A clever piece of malware built for SEO injection (where a black hat loads a site's pages with malicious links, redirects users and inserts ad keywords, unbeknownst to the site owner) has been seen evading detection with an inventive technique: it appends itself in an unusual place in the back-end code of a WordPress site.
Researchers at Sucuri, a private cybersecurity firm, recently discovered the malware on two unrelated sites, targeting both English- and Korean-speaking searchers looking for various "free" downloads.
Upon examination, the analysts found that the malware has two functions. First, it can add hidden links for indexing by search engines (a practice that violates search engine terms and conditions and could get the website blacklisted); second, it can redirect web users to spam content.
The second function is more sophisticated than expected, because it only redirects unregistered site users (presumably one-time visitors who wouldn't flag the issue to the website admin). It also redirects visitors to specific pages depending on their profile.
In this way, cybercriminals can inject SEO terms, hidden from site visitors, into the page's code; these get indexed and move the site up the search engine results pages (SERPs). That increases exposure for the real purpose of the campaign, which is to redirect users to fake sites that could ultimately be committing ad fraud or serving malware, among other crimes.
A Savvy Approach
Ordinarily, SEO injection involves either injecting HTML code for hidden elements into theme files or injecting fake spam posts into the WordPress database, according to Sucuri. In both cases the injection is easy to find with either a file search or a keyword search inside WordPress.
“Infections are usually found via a simple file search for the terms attackers inject on the page,” the researchers explained in a Monday posting. “Did you find SEO spam for luxury handbags on your site? Search your files for that term and bang, there it is.” From there, site owners can simply delete the rogue content and then submit the site for blacklist review/SEO reindexing.
In this case, the malware creates a separate area in the site's database to store spam content and data about logged-in visitors. Rather than simply uploading spam posts into the dashboard, these tables use a different prefix from legitimate WordPress content, which means the posts won't load or appear in a site's admin dashboard.
When a visitor loads a page, the malware hijacks the normal WordPress database connection made while building that page and redirects it to the hidden area to fetch links to the spam posts. It then appends these links to the legitimate content before sending it back to the visitor's browser.
“The attacker was smart enough to return the database connection to the default tables before handing back the control so WordPress’ default flow can proceed ‘normally,’” researchers explained. “The injected links are invisible to human visitors, but search engines crawl and index them and they become search results.”
“[For instance], a request to the hacker-controlled my-game[.]biz site is made to fetch additional customized code based on the visitor's IP address, referrer and browser’s User-Agent string,” Sucuri explained.
It also appends the SEO spam directly after the closing HTML tag, which makes the malware harder to find.
“After some extensive searches, we noticed a suspicious code block on the theme’s functions.php file loading content from the WordPress’s wp_options table,” the researchers noted. “The code itself looks suspicious, as it silently executes part of the content fetched from the database. On top of that, it loads a theme_css option, which is not how CSS is usually loaded on a typical WordPress theme. Searching the database for that option, we found the malware itself.”
While Sucuri itself found two specific samples in the wild, it ran a PublicWWW search (a search engine that indexes page source code) and turned up 173 hacked sites with the malware installed.
“Hacked sites affected by this kind of black hat SEO campaign can get links from around a thousand sites overnight,” the researchers said.
Site owners will need to do more than a search to clean up the infection: they'll have to find and remove the malicious code from the theme's functions.php, Sucuri noted, and then find and remove the theme's CSS option, which may have been given a random name. Lastly, administrators should check their WordPress database for tables with unknown prefixes.
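The three cleanup checks above (a theme file that reads an option and executes it, an option holding code under a stylesheet-like name, and database tables under a second prefix) can be scripted against exported copies of functions.php, the wp_options rows and the table list. The following Python is an added example, not Sucuri's tooling or anything from the article: every input is constructed inline, the sample functions.php is modelled on the article's description rather than copied from any real sample, and the function names, regexes and the `sp_` prefix are assumptions made for the demonstration.

```python
"""Offline triage helpers for the WordPress SEO-spam cleanup steps.

Added example (not Sucuri's code). All inputs below are constructed so the
script runs without a WordPress install; in practice you would feed it an
exported functions.php, the output of `wp option list`, and `wp db tables`.
"""
import base64
import re

# Constructed sample of a theme functions.php of the kind the article
# describes: an option is read from wp_options and part of it is executed.
SAMPLE_FUNCTIONS_PHP = r"""<?php
add_theme_support('post-thumbnails');
function theme_load_styles() {
    $css = get_option('theme_css');
    if ($css) { eval(substr($css, 7)); }   // executes database content
}
add_action('init', 'theme_load_styles');
"""

# Constructed wp_options rows: two normal ones, one CSS-looking option that
# carries PHP after a comment, and one option whose value is base64-wrapped.
PAYLOAD = "<?php eval('/* placeholder for injected code */'); ?>"
SAMPLE_OPTIONS = {
    "siteurl": "https://example.com",
    "blogname": "Example Site",
    "theme_css": "/* css */" + PAYLOAD,
    "x7f_cache": base64.b64encode(PAYLOAD.encode()).decode(),
}

# Constructed table list: the real wp_ tables plus a hidden sp_ set.
SAMPLE_TABLES = ["wp_options", "wp_posts", "wp_postmeta", "wp_users",
                 "wp_usermeta", "sp_posts", "sp_postmeta", "sp_options"]

OPTION_READ = re.compile(r"get_option\(\s*['\"]([\w-]+)['\"]")
# PHP constructs that turn data into code, and decoders used to hide payloads.
CODE_EXEC = re.compile(r"\b(eval|assert|create_function)\s*\(")
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PHP_OPEN = "<?php"


def scan_theme_file(source: str) -> dict:
    """Report option reads and code-execution calls with their line numbers.

    Reading an option is normal; reading one and handing it to eval() is the
    combination the article describes, so only that pair marks the file.
    """
    options, exec_lines, decoder_lines = [], [], []
    for lineno, line in enumerate(source.splitlines(), start=1):
        options.extend(OPTION_READ.findall(line))
        if CODE_EXEC.search(line):
            exec_lines.append(lineno)
        if DECODER.search(line):
            decoder_lines.append(lineno)
    return {
        "options_read": options,
        "exec_lines": exec_lines,
        "decoder_lines": decoder_lines,
        "suspicious": bool(options) and bool(exec_lines),
    }


def foreign_prefix_tables(table_names, prefix: str) -> list:
    """Tables that do not carry the $table_prefix configured in wp-config.php.

    Plugins create extra tables but reuse the same prefix; a second prefix is
    how the article says the spam posts were kept out of the dashboard.
    """
    return sorted(t for t in table_names if not t.startswith(prefix))


def _looks_like_code(text: str) -> bool:
    return PHP_OPEN in text or CODE_EXEC.search(text) is not None


def suspicious_options(options: dict) -> list:
    """Names of options whose value holds PHP code, plain or base64-wrapped."""
    flagged = []
    for name, value in options.items():
        if _looks_like_code(value):
            flagged.append(name)
            continue
        for blob in B64_RUN.findall(value):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64, or not text: leave it alone
            if _looks_like_code(decoded):
                flagged.append(name)
                break
    return sorted(flagged)


def triage(theme_source: str, table_names, prefix: str, options: dict) -> dict:
    """Run all three checks and return one report."""
    return {
        "theme": scan_theme_file(theme_source),
        "foreign_tables": foreign_prefix_tables(table_names, prefix),
        "option_payloads": suspicious_options(options),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FUNCTIONS_PHP, SAMPLE_TABLES, "wp_", SAMPLE_OPTIONS), indent=2))
```

The theme check deliberately requires both an option read and an execution call, because many legitimate themes call get_option() and a few legitimate plugins decode base64; flagging either alone would drown the real finding. The table check only compares prefixes, so tables a plugin created under the correct prefix are not reported, while a whole second set such as the constructed `sp_` tables is.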