This week, almost 15,000 sites were compromised in a massive black hat search engine optimization (SEO) campaign. The compromised websites redirect their visitors to fake Q&A discussion forums.
Security researchers believe that the threat actors' goal is to generate enough indexed pages to increase the authority of the fake Q&A sites and thus raise their rankings in search engines.
Given that even a brief stint on the first page of Google Search results would cause several infections, it seems likely that the campaign is preparing these websites for later use as malware droppers or phishing sites. Based on the presence of an "ads.txt" file on the landing pages, another possibility is that their operators are trying to drive traffic in order to commit ad fraud.
Victim’s Profile
According to BleepingComputer, the attackers modify WordPress PHP files to inject the redirects to the fake Q&A discussion forums. The affected files include "wp-signup.php", "wp-cron.php", "wp-settings.php", "wp-mail.php", and "wp-blog-header.php".
The malicious code found in the injected files checks whether the visitor is signed into WordPress; if not, it sends them to the URL "https://ois.is/images/logo-6.png".
The browser does not receive an image from this URL, however; instead, JavaScript is loaded that sends the user to a Google search URL, which in turn sends them on to the sponsored Q&A site.
Using a Google search click URL is likely to raise the performance metrics of those URLs in the Google index, making the websites appear popular and improving their ranking in the search results.
To avoid raising suspicion, the threat actors exclude logged-in users as well as visitors who are on "wp-login.php".
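A defender-side check for the behaviour described above, added here as an example (it is not code from BleepingComputer's or Sucuri's report): it scans WordPress PHP files for a redirect to a host other than the site's own, for the redirect URL quoted in the report, and for the logged-in gate, over constructed sample file contents.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Core files the report names as carriers of the injected redirect.
SUSPECT_FILES = {"wp-signup.php", "wp-cron.php", "wp-settings.php",
                 "wp-mail.php", "wp-blog-header.php"}
# Redirect target quoted in the report; it serves JavaScript, not an image.
KNOWN_IOC = "ois.is/images/logo-6.png"
# PHP redirect (header("Location: ...") or wp_redirect(...)) to an absolute URL.
REDIRECT_RE = re.compile(
    r"""(?:header\s*\(\s*['"]Location:\s*|wp_redirect\s*\(\s*['"])(https?://[^'"\s]+)""",
    re.IGNORECASE)
LOGIN_CHECK_RE = re.compile(r"is_user_logged_in\s*\(\s*\)")


def scan_file(name: str, content: str, site_host: str) -> list[str]:
    """Return findings for one PHP file; an empty list means nothing suspicious."""
    findings = []
    if KNOWN_IOC in content:
        findings.append("references known redirect IOC " + KNOWN_IOC)
    for m in REDIRECT_RE.finditer(content):
        host = urlparse(m.group(1)).hostname or ""
        if host and host != site_host:
            findings.append(f"redirects to external host {host}")
    # A logged-in check next to an external redirect matches the campaign's
    # tactic of only redirecting anonymous visitors.
    if findings and LOGIN_CHECK_RE.search(content):
        findings.append("redirect is gated on is_user_logged_in()")
    if findings and name in SUSPECT_FILES:
        findings.append(f"{name} is a core file named in the report")
    return findings


def scan_tree(files: dict[str, str], site_host: str) -> dict[str, list[str]]:
    """Scan a {filename: content} mapping and return only files with findings."""
    report = {}
    for name, content in files.items():
        hits = scan_file(name, content, site_host)
        if hits:
            report[name] = hits
    return report


# Constructed sample: one clean core file and one carrying a redirect shaped
# like the report's description (a stand-in, not the campaign's actual code).
SAMPLE_FILES = {
    "wp-blog-header.php": "<?php\nrequire_once __DIR__ . '/wp-load.php';\nwp();\n",
    "wp-cron.php": ("<?php\nif ( ! is_user_logged_in() ) {\n"
                    "    header('Location: https://ois.is/images/logo-6.png');\n"
                    "    exit;\n}\n"),
}
```

Comparing the named core files against WordPress's published checksums (for example with WP-CLI's `wp core verify-checksums`) catches modifications regardless of what the injected payload looks like.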
The researchers published a list of the domains used in the campaign; the complete list includes more than 1,000 entries.
Most of the websites used by the threat actors hide their servers behind Cloudflare, which makes it hard to learn about the campaign's operators. As all of the websites use similar templates and appear to be generated automatically, they likely belong to the same threat actor.