After discovering an infected WordPress index.php file, researchers came to the realization that the PHP code contained a spam doorway generator targeting Korean users. The generator was able to obtain spam from third-party servers which then allowed it to be cached on a compromised server and display doorway pages. It specifically looks for users that browse with .kr domains and also have their default browser language set to Korean. A base64-encoded string which contained a configuration array file was downloaded from a URL by researchers. In the file were nearly 3,000 keywords, injection patterns, and links. Three sub-campaigns were also associated with the keywords and researchers were able to identify them. The attackers were also able to leverage non-hacked WordPress sites. The research blog stated, “In addition to common black hat SEO tactics, this campaign uses a very interesting (and disturbing for WordPress users) approach to spamming search engines. The configuration files contain lists of 500 random (and uncompromised) WordPress sites with the following format: http://example.com/?s=[content].” Spam pages in the search engines were then indexed.
Analyst Notes
Users should keep track of their backlinks which can be monitored using different platforms. Google Webmaster Tools can also be used to send email alerts that will make users aware of their website being attacked by malware, pages that aren’t indexed, and server connectivity problems.
