Attackers Compromise Roughly 15,000 Websites in Massive Black Hat SEO Campaign

Nearly 15,000 websites were compromised in a recent black hat search engine optimization (SEO) campaign. The perpetrators altered the contents of thousands of websites to redirect visitors to rogue Q&A discussion forums.

The malicious campaign was discovered by web security company Sucuri, which believes the attackers aimed to boost the authority of their fake websites. The company said most affected websites were using WordPress, and each one hosted roughly 20,000 files fueling the black hat SEO campaign.

Although seemingly harmless, the fake Q&A websites could later be weaponized and used to drop malware or become phishing websites. Attackers could also exploit the websites’ artificially inflated ranking to launch a devastating malware-dropping attack.

On the other hand, experts located an “ads.txt” file on some of the rogue domains, leading them to believe the attackers might want to amass more traffic to conduct ad fraud. A few weeks ago, a malicious GIMP Google Ad campaign infected unsuspecting victims with information-stealing malware through a website replica.

As Sucuri’s report shows, the perpetrators injected redirects in core WordPress files but also “infect malicious .php files created by other unrelated malware campaigns.” The company released a list of the 10 most commonly infected files:

./wp-signup.php

./wp-cron.php

./wp-links-opml.php

./wp-settings.php

./wp-comments-post.php

./wp-mail.php

./xmlrpc.php

./wp-activate.php

./wp-trackback.php

./wp-blog-header.php

Further analysis revealed that the attackers also infected “random or pseudo-legitimate file names,” including:

RVbCGlEjx6H.php

lfojmd.php

wp-newslet.php

wp-ver.php

wp-logln.php

The compromised files host malicious code that redirects visitors to an image URL if they’re not logged in to WordPress. Instead of displaying an image, though, the URL uses JavaScript to redirect visitors to a Google search click URL, leading users to the rogue Q&A website.

Perpetrators likely excluded users logged in to their WordPress accounts to avoid redirecting a website administrator and raising suspicion.

Although Sucuri’s analysis found no immediately obvious plugin vulnerability, it didn’t rule out attackers using exploit kits to “probe for any common vulnerable software components.”

The company included a series of mitigation tips against the new malicious campaign, including:

• Update the software on your website to the latest version and apply the latest patches
• Enable Two-Factor Authentication (2FA) for admin accounts
• Change all administrator and access point (cPanel, FTP, hosting) passwords
• Use a firewall to protect your website