Colin Thierry
Published on: November 11, 2022
Around 15,000 websites were compromised recently in a black hat search engine optimization (SEO) campaign. The threat actors edited thousands of websites to redirect users to fraudulent Q&A discussion forums.
The SEO campaign was discovered by web security company Sucuri, which believes the attackers aimed to boost the authority of their fake websites. The company said most impacted websites were using WordPress, and each one hosted around 20,000 files fueling the malicious campaign.
While they seem harmless, the fake Q&A websites can still be weaponized and used to drop malware or become phishing websites. Threat actors could also utilize the websites’ artificially inflated ranking to launch a malware-dropping attack.
However, experts found an “ads.txt” file on some of the rogue domains, which led them to believe that the attackers might want to generate more traffic to commit ad fraud.
According to Sucuri’s report on Tuesday, the hackers injected redirects in core WordPress files but also “infected malicious .php files created by other unrelated malware campaigns.” Further analysis by the web security company revealed that the threat actors also infected “random or pseudo-legitimate file names.”
The compromised files host malicious code that redirects visitors to an image URL if they’re not logged in to WordPress. However, instead of displaying an image, the URL uses JavaScript to redirect users to a Google search click URL. This then leads them to the fraudulent Q&A website, as a result.
While Sucuri found no immediately obvious plugin vulnerability in its analysis, it still didn’t rule out hackers using exploit kits to “probe for any common vulnerable software components.”
The company concluded its report by listing mitigation tips for users against the new black hat SEO campaign, which include:
- Updating the software on your website to the latest version and apply the latest patches.
- Enabling Two-Factor Authentication (2FA) for admin accounts.
- Changing all administrator and access point passwords.
- Using a firewall to protect your website.
