Hackers conducted a massive campaign utilizing search engine optimization (SEO) tools to compromise close to 15,000 websites. Affected websites took visitors to fake Q&A discussion forums. Security firm Sucuri was the first to identify the afflicted websites, and they detected that compromised sites contained approximately 20,000 files used as part of the search engine spam campaign. Most of the sites were running on WordPress-based platforms.

Researchers believe the hacking group targeted websites in an attempt to generate enough indexed pages to increase their fake Q&A websites’ searchability on popular search engines, leading more people to the hackers’ fake websites instead of the legitimate ones. Once the hacking group’s fake websites gained enough traction on search engines, they could be used as platforms to drop malware or in phishing campaigns. With enough traffic to these various infected pages, it is also possible the hacking group wanted to drive this traffic to conduct ad fraud.

WordPress is a popular target for many hackers, and Sucuri researchers found several PHP files, such as wp-signup.php, wp-cron.php, wp-mail.php and more, which were targeted to inject the redirects to the fake Q&A discussion forums. Sometimes the attackers used random or near-legitimate file names like ‘wp-logln.php’ to try to fool site visitors.
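One way a site owner can check a web root for the near-legitimate file names described above, as an added example that is not from the researchers' report or the original post. The core file list, the edit-distance threshold of 2 and every sample name other than wp-logln.php are assumptions made for illustration.

```python
import os
import tempfile

# PHP files that a stock WordPress install places in the site root.
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php",
}

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def find_lookalikes(site_root, max_distance=2):
    """Return sorted (file, core_name, distance) for root PHP files whose
    name is close to, but not exactly, a WordPress core file name."""
    hits = []
    for name in os.listdir(site_root):
        lower = name.lower()
        if not lower.endswith(".php") or name in CORE_ROOT_FILES:
            continue
        dist, core = min((edit_distance(lower, c), c) for c in CORE_ROOT_FILES)
        if dist <= max_distance:  # threshold is an assumption; tune per site
            hits.append((name, core, dist))
    return sorted(hits)

def demo():
    """Scan a constructed web root; file names are sample data, not IoCs."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("wp-login.php", "wp-cron.php", "wp-logln.php",
                     "wp-crom.php", "contact.php"):
            open(os.path.join(root, name), "w").close()
        return find_lookalikes(root)

if __name__ == "__main__":
    for name, core, dist in demo():
        print(f"{name}: resembles {core} (edit distance {dist})")
```

This check only catches lookalike names. Core files that were modified in place, such as wp-cron.php, keep their legitimate names and have to be compared against known-good copies instead.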

The hackers’ use of Google search click URLs improves the performance metrics of those URLs in the Google index, making the sites appear more popular and increasing their search rankings. Redirecting through Google search click URLs also makes the traffic look more real, potentially fooling some security systems.

Sucuri could not identify how the threat actors breached the websites used for the various redirects. However, it likely happens by exploiting a vulnerable plugin or by brute-force guessing the website’s WordPress admin password. Sucuri recommends that anyone running a WordPress-based website update all plugins and ensure two-factor authentication (2FA) is enabled on admin accounts.

How To Defend Yourself from Fraudulent Websites

There are various tools that you can use to protect yourself when browsing online. You can use various plug-ins that help block infected websites and pop-ups. It’s also good practice to ensure your browser is updated and any anti-virus software is running with the latest updates installed.

Some useful plug-ins that can help you stay protected while browsing the web include:

Ghostery – This is a free, open-source privacy and security browser extension. Ghostery monitors which web servers are being called from web pages and matches them against a library of data collection tools to ensure they are safe.

Ad-Blocker Pro – Ad blockers are popular across many web browsers, and having some form of ad blocking is necessary. This can be Ad-Blocker Pro, uBlock Origin, or the ad blocker of your choice. Ad blockers not only prevent annoying ads from overwhelming your browsing experience, but they may also help prevent infection by blocking potentially infected ads from displaying in your browser.

Web of Trust – This plug-in is an online reputation and internet safety service which shows indicators of trust about the websites the user visits. The confidence level is based both on user ratings and on third-party malware, phishing, scam and spam blacklists.

The above plug-ins are free to use and easily available through many browsers’ web stores. By using secure plug-ins, keeping your browser updated, and running current anti-virus software, you can help increase the overall security of your own computer and that of your team’s.

Natural Networks is a managed IT services provider, and we work to ensure a fully secure environment for the organizations we partner with.  If you want to learn more about how Natural Networks can manage your IT security, give us a call today!