A new malicious SEO campaign has successfully compromised over 15,000 WordPress websites. The goal of the campaign is to redirect users to fake Q&A sites to increase visitor traffic.

Over 15,000 WordPress Sites Compromised

In a new black hat redirect campaign, hackers have managed to compromise over 15,000 WordPress websites to increase the search engine rank of various phony websites.

As reported in a Sucuri blog post, there has been a noticeable surge in WordPress malware redirection sites since September 2022. These redirect sites take users to fake, low-quality Q&A portals. During September and October alone, hackers were able to successfully target over 2,500 sites.

Sucuri, a security researcher, has detected 14 phony websites so far, with their servers being obscured by a proxy. The questions displayed on the sites are pulled from other, legitimate Q&A platforms. With an increased SEO ranking, these sites can reach more individuals.

Fake Q&A Sites Can Spread Malware

person touching matrix code

The fake sites used in this redirect campaign are capable of spreading malware to visitors. Unlike many malicious sites, these particular phony Q&A forums are capable of modifying over 100 infected files per site. This isn't often done, as it makes their detection and termination more likely.

In the aforementioned blog post, Sucuri stated that most of the infected files are core WordPress files, but also listed a number of files that are most commonly infected, all of which have .php extensions. The list of infected .php files is shown below:

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Sucuri also highlighted that the malware was found to be present in some pseudo-legitimate file names dropped by the hackers themselves, including:

  • RVbCGlEjx6H.php
  • lfojmd.php
  • wp-newslet.php
  • wp-ver.php
  • wp-logln.php

Hackers' Breach Method May be a Vulnerable Plugin or Brute-Force

Sucuri has not yet discovered how these black hat hackers are breaching these WordPress sites, but it is thought that a vulnerable plugin or brute-force attack are the most likely culprits. Hackers may be using an exploit kit to seek out security vulnerabilities within plugins to highlight a target. Alternatively, the WordPress site admin's login password could be cracked using an algorithm in a brute-force attack.

WordPress Sites Are Common Exploit Targets

This is by no means the first time that WordPress sites have been targeted by malicious actors. Millions of WordPress sites have been compromised by cybercriminals in the past, and there's no doubt that many more will continue to fall victim to such attacks.