Hackers have compromised nearly 15,000 websites to conduct massive black hat Search Engine Optimization (SEO) campaigns by redirecting visitors to fake Q&A discussion forums.
This attack was first discovered by Sucuri. Sucuri said each compromised site contained approximately 20,000 files used as part of search engine spam campaigns, with most sites being WordPress.
Researchers believe the attacker’s goal is to increase the authority of the fake Q&A site and generate enough indexed pages to improve its ranking in search engines.
Even a short period of interaction on the first page of Google Search can lead to many infections, which may set the campaign up for future use of these sites as malware droppers and phishing sites.
Another scenario is based on the presence of an ‘ads.txt’ file on the landing site, where the site owner wants to drive more traffic for ad fraud.
Targeting your WordPress site
Sucuri claims that hackers modified WordPress PHP files such as ‘wp-singup.php’, ‘wp-cron.php’, ‘wp-settings.php’, ‘wp-mail.php’ and ‘wp-blog’. reported that -header.php’, insert a redirect to a fake Q&A discussion forum.
In some cases, attackers drop their own PHP files on the targeted site using random or pseudo-legitimate filenames like “wp-logln.php”.
The infected or injected file will check if the website visitor is logged into WordPress and redirect to the https://ois.is/images/logo-6.png URL if not. contains malicious code that
However, instead of sending the image from this URL, the browser loads JavaScript that redirects the user to a Google search click URL that redirects the user to the promoted Q&A site.
Google Search click URLs can improve the performance metrics of your URLs in the Google index and make your site appear more popular in hopes of boosting your ranking in search results.
Additionally, redirecting via a Google search click URL can make your traffic look more legitimate and bypass some security software.
The purpose of excluding users who are logged in and standing on “wp-login.php” is to avoid redirecting site admins. This will raise suspicion and clean up compromised sites.
PNG image files use the “window.location.href” function to generate Google search redirect results to one of the following target domains:
- en.w4ksa[.]Com
- Piece Yo Meat[.]Com
- qa.bb7r[.]Com
- en. ajeel[.]shop
- qa.istisharaat[.]Com
- en.photolovegirl[.]Com
- en.poxnel[.]Com
- qa.tadalafilhot[.]Com
- question.rawafedpor[.]Com
- qa. elbwaba[.]Com
- Q. First goal[.]Com
- qa.cr-halal[.]Com
- qa.aly2um[.]Com
The complete list of landing domains is too long to include here (1,137 entries), as attackers use multiple subdomains for the above purposes. If you want to see the full list, you can find it here.
Since most of these websites hide their servers behind Cloudflare, Sucuri’s analysts were unable to learn more about the operators of the campaigns.
Since all sites use similar website building templates and all appear to have been generated by automated tools, they could all belong to the same actor.
Sucuri was unable to determine how the attackers got into the website used for redirection. However, it can be caused by exploiting a vulnerable plugin or by brute-forcing your WordPress admin password.
Therefore, we recommend upgrading all your WordPress plugins and website CMS to the latest versions and enabling two-factor authentication (2FA) on your admin account.
