More than 14,000 WordPress users have seen their systems infected with malware that places fraudulent adverts on their sites, redirecting victims to fake question-and-answer pages. The malicious redirects appear to be designed to improve the search engine optimisation (SEO) of the attacker’s sites, so that they are more prominent on Google.
Victims are redirected to sites that contain huge numbers of infected files, according to a new report released by cybersecurity company Sucuri. It found 20,000 infected files across 2,500 sites during September and October alone.
Malvertising campaign infects 15,000 sites
It is unclear how the malware is injected into the WordPress systems, but once active it works by abusing URL-shortening services such as bit.ly, which appear in the Google AdSense adverts served on many sites. The shortened URL redirects to the wrong place, in this case to a bogus Q&A site.
Once a visitor clicks on the malware, it hijacks the new site and takes advantage of that site's resources, such as its website traffic and search rankings. “Attackers are often found promoting spam for pharma, easy writing services, knock-off products or, in this case, fake Q&A sites,” states the report.
The promotion of fake Q&A websites, examples of which resemble relics of the internet such as the search portals Ask Jeeves and Quora, is what sets this campaign apart from the rest.
By redirecting to these fake sites, the attackers appear to be trying to build the SEO authority of their pages on Google, “which is probably why attackers are using Google search result links in their redirects,” states the report. This technique has been deemed ‘black hat SEO’.
Why WordPress is particularly affected
The most commonly affected files in the campaign are WordPress files. “The malware intertwines itself with the core operations of WordPress,” continues the report. “The redirect can execute itself in the browsers of whoever visits the site.”
The files most often targeted show why this technique is dangerous. The most commonly infected files are wp-settings.php, wp-mail.php and, at the top of the list, wp-signup.php; if these files are infected, they provide extensive access to the online infrastructure of whichever company has been compromised.
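One way a site owner can catch the kind of core-file tampering described above is a baseline-and-verify integrity check. The following is an added example written for this article, not code from the report or from WordPress: it hashes every PHP file in a (constructed) WordPress root, then reports files that were modified, added or removed. The placeholder file contents and the tampering are constructed for the demonstration and are not real samples.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the report names as the most commonly infected in this campaign.
CORE_FILES = ["wp-signup.php", "wp-mail.php", "wp-settings.php"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record a hash for every .php file under root, taken from a known-clean install."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*.php"))}


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the baseline; anything new, changed or gone is suspect."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "missing": sorted(f for f in manifest if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then wp-signup.php is altered and a rogue file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in CORE_FILES:
            (root / name).write_text(f"<?php\n// constructed stand-in for {name}\n")
        manifest = build_manifest(root)  # baseline from the clean tree
        # Simulate the infection pattern the report describes: extra code appended to a core file.
        with (root / "wp-signup.php").open("a") as f:
            f.write("/* constructed injected content, not a real sample */\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "unexpected.php").write_text("<?php // constructed rogue file\n")
        return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the manifest would come from a known-clean copy of the same WordPress version rather than from the live tree; WP-CLI's `wp core verify-checksums` performs the same comparison against the official checksums.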
These redirects are incredibly common. More than 50% of the malware Sucuri cleaned last year was SEO spam. “Furthermore, spam accounted for over one-third of all [our] malware detections,” reads the report.
Malvertising is a growing problem
This is not the first time so-called malvertising – using fake adverts to convince users to click malicious links – has targeted WordPress sites. In 2019 the malware WP-VCD spread through pirated versions of WordPress themes and plugins that attackers had distributed through a network of rogue sites, states a report from Sophos Naked Security.
In fact, malvertising on Google is a growing problem. Research from ad-tech company PubLift claims one in every 100 adverts online is smuggling malicious content. “Legitimate websites need to stay on top of the threats on both the supply and demand side in order to counter these potentially crippling malvertising attacks,” the report says.