Akamai researcher Larry Cashdollar discovered a hacker group that is using hacked WordPress sites in a very interesting way. Firstly, the hackers run fraudulent online stores on top of these resources. Secondly, they poison the sites' XML sitemaps to influence search results.
The attackers use brute-force attacks to gain access to the site administrator account, after which they overwrite the main index file of the WordPress site and add malicious code to it.
Although this code was heavily obfuscated, Cashdollar writes that the main role of the malware was to act as a proxy and redirect all incoming traffic from the hacked site to a remote server run by the criminals. It was on this server that the most interesting things happened. A typical attack looked like this:
- the user visits the hacked WordPress site;
- the hacked site redirects the user's request to the malware control server;
- if the user meets certain criteria, the hacker's server tells the site to respond to the visitor with an HTML file containing a fraudulent online store selling a wide range of goods;
- the hacked site responds to the user's request by showing the fraudulent store instead of the original site the user intended to view.
According to the expert, by the time the hackers reached his decoy server, they had already launched over 7,000 of these fake stores.
In addition, the hackers generated XML sitemaps for the hacked resources that listed the fraudulent online store pages alongside the site's authentic pages. The attackers created such sitemaps, "fed" them to the Google search engine, and then removed them from the sites to avoid detection.
Although this procedure looks harmless, it actually had a serious impact on the affected sites: in the end, such poisoned sitemaps significantly reduced the sites' rankings in search results. According to Cashdollar, such malware can be used for SEO-related extortion. For example, criminals deliberately lower a site's ranking in search results and then demand a ransom from its owners to eliminate the consequences of the attack and "return everything as it was."
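A defender-side check for the sitemap poisoning described above, added here as an example and not code from Akamai's write-up: parse a site's XML sitemap and flag every entry whose host or path is not in the owner's list of genuine pages. The sitemap, the host name and the known-page list are constructed for the example.

```python
"""Flag sitemap entries that do not correspond to known site pages."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sample: two genuine pages plus two injected storefront URLs
# of the kind a poisoned sitemap would contain.
SAMPLE_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about/</loc></url>
  <url><loc>https://example.com/shop/cheap-sneakers-sale</loc></url>
  <url><loc>https://example.com/product/designer-bags-outlet</loc></url>
</urlset>"""

# Paths the site owner knows to be genuine, e.g. exported from the CMS.
# Constructed for the example.
KNOWN_PATHS = {"/", "/about/"}
SITE_HOST = "example.com"


def sitemap_locs(xml_bytes):
    """Return every <loc> URL in a sitemap urlset, in document order."""
    root = ET.fromstring(xml_bytes)
    return [
        loc.text.strip()
        for loc in root.findall("sm:url/sm:loc", SITEMAP_NS)
        if loc.text
    ]


def suspicious_entries(xml_bytes, known_paths, site_host):
    """Return (url, reason) pairs for entries a site owner did not publish."""
    flagged = []
    for loc in sitemap_locs(xml_bytes):
        parsed = urlparse(loc)
        if parsed.netloc != site_host:
            flagged.append((loc, "foreign host"))
        elif parsed.path not in known_paths:
            flagged.append((loc, "path not in known page list"))
    return flagged


if __name__ == "__main__":
    for url, reason in suspicious_entries(SAMPLE_SITEMAP, KNOWN_PATHS, SITE_HOST):
        print(f"SUSPICIOUS {url}: {reason}")
```

Run against the sitemap Google last fetched for the site (the Search Console report) rather than the file currently on disk, since the attackers removed the file after submission.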