Thousands of websites hijacked for poisoned Google SEO campaign


Cybercriminals have launched a major malicious SEO campaign with the goal of promoting obscure, low-quality Q&A sites, new research has found. 

A report from cybersecurity researchers Sucuri states that a unique piece of WordPress malware sits at the center of this campaign.

According to the report, the campaign was first observed in September 2022, when the team spotted a surge in WordPress malware that was redirecting website visitors to fake Q&A sites via ois[.]is. The goal of the malicious redirects was to boost the authority of these Q&A sites in the eyes of search engines. In total, almost 15,000 websites have been affected so far.

Hundreds of infected files

What makes this campaign stand out from all the other malicious SEO campaigns is that the threat actors aren’t really trying hard to hide the malware on these sites. In fact, they’re doing the exact opposite. 

Usually, website malware infections limit themselves to a small number of files, to be able to fly under the radar. With this campaign, the average website has more than 100 infected files, making it somewhat unique in that respect. Most commonly, the malware would affect core WordPress files, such as ./wp-signup.php, ./wp-cron.php, ./wp-links-opml.php, ./wp-settings.php, and ./wp-comments-post.php. 

However, this malware was also observed infecting malicious .php files created by other, unrelated malware campaigns.
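Because the infection rewrites core files in bulk, comparing them against a known-good baseline is a direct way to spot it. The sketch below is an added example, not code from Sucuri's report or from this article; the function names, the SHA-256 baseline format and the sample files are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Core files the report names as the most commonly infected.
CORE_FILES = ["wp-signup.php", "wp-cron.php", "wp-links-opml.php",
              "wp-settings.php", "wp-comments-post.php"]
# Redirect domain from the report (written ois[.]is there). Matching it as
# plain text is an assumption; an injection that hides the domain is only
# caught by the hash comparison below.
REDIRECT_RE = re.compile(rb"(?<![\w.-])ois\.is\b")

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_site(root, baseline):
    """Compare core files with a known-good baseline and search every .php
    file for the redirect domain. baseline maps relative path -> SHA-256."""
    root = Path(root)
    report = {"modified": [], "missing": [], "redirect_refs": []}
    for rel, good in sorted(baseline.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != good:
            report["modified"].append(rel)
    for php in sorted(root.rglob("*.php")):
        if REDIRECT_RE.search(php.read_bytes()):
            report["redirect_refs"].append(php.relative_to(root).as_posix())
    return report

def demo():
    """Constructed sample: a clean tree, then two changes made afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in CORE_FILES:
            (root / name).write_text("<?php // constructed clean file: %s\n" % name)
        baseline = {name: sha256_of(root / name) for name in CORE_FILES}
        # Simulated tampering: one core file rewritten, plus a stray file
        # outside the baseline that mentions the redirect domain.
        (root / "wp-cron.php").write_text("<?php // constructed change\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "old.php").write_text("<?php // ois.is\n")
        return scan_site(root, baseline)

if __name__ == "__main__":
    print(demo())
```

On a real site the baseline would be built from a clean copy of the same WordPress release, and any file listed under `modified` would be replaced from that copy rather than edited by hand.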

“Since the malware intertwines itself with the core operations of WordPress the redirect is able to execute itself in the browsers of whoever visits the site,” the researchers explained.

Redirects to spam websites are hardly a novel approach to cybercrime, Sucuri’s researchers added. In fact, more than half (50%) of the malware the company cleaned up last year was SEO spam. Also, spam takes up more than a third of all malware detections from its SiteCheck tool. 

“That said, spam redirects in particular are not as common with just over 13% of all SEO spam infections classified as a malicious redirect,” the company concluded.

Via: BleepingComputer

Sead Fadilpašić
