per web site on common, an strategy that contrasts dramatically from different assaults of this sort whereby solely a restricted variety of information are tampered with to scale back footprint and escape detection.
Some of essentially the most generally contaminated pages include wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.
This intensive compromise permits the malware to execute the redirects to web sites of the attacker’s alternative. It’s value stating that the redirects do not happen if the wordpress_logged_in cookie is current or if the present web page is wp-login.php (i.e., the login web page) in order to keep away from elevating suspicion.
The final aim of the marketing campaign is to “drive extra visitors to their faux websites” and “enhance the websites’ authority utilizing faux search consequence clicks to make Google rank them higher in order that they get extra actual natural search visitors.”
The injected code achieves this by initiating a redirect to a PNG picture hosted on a site named “ois[.]is” that, as a substitute of loading a picture, takes the web site customer to a Google search consequence URL of a spam Q&A website.
It’s not instantly clear how the WordPress websites are breached, and Sucuri mentioned it didn’t discover any apparent plugin flaws being exploited to hold out the marketing campaign.
That mentioned, it is suspected to be a case of brute-forcing the WordPress administrator accounts, making it important that customers allow two-factor authentication and make sure that all software program is up-to-date.