Malicious SEO Campaign Compromises More Than 15,000 WordPress Websites

A recent black hat SEO campaign has redirected thousands of websites to spam portals.
Sucuri, an established web security service provider, has tracked down a malicious search engine optimization (SEO) campaign that used black hat strategies to carry out its attack. Sucuri’s Ben Martin reported that this black hat SEO campaign has already compromised more than 15,000 WordPress websites.
The attackers carried out their black hat SEO campaign by redirecting the visitors of over 15,000 WordPress websites to fraudulent, low-quality Q&A sites. The attackers own these spam Q&A websites, and their main purpose is to increase the domain authority of these fraudulent sites.
Each compromised website was infected with 20,000 files that were used to execute the malicious SEO campaign. The hackers targeted common WordPress PHP files, modifying the likes of wp-signup.php, wp-cron.php, wp-settings.php, wp-mail.php, and wp-blog-header.php. By modifying these PHP files, the hackers were able to implant the redirects to their spam websites.
According to Sucuri, the attackers redirected visitors to the 14 spam websites they own. These spam Q&A sites contain scraped question-and-answer content, most of it about cryptocurrency and finance. Interestingly, Sucuri noted that it hasn't detected any malicious activity on the attackers' spam websites. But if this black hat SEO campaign continues, the attackers may opt to use their current spam sites to redirect visitors to other malicious websites. Moreover, the attackers might also be preparing their spam sites for a phishing campaign or for advertising fraud.
The attackers hid their servers behind a Cloudflare proxy, and while it's difficult to know who the perpetrators are, Sucuri researchers believe that there is just one group responsible for this malicious SEO campaign.
To put it in very simple terms, a malicious redirect is a script or code that redirects a website visitor to another site. You might have encountered this before: you click on a link and it takes you to another site that looks shady or nothing like the website you intended to visit. Malicious redirects are typically used by hackers to generate more traffic to their websites and gain more advertising revenue as a result.
If you're a website owner, these malicious redirects could harm your brand and cost you customers in the process. Some hackers might use malicious redirects to start a phishing campaign, sell fake products and services, or infect devices with malware.
Having said that, it is important to remove malicious redirects from your website to protect you and your site visitors from further harm.
If you find out that your website has been infected with malicious redirects, you can do these things to help remove malware from your site’s system.
If you're planning to manually remove malware, the first thing you need to do is back up your files so you still have the option to restore your site to its original settings. In the case of malicious redirects, you have to clean up your site's plugin files and themes, remove or optimize the cache, and reinstall your core files. Just make sure that you know the ins and outs of a WordPress website before doing a manual cleanup.
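One way to find which core files need replacing before the reinstall described above, as an added example that is not from Sucuri's report or this article's source: it hashes the site's core files and compares them against a clean copy of the same WordPress version. The clean copy, the function names and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# wp-content holds themes, plugins and uploads, so it is not part of core.
SKIP_DIRS = {"wp-content"}
# wp-config.php is site-specific and absent from a clean download.
SITE_SPECIFIC = {"wp-config.php"}

def core_files(root: Path) -> dict:
    """Map relative path -> SHA-256 for every core file under root."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] not in SKIP_DIRS:
            out[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def audit_core(site_root, clean_root) -> dict:
    """Compare a live site against a clean copy of the same WordPress version."""
    site, clean = core_files(Path(site_root)), core_files(Path(clean_root))
    modified = sorted(f for f in clean if f in site and site[f] != clean[f])
    missing = sorted(f for f in clean if f not in site)
    unexpected = sorted(f for f in site if f not in clean
                        and f.endswith(".php") and f not in SITE_SPECIFIC)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def demo() -> dict:
    """Constructed sample trees; file contents are placeholders, not real WordPress."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        core = {"wp-blog-header.php": "<?php // header\n",
                "wp-cron.php": "<?php // cron\n",
                "wp-includes/version.php": "<?php // version\n"}
        for root in (clean, site):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Simulate a tampered core file with a harmless constructed marker.
        (site / "wp-blog-header.php").write_text("<?php // header\n// constructed change\n")
        (site / "wp-config.php").write_text("<?php // site settings\n")
        (site / "wp-includes/extra.php").write_text("<?php // constructed stray file\n")
        (site / "wp-content/plugins").mkdir(parents=True)
        (site / "wp-content/plugins/p.php").write_text("<?php // plugin\n")
        return audit_core(site, clean)

if __name__ == "__main__":
    print(demo())
```

On a real site, point `audit_core` at the document root and at an unpacked download of the matching WordPress release; anything listed under `modified` or `unexpected` is a candidate for replacement or removal. Themes and plugins under wp-content need their own comparison against clean copies.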
You can also check which security plugins you can use to remove the malicious redirects on your website. There are tons out there – just carefully evaluate if the plugins are from reliable and legitimate channels.
Rather than waiting for malicious redirects to hit your website, it's still better to avoid them at all costs. You can do this by always updating your plugins and CMS, and regularly using a malware scanner to check your site for any system irregularities.