A new cybercrime gang has been seen taking over vulnerable WordPress sites to instal hidden e-commerce stores with the aim of hijacking the original site search engine ranking and reputation and promoting online scams.
Attacks were discovered earlier this month targeting a WordPress honeypot set up and managed by Larry Cashdollar, a security researcher on the Akamai Security Team.
The attackers used brute-force attacks to gain access to the site’s admin account, after which they overwrote the WordPress site’s main index file and appended the malicious code.
While the code was heavily blurred, Cashdollar said the primary role of the malware was to act as a proxy and redirect all incoming traffic to a remote command-and-control (C&C) server managed by hackers.
It was on this server where the entire “business logic” of the attacks took place. According to Cashdollar, a typical attack would go as follows:
- User visits hacked WordPress site.
- The hacked WordPress site redirects a request from the user to the malware’s C&C server.
- If a user meets certain criteria, the C&C server tells the site to reply with an HTML file containing an online store peddling a wide variety of mundane objects.
- Instead of the original site the user wished to view. The hacked site responds to the user’s request with a scammy online store.
Cashdollar said that the attackers hosted over 7,000 e-commerce stores during the time the hackers had access to his honeypot, which they intended to serve incoming visitors.
Intruders poisoned the Sites XML Sitemap
In addition, the Akamai researchers said the hackers also generated XML sitemaps for the hacked WordPress sites. That contained entries for the fake online stores together with the site’s authentic pages.
The attackers generated the sitemaps, submitted them to Google’s search engine, and then deleted the sitemap to avoid detection.
While this procedure looked pretty harmless. It actually had a pretty big impact on the WordPress site. Because it ended up poisoning its keywords with unrelated and scammy entries. That lowered the website’s search engine results page (SERP) ranking.
Cashdollar now believes that this kind of malware could be used for SEO extortion schemes. Where criminal groups intentionally poison a site’s SERP ranking and then ask for a ransom to revert the effects.
“This makes them a low-barrier attack for criminals to pull off, as they only need a few compromised hosts to get started,” Cashdollar said. “Given that there are hundreds of thousands of abandoned WordPress installations online. And millions more with outdated plug-ins or weak credentials, the potential victim pool is massive.”
You may also like: