Thousands of websites hijacked for poisoned Google SEO campaign
Cyber criminals have launched a major malicious SEO campaign aimed at promoting obscure, low-value Q&A sites, new research shows.
A report by cybersecurity researchers Sucuri states that a unique piece of WordPress malware is central to this campaign.
According to the report, the campaign was first sighted in September 2022, when the team spotted a wave of WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. The purpose of the malicious redirects was to increase the authority of these Q&A sites in the eyes of search engines – and in total, nearly 15,000 websites have been affected so far.
Hundreds of infected files
What sets this campaign apart from all other malicious SEO campaigns is that the threat actors make little effort to hide the malware on these sites. In fact, they do the exact opposite.
Usually, website malware infections are limited to a small number of files in order to fly under the radar. With this campaign, the average website has more than 100 infected files, which makes it somewhat unique in that regard. Typically, the malware would affect key WordPress files such as ./wp-signup.php, ./wp-cron.php, ./wp-links-opml.php, ./wp-settings.php and ./wp-comments-post.php.
However, this malware was also observed infecting malicious .php files created by other unrelated malware campaigns.
“Because the malware intertwines with WordPress’ core business, the redirect can run itself in the browsers of anyone visiting the site,” the researchers explain.
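A site owner can check the core files named above against a clean copy of the same WordPress release. The sketch below is an added example, not code from Sucuri's report: the function names, the sample trees and the plain-text search for the redirect domain are assumptions made for illustration, and the string search is only a coarse first pass next to the hash comparison.

```python
import hashlib
import tempfile
from pathlib import Path

# Core files the report names as typical infection targets.
CORE_FILES = ["wp-signup.php", "wp-cron.php", "wp-links-opml.php",
              "wp-settings.php", "wp-comments-post.php"]
# Redirect domain from the report, kept defanged and refanged only for matching.
REDIRECT_DOMAIN = "ois[.]is".replace("[.]", ".")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_site(site_root, clean_root):
    """Compare the named core files with a clean copy of the same WordPress
    release and list every .php file that mentions the redirect domain."""
    site, clean = Path(site_root), Path(clean_root)
    modified = []
    for name in CORE_FILES:
        live, ref = site / name, clean / name
        if not ref.is_file():
            continue  # reference copy lacks the file, nothing to compare against
        if not live.is_file() or sha256(live) != sha256(ref):
            modified.append(name)  # missing or altered relative to the clean copy
    flagged = sorted(
        p.relative_to(site).as_posix() for p in site.rglob("*.php")
        if p.is_file() and REDIRECT_DOMAIN in p.read_text(errors="replace")
    )
    return {"modified_core": modified, "domain_hits": flagged}


def demo():
    """Constructed sample trees: one altered core file, one extra PHP file."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for root in (site, clean):
            root.mkdir()
            for name in CORE_FILES:
                (root / name).write_text("<?php // constructed stock file\n")
        (site / "wp-cron.php").write_text(f"<?php // constructed, altered: {REDIRECT_DOMAIN}\n")
        (site / "wp-content").mkdir()
        (site / "wp-content" / "x.php").write_text(f"<?php // constructed: {REDIRECT_DOMAIN}\n")
        return check_site(site, clean)


if __name__ == "__main__":
    print(demo())
```

Because the report describes more than 100 infected files on an average site, a hash mismatch in any of these five files is a reason to compare the whole installation against the clean copy, not just the files listed here.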
Redirects to spam websites are hardly a new approach to cybercrime, Sucuri’s researchers added. In fact, more than half (50%) of the malware the company cleared last year was SEO spam. Spam also accounts for more than a third of all malware detections from its SiteCheck tool.
That said, spam redirects in particular are not that common, with just over 13% of all SEO spam infections classified as a malicious redirect, the company concluded.
Via: BleepingComputer