2 min read

Attackers Compromise Roughly 15,000 Websites in Massive Black Hat SEO Campaign


November 10, 2022

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Attackers Compromise Roughly 15,000 Websites in Massive Black Hat SEO Campaign

Nearly 15,000 websites were compromised in a recent black hat search engine optimization (SEO) campaign. The perpetrators altered the contents of thousands of websites to redirect visitors to rogue Q&A discussion forums.

The malicious campaign was discovered by web security company Sucuri, which believes the attackers aimed to boost the authority of their fake websites. The company said most affected websites were using WordPress, and each one hosted roughly 20,000 files fueling the black hat SEO campaign.

Although seemingly harmless, the fake Q&A websites could later be weaponized and used to drop malware or become phishing websites. Attackers could also exploit the websites’ artificially inflated ranking to launch a devastating malware-dropping attack.

On the other hand, experts located an “ads.txt” file on some of the rogue domains, leading them to believe the attackers might want to amass more traffic to conduct ad fraud. A few weeks ago, a malicious GIMP Google Ad campaign infected unsuspecting victims with information-stealing malware through a website replica.

As Sucuri’s report shows, the perpetrators injected redirects in core WordPress files but also “infect malicious .php files created by other unrelated malware campaigns.” The company released a list of the 10 most commonly infected files:


Further analysis revealed that the attackers also infected “random or pseudo-legitimate file names,” including:


The compromised files host malicious code that redirects visitors to an image URL if they’re not logged in to WordPress. Instead of displaying an image, though, the URL uses JavaScript to redirect visitors to a Google search click URL, leading users to the rogue Q&A website.

Perpetrators likely excluded users logged in to their WordPress accounts to avoid redirecting a website administrator and raising suspicion.

Although Sucuri’s analysis found no immediately obvious plugin vulnerability, it didn’t rule out attackers using exploit kits to “probe for any common vulnerable software components.”

The company included a series of mitigation tips against the new malicious campaign, including:

  • Update the software on your website to the latest version and apply the latest patches
  • Enable Two-Factor Authentication (2FA) for admin accounts
  • Change all administrator and access point (cPanel, FTP, hosting) passwords
  • Use a firewall to protect your website




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like