February 15, 2023

Malware infects more than 14,000 WordPress sites

The victims find themselves re-routed to a bogus Q&A website filled with malicious files.

By Claudia Glover

More than 14,000 WordPress users have seen their systems infected with malware that places fraudulent adverts on their sites, redirecting victims to fake question-and-answer pages. The malicious redirects appear to be designed to improve the search engine optimisation (SEO) of the attacker’s sites, so that they are more prominent on Google.

Malvertising campaign targets up to 15,000 sites. (Photo by Primakov/Shutterstock)

Victims are redirected to sites that contain huge amounts of infected files, according to a new report released by cybersecurity company Sucuri. It found 20,000 infected files across 2,500 sites during September and October alone.

Malvertising campaign infects 15,000 sites

It is unclear how the malware is injected into the WordPress systems, but once activated it works by exploiting URL-shortening websites like bit.ly which feature in the Google AdSense adverts served up on many sites. The truncated URL will redirect to the wrong place, in this case to a bogus Q&A site. 

Once the malware has been clicked on, it hijacks the new site and takes advantage of its resources, such as website traffic and rankings. “Attackers are often found promoting spam for pharma, essay writing services, knock-off products or, in this case, fake Q&A sites,” states the report.

The promotion of fake Q&A websites, examples of which are relics of the internet such as search portals Ask Jeeves and Quora, is what sets this campaign apart from the rest. 

By redirecting to these fake sites, the attackers appear to be trying to build the SEO authority of their pages on Google, “which is probably why attackers are using Google search result links in their redirects,” states the report. This technique has been deemed ‘black hat SEO’.

Why WordPress is particularly affected

The most commonly affected files in the campaign are WordPress files. “The malware intertwines itself with the core operations of WordPress,” continues the report. “The redirect can execute itself in the browsers of whoever visits the site.” 

Looking at the most targeted files, this technique appears dangerous. The most commonly infected files are wp-settings.php, wp-mail.php and, at the top of the list, wp-signup.php. If infected, these files will provide huge amounts of access to the online infrastructure of whatever company has been infected.

These redirects are incredibly common. More than 50% of the malware Sucuri cleaned last year was SEO spam. “Furthermore, spam accounted for over one-third of all [our] malware detections,” reads the report. 

Malvertising is a growing problem

This is not the first time so-called malvertising – using fake adverts to convince users to click malicious links – has targeted WordPress sites. In 2019 the malware WP-VCD spread through pirated versions of WordPress themes and plugins that attackers had distributed through a network of rogue sites, states a report from Sophos Naked Security. 

In fact, malvertising on Google is a growing problem. Research from ad-tech company PubLift claims one in every 100 adverts online is smuggling malicious content. “Legitimate websites need to stay on top of the threats on both the supply and demand side in order to counter these potentially crippling malvertising attacks,” the report says.

