Tuesday, June 18, 2024

10,890 WordPress Sites Hacked for a Massive AdSense Fraud Campaign

The cybersecurity researchers at Sucuri recently discovered a critical backdoor that has managed to infiltrate thousands of websites over the past few months.

A group of threat actors who are responsible for a malware campaign called “black hat redirect” has increased the scope of their operation by incorporating more than 70 fake domains that imitate URL shortening services. 

The attackers have managed to infect a significant number of websites with this malware, with the current count surpassing 10,890.

Visitors are Being Directed to Hacked Sites

The primary goal of the operation remains ad fraud, which involves the use of illicit techniques to artificially boost the volume of traffic to web pages featuring AdSense IDs and Google ads. This activity is carried out with the intent of generating revenue through fraudulent means.

Recently, various Google products such as Google Ads, Google Home, and Google Drive have been used to disseminate malware and other harmful components. This has been confirmed as a factual occurrence and has raised concerns about the security and safety of these products.

GoDaddy’s subsidiary company first revealed the malicious activity in November 2022, after the company was acquired by the GoDaddy corporation.

This campaign began in September last year and is redirecting visitors to compromised WordPress sites to fake question-and-answer portals. This is a potential threat to the security and privacy of individuals who may unknowingly disclose sensitive information.

Apparently, this aims to increase the authority of spammy sites in search engines so that they will appear higher in search results.

Similar to the previous malware attack, it has been observed that the latest wave of malware is also attempting to redirect internet traffic through Google searches. By doing so, the attackers aim to make the redirected traffic occur legit.

Abusing URL Shorteners

Sucuri detected that all of the infected websites were using the WordPress content management system. As a result of this, legitimate files on the websites had been corrupted with an obfuscated PHP script.

The latest campaign has a significant feature that sets it apart from previous ones. In their redirects, it makes use of Bing search result links, Twitter’s link shortener service, and Google as well.

The campaign’s utilization of these services suggests a strategic move to evade detection by security measures. This indicates an expansion of the threat actor’s footprint.

Attack Analysis

Sucuri researchers have recently discovered more than 75 pseudo-short URL domains that are associated with redirected traffic. This discovery has been made over the course of the last two months.

It is important to highlight that the majority of malicious URLs discovered are linked to a single URL-shortening service. All the low-quality Question2Answer websites are completely related to cryptocurrency or blockchain technology.

It has been suggested that these advertisements may be part of an intentional pump-and-dump ICO fraud where new cryptocurrencies are advertised.

Despite the lack of conclusive evidence, researchers are confident that the main aim of ad fraud is to artificially boost website traffic in order to display Google ads and generate revenue through AdSense ID.

These malicious websites have been known to inject obfuscated code into critical files, such as wp-blog-header.php. This code can cause harm by manipulating the behavior of the affected website and potentially compromising the security of its users.

In order to ensure that the malware is not detected and disinfected, this code acts as a backdoor. In an effort to conceal itself, the malware adopts the strategy of pausing redirections for a period of 2 to 6 hours whenever an administrator logs in or a user visits an infected site. 

This makes it difficult for website administrators to detect the presence of the malware, as its activity is temporarily suspended during these instances. In order to hide the malicious code, Base64 encoding is used.

AdSense IDs Used

Here below we have mentioned all the AdSense IDs that are used on the websites that are infected:-

  • en[.]rawafedpor[.]com: ca-pub-8594790428066018
  • plus[.]cr-halal[.]com: ca-pub-3135644639015474
  • eq[.]yomeat[.]com: ca-pub-4083281510971702
  • news[.]istisharaat[.]com: ca-pub-6439952037681188
  • en[.]firstgooal[.]com: ca-pub-5119020707824427
  • ust[.]aly2um[.]com: ca-pub-8128055623790566
  • btc[.]latest-articles[.]com: ca-pub-4205231472305856
  • ask[.]elbwaba[.]com: ca-pub-1124263613222640, ca-pub-1440562457773158


Here below we have mentioned all the mitigations recommended by the experts to the website owners:-

  • Ensure that all software is updated to the most recent version and make sure it is patched.
  • Ensure that the admin area of your WordPress website has 2FA security or other access restrictions.
  • Immediately change all the panel and database passwords.
  • Make sure to use strong and unique passwords with several variations.
  • Protect your website against attacks by placing it behind a firewall.

Network Security Checklist – Download Free E-Book


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles