Massive Black hat SEO campaign used +15K WordPress sites

Experts warn of a malicious SEO campaign that has compromised over 15,000 WordPress websites to redirect visitors to fake Q&A portals.

Since September 2022, researchers from security firm Sucuri have tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. The campaign’s end goal appears to be black hat SEO aimed at increasing the reputation of the attacker’s sites.

The Sucuri SiteCheck scanner has detected redirects on over 2,500 sites during September and October, while PublicWWW results show nearly 15,000 websites affected by this malware. 

“What makes this campaign especially unusual is that attackers are found to be promoting a handful of fake low quality Q&A sites.” reads the analysis published by Sucuri. “Some website malware infections limit themselves to a small number of files, often to limit their footprint and avoid detection. This malware is the opposite — with on average over 100 files infected per website.”

Experts noticed that the threat actor behind this campaign modify on average over 100 files infected per website. The attackers mainly modify core WordPress files along with malicious .php files created by other unrelated malware campaigns.

Below is the list of the top 10 most commonly infected files.

• ./wp-signup.php
• ./wp-cron.php
• ./wp-links-opml.php
• ./wp-settings.php
• ./wp-comments-post.php
• ./wp-mail.php
• ./xmlrpc.php
• ./wp-activate.php
• ./wp-trackback.php
• ./wp-blog-header.php

Sucuri experts explained that if the malware does not detect a logged-in user or login attempt it then injects the malicious JavaScript code.

Experts observed two redirect techniques:

• A combination of window.location.href and meta refresh redirects;
• Attackers save information about the redirect in the visitor’s browser localStorage to avoid redirecting more than once in 2 or 6 hours, depending on the variant used. The value is hardcoded in the allowedHours variable.

In both scenarios, the malware redirects to .png files, then the malware uses the window.location.href function to redirect to a Google search result URL of a spam domain under his controlù.

The spam sites are populated with various questions and answers scraped from other Q&A sites.

Sucuri experts have yet to discover how the WordPress websites employed in the campaign have been hacked.

“It’s possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results. This technique artificially sends Google signals that those pages are performing well in search.” concludes the report.

“If this is the case, it’s a pretty clever black hat SEO trick that we’ve rarely seen used in massive hack campaigns. However, its effect is questionable given that Google will be getting lots of “clicks” on search results without any actual searches being performed. This black hat SEO theory is also backed by the fact that the second level domains of the Q&A sites seem to belong to the same people. The hosted websites use similar templates and pretty low quality content (mostly in Arabic language) that is either scraped from some other sites or created for search engines rather than real humans.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]