Thousands of WordPress Sites Compromised in Malicious SEO Campaign (16th November 2022)

Ref# AL2022_74 | Date: Nov 16th 2022

Description 

A new malicious campaign has compromised over 15,000 WordPress websites to redirect visitors to bogus Q&A portals. 

Summary 

The purpose of this search engine poisoning strategy is to increase the popularity of low-quality, fake Q&A sites run by the threat actor using the same website creation tools. The malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines.

What makes the campaign stand out is the hackers' ability to alter over 100 files per website on average; other attacks of this type often alter only a small number of files to minimize their impact and avoid discovery. The most commonly infected files include wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.

This thorough compromise lets the malware carry out redirects to any website the attacker chooses. Note that, to avoid raising suspicion, the redirection does not take place if the wordpress_logged_in cookie is present or if the current page is wp-login.php (the login page).

This campaign aims to boost the sites' authority and drive more traffic to the fake sites: fake search result clicks lead Google to rank them better, which helps them get more organic search traffic. The injected code accomplishes this by starting a redirect to a PNG image hosted on the domain “ois[.]is” which, instead of loading an image, sends website visitors to a Google search result URL of a spam Q&A domain.

Indicators of Compromise

For a list of IOCs related to this malware campaign, follow the URL for related IP addresses, URLs and hashes: 

https://publicwww.com/websites/%22ois.is%22/  
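A defensive check built from the indicators in this alert, added here as an example and not taken from the original alert: it searches the PHP files under a WordPress root for the ois[.]is domain and separates hits in the core files listed in the Summary from hits elsewhere. It assumes the domain appears as literal text in the injected code; the function names and the sample tree are constructed for illustration.

```python
import sys
import tempfile
from pathlib import Path

# Indicator domain from the alert, refanged from its "ois[.]is" form.
INDICATOR = "ois[.]is".replace("[.]", ".").encode()
# Core files the alert lists as most commonly infected (site root only).
COMMON_TARGETS = {
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
}

def scan_wordpress(root):
    """Return (listed_hits, other_hits): PHP files containing the indicator."""
    root = Path(root)
    listed, other = [], []
    for path in sorted(root.rglob("*.php")):
        try:
            data = path.read_bytes().lower()  # case-insensitive literal match
        except OSError:
            continue  # unreadable entry or directory: skip, keep scanning
        if INDICATOR in data:
            rel = path.relative_to(root).as_posix()
            is_listed = path.parent == root and path.name in COMMON_TARGETS
            (listed if is_listed else other).append(rel)
    return listed, other

def demo():
    """Scan a constructed sample tree (harmless text, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "wp-cron.php": "<?php $u = 'https://OIS.IS/x.png'; // constructed",
            "wp-login.php": "<?php // constructed clean file",
            "wp-content/themes/t/functions.php": "<?php // constructed: ois.is",
            "readme.html": "ois.is in a non-PHP file (constructed)",
        }
        for rel, body in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_wordpress(root)

if __name__ == "__main__":
    listed, other = scan_wordpress(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("listed core files containing the indicator:", listed)
    print("other PHP files containing the indicator:", other)
```

A hit is a lead for manual review, and a clean result does not rule out compromise if the injected code hides the domain.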

Remediation 

It's currently unclear how the WordPress websites are compromised, as researchers stated that they did not find any obvious plugin issues being used in the campaign.

This suggests that the compromise may be the result of brute-forcing WordPress administrator accounts; it is of utmost importance that users enable two-factor authentication and ensure that all software is up to date.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 
