Google SEO poisoning campaign spotted hacking over 15K websites

November 15, 2022

Threat actors have launched a wide-scale search engine optimisation (SEO) poisoning campaign against Google, hacking about 15,000 websites to redirect visitors to fake discussion forums. The aim is to generate large numbers of indexed pages that promote the malicious forum sites and push them higher in search results.

The SEO poisoning campaign has been priming the compromised websites for future use, including turning them into phishing sites or malware-dropping channels.

It is also likely that the operators plan to conduct advertisement fraud through the hacked sites, based on an ‘ads[.]txt’ file discovered inside the landing pages.

As most of the hacked sites run WordPress, researchers reported that the attackers are modifying existing WordPress PHP files to inject code that redirects visitors to the malicious discussion forums. In some cases the attackers instead drop a standalone PHP file onto the targeted site under a random or pseudo-legitimate file name.

The malicious code stored in the infected files checks whether the website visitor is logged in to a WordPress account. If they are not, the code redirects them to a site serving what appears to be a PNG image file, which in turn redirects them to the final destination: the malicious discussion forum site.

Experts explained that the PNG file uses JavaScript’s ‘window.location.href’ to send visitors to one of the targeted domains, including en.w4ksa[.]com, peace.yomeat[.]com, and qa.bb7r[.]com, among many others.

This process allows the threat operators to get the malicious forum sites indexed in Google and make them appear popular and frequently visited. A higher Google ranking also makes the resulting traffic look legitimate, helping the operators evade security detections.

Moreover, the threat operators exclude logged-in WordPress users and visitors on the ‘wp-login.php’ page, so that a site administrator is never redirected and does not become suspicious about the Google SEO poisoning campaign.
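A defender-side check for the two artefacts described above, the state-gated PHP redirect and the JavaScript redirect served as a "PNG", written as an added example rather than code from the researchers’ report; the sample PHP, the `.invalid` domains and the detector names are constructed assumptions:

```python
import os
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # a genuine PNG always starts with this signature

# Indicators modelled on the behaviour described in the article: a redirect gated on the
# visitor not being logged in, a wp-login.php exclusion, a raw Location header, plus eval().
PHP_INDICATORS = {
    "logged_in_check": re.compile(r"!\s*is_user_logged_in\s*\("),
    "wp_login_exclusion": re.compile(r"wp-login\.php"),
    "location_redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "obfuscated_eval": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
}

def php_indicators(source: str) -> list:
    """Names of the indicators present in one PHP source string."""
    return [name for name, rx in PHP_INDICATORS.items() if rx.search(source)]

def is_suspicious_php(source: str) -> bool:
    """A Location redirect gated on visitor state, or an obfuscated eval, merits review."""
    hits = set(php_indicators(source))
    gated = "location_redirect" in hits and hits & {"logged_in_check", "wp_login_exclusion"}
    return bool(gated) or "obfuscated_eval" in hits

def is_fake_png(data: bytes) -> bool:
    """A .png with no PNG signature that carries a JS redirect is a script, not an image."""
    return not data.startswith(PNG_MAGIC) and b"window.location.href" in data

def scan_tree(root: str) -> list:
    """Walk a WordPress install and return (path, reason) pairs worth a manual look."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name.lower().endswith(".php"):
                text = data.decode("utf-8", "replace")
                if is_suspicious_php(text):
                    findings.append((path, "php:" + ",".join(php_indicators(text))))
            elif name.lower().endswith(".png") and is_fake_png(data):
                findings.append((path, "png:script disguised as image"))
    return findings

# Constructed samples (not taken from the report) that exercise both detectors.
CONSTRUCTED_PHP = ("<?php if (!is_user_logged_in() && strpos($_SERVER['REQUEST_URI'], 'wp-login.php') "
                   "=== false) { header('Location: https://hop.example.invalid/i.png'); exit; }")
BENIGN_PHP = "<?php if (!is_user_logged_in()) { wp_safe_redirect(wp_login_url()); exit; }"
CONSTRUCTED_PNG = b"<script>window.location.href='https://forum.example.invalid/';</script>"
```

Run `scan_tree("/path/to/wordpress")` against a copy of the web root; a hit on a core or theme PHP file should then be diffed against a clean copy from the official package before anything is deleted.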

Several attempts were made to identify the threat group behind this Google SEO poisoning campaign, which is difficult because most of the sites hide their servers behind Cloudflare. Nonetheless, the researchers believe that a single set of operators likely controls the campaign, since all of the sites use the same website-building templates and are generated by automated tools.

Given that the campaign has mostly victimised WordPress sites, admins are advised to update their plugins to the latest patched versions and enable multi-factor authentication (MFA).
