Thousands of Sites Hacked in Massive Google SEO Poisoning Campaign
Threat Actors Redirect Users to Fake Q&A Sites to Boost Their Rankings.
This week, almost 15,000 sites were compromised during a massive black hat search engine optimization (SEO) campaign. The compromised websites redirect their visitors to fake Q&A discussion forums.
Security researchers believe that the goal of the threat actors is to generate enough indexed pages to increase the authority of the fake Q&A sites and thus, increase their rankings in search engines.
Given that even a brief operation on the front page of Google Search would cause several infections, it seems likely that the campaign prepares these websites for use as malware droppers or phishing sites in the future. Based on the presence of an “ads.txt” file on the landing pages, another possibility is that their owners are trying to increase traffic in order to commit ad fraud.
According to BleepingComputer, the hackers are modifying WordPress PHP files to inject the redirects to the fake Q&A discussion forums. Such files are “wp-singup.php”, “wp-cron.php”, “wp-settings.php”, “wp-mail.php”, and “wp-blog-header.php”.
The malicious code found in the infected or injected files checks to see if website visitors are signed into WordPress; if not, it sends them to the URL “https://ois.is/images/logo-6.png”.
The redirect is routed through a Google search click URL, which is likely to raise the performance metrics of those URLs in the Google index, making the websites appear popular and improving their ranking in the search results.
To avoid raising suspicions, the threat actors exclude logged-in users, as well as visitors currently on the “wp-login.php” page.
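As an added example (not code from the article or from BleepingComputer), a small Python scanner that a site owner could run against the core files named above: it flags the reported redirect URL and, more generally, any redirect that is gated on the visitor not being logged in or that carves out wp-login.php. The injected sample is constructed to mimic the described behaviour, not captured from a compromised site.

```python
from __future__ import annotations
import re
from pathlib import Path

# WordPress core files the campaign was reported to modify (from the article).
TARGET_FILES = ["wp-signup.php", "wp-cron.php", "wp-settings.php",
                "wp-mail.php", "wp-blog-header.php"]
# Redirect destination reported in the article.
KNOWN_IOC = "ois.is/images/logo-6.png"
# A redirect call, either via a raw Location header or WordPress' wp_redirect().
REDIRECT = r"(header\s*\(\s*['\"]Location:|wp_redirect\s*\()"
PATTERNS = {
    # Exact reported indicator.
    "known_ioc": re.compile(re.escape(KNOWN_IOC), re.I),
    # Redirect that only fires for visitors who are NOT logged in.
    "login_gated_redirect": re.compile(
        r"!\s*is_user_logged_in\s*\(\s*\)[\s\S]{0,300}?" + REDIRECT, re.I),
    # Redirect that skips the login page to avoid alerting administrators.
    "wp_login_exclusion": re.compile(
        r"wp-login\.php[\s\S]{0,300}?" + REDIRECT, re.I),
}

def scan_source(source: str) -> list[str]:
    """Return the names of the heuristics that fire on one file's contents."""
    return [label for label, rx in PATTERNS.items() if rx.search(source)]

def scan_wordpress_root(root: Path) -> dict[str, list[str]]:
    """Scan the targeted core files under a WordPress install; returns {file: hits}."""
    findings: dict[str, list[str]] = {}
    for name in TARGET_FILES:
        path = root / name
        if path.is_file():
            hits = scan_source(path.read_text(errors="replace"))
            if hits:
                findings[name] = hits
    return findings

# Constructed sample imitating the described injection (not real malware).
INJECTED_SAMPLE = """<?php
if (!is_user_logged_in() && strpos($_SERVER['REQUEST_URI'], 'wp-login.php') === false) {
    header('Location: https://ois.is/images/logo-6.png');
    exit;
}
require_once(ABSPATH . 'wp-load.php');
"""
# Constructed clean counterpart for comparison.
CLEAN_SAMPLE = "<?php\nrequire_once(ABSPATH . 'wp-load.php');\n"

if __name__ == "__main__":
    print(scan_source(INJECTED_SAMPLE))  # all three heuristics fire
    print(scan_source(CLEAN_SAMPLE))     # []
```

Run `scan_wordpress_root(Path("/var/www/html"))` against a real install to get a per-file report; a hit on either heuristic without the known indicator still deserves a manual look, since the redirect target can change between waves.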
Below is a list of some of the targeted domains; the complete list includes more than 1,000 entries:
Most of the websites used by the threat actors hide their servers behind Cloudflare, so it is hard to learn about the operators of the campaign. As all of the websites use similar templates and appear to be generated automatically, it is likely that they belong to the same threat actor.