Recently, the cybersecurity researchers of Sucuri have found that threat actors are conducting a tremendous massive black hat search engine optimization (SEO) campaign.
However, nearly 15,000 websites redirected visitors to participate in fake Q&A discussion forums in this campaign. Over the course of September and October, the SiteCheck scanner of Sucuri detected over 2,500 redirects to other sites.
Not only this, but the experts have also stated that each and every compromised site contains nearly 20,000 files. All these files were being used as a part of the malicious campaign, which was being carried out by the threat actors, and most of the sites were WordPress.
Malicious ois[.]is Redirects
According to the securi report, After detecting the malware, the experts conducted a brief survey and found that some of the website’s malware infections generally limit themselves to a smaller number of files.
Not only this, but they also limit their footprint so that they can avoid detection and carry out their operations properly.
A website infected with this malware will, on average, have over 100 files infected; that’s why this malware is completely different from others.
Common Infected Files
This malware is most commonly found infecting core files of WordPress, and it has also been found to infect “.php” files that were created by unrelated malware campaigns.
The following is a list of the top 10 most commonly infected files:-
- ./wp-signup.php
- ./wp-cron.php
- ./wp-links-opml.php
- ./wp-settings.php
- ./wp-comments-post.php
- ./wp-mail.php
- ./xmlrpc.php
- ./wp-activate.php
- ./wp-trackback.php
- ./wp-blog-header.php
Domains Targeted
The domain that has been targeted in this malicious campaign are listed below:-
- en.w4ksa[.]com
- peace.yomeat[.]com
- qa.bb7r[.]com
- en.ajeel[.]store
- qa.istisharaat[.]com
- en.photolovegirl[.]com
- en.poxnel[.]com
- qa.tadalafilhot[.]com
- questions.rawafedpor[.]com
- qa.elbwaba[.]com
- questions.firstgooal[.]com
- qa.cr-halal[.]com
- qa.aly2um[.]com
Targeting WordPress Sites
The hackers are injecting redirects to the fake Q&A forums by altering WordPress PHP files, such as:-
- wp-singup.php
- wp-cron.php
- wp-settings.php
- wp-mail.php
In order to achieve their objectives, attackers commonly use the technique of dropping their own PHP files onto the target site. While the attackers usually use a file name that looks legitimate, for instance:-
- wp-logln.php
A malicious file infected or injected into a WordPress site contains malicious code that checks if the visitor is logged in to WordPress or not. If they are logged in, then it redirects them to the hxxps://ois[.]is/images/logo.png URL.
Unlike other URLs, this URL will not send an image to the browser in order to redirect the user to the promoted Q&A website but instead will load JavaScript that redirects them to a Google search click activity to the promoted Q&A website.
The spam sites that the attackers are using for the purpose of building their spam sites consist of a lot of random questions and answers that have been scraped from other Q&A sites in order to populate the spam sites with content.
Many of the stories revolve around cryptocurrencies and financial themes, which makes them based on the same concepts.
Methods of Mitigation
There had been no obvious exploit that appears to be associated with this spam campaign that exploits a single plugin vulnerability.
It is common for attackers to use exploit kits to probe for vulnerabilities in any common components of the software that are vulnerable.
Furthermore, it is likely that the compromised wp-admin administrator panels are also the source of the compromise of websites.
In this regard, it is highly recommended that you set up 2FA or some other type of access restriction within your wp-admin panel in order to ensure your security.
It is likely that all of the sites belong to the same threat actor since they use similar website-building templates. Not only this, but they all seem to have been generated by automated tools, making it quite likely that the same group of hackers generated them.
While till now it’s not yet clear how the threat actors were able to breach the websites used for redirections. So, in order to protect your website from attacks, you can place it behind a firewall.
Network Security Checklist – Download Free E-Book
