Over 15,000 WordPress websites have been compromised by a new malicious campaign that redirects visitors to bogus Q&A portals. “These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines,” stated Sucuri researcher Ben Martin, calling it a “clever black hat SEO trick.” The threat actor uses this search engine manipulation technique to drive traffic to a “handful of fake low quality Q&A sites.” On average, the attackers modified over 100 files per website during the campaign. This differs significantly from prior attacks of this type, where only a small number of files were modified in order to leave a smaller footprint and avoid detection. The most frequently infected files are wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.
This compromise allows the malware to redirect visitors to the attacker’s preferred domains. Notably, the redirects do not occur if the wordpress_logged_in cookie is present, or if the current page is wp-login.php (the login page), so site administrators are unlikely to see them. The campaign’s primary goal is to “drive more traffic to their fake sites and boost the sites’ authority using fake search result clicks to make Google rank them better so that they get more real organic search traffic.” The injected code achieves this by first redirecting to a PNG image hosted on the domain “ois[.]is,” which, instead of loading an image, sends the visitor on to a URL on a spam Q&A domain that appears in a Google search result. It is unclear how the WordPress websites were compromised. Sucuri said it did not find any obvious plugin vulnerabilities being exploited in the campaign. WordPress users should set up two-factor authentication and ensure all software is up to date.
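Because this campaign touched over 100 files per site, including the core files listed above, a defender can catch it by combining file-integrity checking with a content heuristic for the two details Sucuri describes (a redirect gated on the wordpress_logged_in cookie, and the ois[.]is staging domain). The following Python is an added example, not Sucuri’s or WordPress’s code; the file contents and baseline hashes are constructed for illustration.

```python
"""Flag watched WordPress core files whose SHA-256 drifts from a known-good
baseline, then report redirect indicators inside them. Sample contents and
baseline hashes below are constructed for this example."""
import hashlib
import re

# Core files Sucuri listed as the most frequently infected in this campaign.
WATCHED_FILES = {
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
}

# Content heuristics: none of these belong in the core files above.
INDICATORS = {
    "logged_in_cookie_gate": re.compile(r"\$_COOKIE\s*\[\s*['\"]wordpress_logged_in"),
    "ois_is_domain": re.compile(r"ois\.is", re.I),
    "php_redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_core_files(files: dict, baseline: dict) -> dict:
    """files: path -> bytes read from disk; baseline: path -> known-good SHA-256.
    Returns path -> list of findings; an empty dict means nothing suspicious."""
    findings = {}
    for path, data in files.items():
        if path.rsplit("/", 1)[-1] not in WATCHED_FILES:
            continue
        hits = []
        if path not in baseline:
            hits.append("no_baseline_hash")
        elif sha256(data) != baseline[path]:
            hits.append("hash_mismatch")
        text = data.decode("utf-8", errors="replace")
        hits += [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[path] = hits
    return findings

# Constructed sample: a clean wp-cron.php stub and a tampered wp-settings.php
# stub carrying the cookie-gated redirect described in the article.
CLEAN = b"<?php\n// stub of the real file\nrequire_once ABSPATH . 'wp-load.php';\n"
TAMPERED = (b"<?php\nif (!isset($_COOKIE['wordpress_logged_in_x'])) {\n"
            b"    header('Location: https://ois.is/images/lo.png');\n}\n")
SAMPLE_FILES = {"/var/www/wp-cron.php": CLEAN, "/var/www/wp-settings.php": TAMPERED}
SAMPLE_BASELINE = {"/var/www/wp-cron.php": sha256(CLEAN), "/var/www/wp-settings.php": "0" * 64}

if __name__ == "__main__":
    for path, hits in scan_core_files(SAMPLE_FILES, SAMPLE_BASELINE).items():
        print(path, hits)
```

In a real deployment the baseline would come from the checksums of the installed WordPress release rather than a hard-coded dict, and the scan would walk the whole install, since the campaign did not limit itself to the ten files listed.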