After discovering an infected WordPress index.php file, researchers realized that the PHP code contained a spam doorway generator targeting Korean users. The generator fetched spam content from third-party servers, cached it on the compromised server and served it as doorway pages. It specifically targeted visitors arriving from .kr domains whose default browser language was set to Korean. Researchers downloaded from a URL a base64-encoded string containing a configuration array; the file held nearly 3,000 keywords, injection patterns, and links. Researchers also identified three sub-campaigns associated with the keywords. The attackers were also able to leverage non-hacked WordPress sites. The research blog stated, “In addition to common black hat SEO tactics, this campaign uses a very interesting (and disturbing for WordPress users) approach to spamming search engines. The configuration files contain lists of 500 random (and uncompromised) WordPress sites with the following format: http://example.com/?s=[content].” The resulting spam pages were then indexed by search engines.
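The last point above matters even for site owners who were never compromised: the campaign pointed search engines at other people's WordPress search URLs (`/?s=[content]`), so an uncompromised site ends up hosting indexable spam result pages. The following script is an added example, not code from the research blog or from WordPress, showing how a defender can spot that abuse in an ordinary access log. It assumes the Apache/Nginx "combined" log format, a small assumed list of crawler user-agent fragments, and uses constructed sample log lines (the Korean terms and IP addresses are made up for the example).

```python
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

# Apache/Nginx "combined" access-log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
HANGUL_RE = re.compile(r'[\uAC00-\uD7A3]')  # precomposed Hangul syllables
# Assumed user-agent fragments of search-engine crawlers (extend for your own traffic).
CRAWLER_RE = re.compile(r'googlebot|bingbot|yandexbot|naverbot|yeti', re.I)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def search_term(target):
    """Extract the WordPress search query (the 's' parameter) from a request target, if any."""
    values = parse_qs(urlsplit(target).query).get("s")
    return values[0] if values else None


def classify(entry):
    """Score one search request; every matched heuristic adds a reason string."""
    term = search_term(entry["target"])
    if term is None:
        return None  # not a search request
    reasons = []
    if HANGUL_RE.search(term):
        reasons.append("hangul-term")  # matches the campaign's Korean keyword lists
    if CRAWLER_RE.search(entry["ua"]):
        reasons.append("crawler")      # a search engine following doorway links
    if entry["referer"] == "-":
        reasons.append("no-referer")   # not a visitor using the site's own search box
    return {"ip": entry["ip"], "term": term, "ua": entry["ua"], "reasons": reasons}


def scan(lines, min_reasons=2):
    """Return classified search requests that matched at least `min_reasons` heuristics."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        result = classify(entry)
        if result and len(result["reasons"]) >= min_reasons:
            findings.append(result)
    return findings


def top_terms(findings, n=5):
    """Most frequent suspicious search terms, useful for a quick report."""
    return Counter(f["term"] for f in findings).most_common(n)


# Constructed sample log lines (not from the page). The Korean terms are URL-encoded
# with quote() exactly as a crawler or browser would send them.
KO_TERMS = ["무료 다운로드", "최신 영화"]  # constructed: "free download", "latest movies"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Mar/2017:10:01:02 +0000] "GET /?s={quote(KO_TERMS[0])} HTTP/1.1" 200 5123 "-" "{GOOGLEBOT}"',
    f'203.0.113.5 - - [12/Mar/2017:10:01:07 +0000] "GET /?s={quote(KO_TERMS[1])} HTTP/1.1" 200 5100 "-" "{GOOGLEBOT}"',
    f'203.0.113.5 - - [12/Mar/2017:10:01:09 +0000] "GET /?s={quote(KO_TERMS[0])} HTTP/1.1" 200 5123 "-" "{GOOGLEBOT}"',
    '198.51.100.7 - - [12/Mar/2017:10:02:11 +0000] "GET /?s=wordpress+backup HTTP/1.1" 200 4900 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"',
    '203.0.113.9 - - [12/Mar/2017:10:03:40 +0000] "GET /about/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["term"], f["reasons"])
    print("most frequent suspicious terms:", top_terms(hits))
```

On the sample data the three crawler requests with Korean terms and no referer are reported, while the real visitor's "wordpress backup" search is not. The heuristics are deliberately simple and only narrow the log down for a human; the durable fix for this abuse is to make sure your search result pages carry a noindex robots directive, so that whatever `?s=` URLs a doorway points at your site never become indexed spam pages.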
When evaluating a Managed Detection & Response (MDR) service there are 5 critical components that