
According to researchers, nearly 11,000 websites have been infected with a backdoor in recent months, redirecting visitors to sites that fraudulently display ads served by Google Adsense.
All 10,890 compromised sites discovered by security firm Sucuri run the WordPress content management system, with obfuscated PHP scripts inserted into legitimate files that power the website. Such files include “index.php”, “wp-signup.php”, “wp-activate.php” and “wp-cron.php”. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional code injected acts as a backdoor and is designed to make the malware resistant to removal attempts by loading itself into a file that is executed each time the targeted server is rebooted.
“These backdoors download additional shell and leaf PHP mailer scripts from the remote domain’s file stack.[.]It places files with random names in the wp-includes, wp-admin and wp-content directories,” writes Sucuri researcher Ben Martin. “Since the additional malware injection is inside the wp-blog-header.php file, it will be executed every time the website is loaded and will re-infect the website. It leaves the environment infected.”
mean and determined
This malware takes pains to hide its presence from operators. Redirection is broken if the visitor is logged in as an administrator, or if she has visited an infected site within the last 2 hours or 6 hours. As mentioned, the malicious code is also obfuscated using her Base64 encoding.

When the code is converted to plain text, it looks like this:

juice
Similarly, the backdoor code that backdoors the site by ensuring reinfection looks like this when obfuscated:

When decoded, it looks like this:

juice
Massive website infections have been going on since at least September. In a post published in November that first warned people about the campaign, Martin warned:
“At this time, we have not observed any malicious behavior on these landing pages. There is likely to be.”
For now, the overall goal of the campaign seems to be to generate organic-looking traffic to websites containing Google Adsense ads.
| of[.]Rafa Fedopo[.]Com | ca-pub-8594790428066018 |
| plus[.]cr halal[.]Com | as-pub-3135644639015474 |
| formula[.]Yomit[.]Com | ca-pub-4083281510971702 |
| news[.]Ishshrat[.]Com | ca-pub-6439952037681188 |
| of[.]first goal[.]Com | ca-pub-5119020707824427 |
| we[.]aly2um[.]Com | ca-pub-8128055623790566 |
| Bitcoin[.]latest article[.]Com | as-pub-4205231472305856 |
| listen[.]Elbaba[.]Com | as-pub-1124263613222640 as-pub-1440562457773158 |
Redirects are done by Google and Bing search to avoid detection from network security tools and to make the visit look organic (that is, from a real person who is actively viewing the page). increase.

juice
Our final destination is mostly Q&A sites discussing Bitcoin and other cryptocurrencies. If the redirected browser visits one of the sites, the scammer will succeed. Martin explained:
Basically, website owners place Google-approved ads on their websites and get paid for impressions and clicks. It doesn’t matter where those views or clicks come from, as long as it gives people who are paying to see your ad the impression that they are actually being seen.
Of course, due to the low-quality nature of the websites associated with this infection, organic traffic is basically not generated, so the only way traffic can be pumped is through malicious means.
In other words, unwanted redirects to fake Q&A sites via fake short URLs increase ad impressions, clicks, and revenue for the people behind this campaign. This is one of the very large and ongoing campaigns of organized ad revenue fraud.
According to Google AdSense documentation, this behavior is unacceptable and publishers must not place Google-served ads on pages that violate Google Web Search’s spam policy.
Google representatives did not respond to emails asking if Martin planned to delete the Adsense accounts he identified or if they planned to find other avenues to crack down on the scam.
It is not clear how the site got infected in the first place. In general, the most common way to infect WordPress sites is by exploiting vulnerable plugins running on your site. Martin said Sucuri has not identified any buggy plugins running on infected sites, but the exploit simplifies its ability to find various vulnerabilities that sites may have. also pointed out that kits exist.
Sucuri’s post includes instructions for website administrators to detect and remove the infection. End-her users who find themselves redirected to one of these scam sites should close the tab and do not click on any content.