~11,000 sites have been infected with malware that’s good at avoiding detection

A gloved hand operates a laptop with a skull and crossbones on the display.

According to researchers, nearly 11,000 websites have been infected with a backdoor in recent months, redirecting visitors to sites that fraudulently display ads served by Google Adsense.

All 10,890 compromised sites discovered by security firm Sucuri run the WordPress content management system, with obfuscated PHP scripts inserted into legitimate files that power the website. Such files include “index.php”, “wp-signup.php”, “wp-activate.php” and “wp-cron.php”. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional code injected acts as a backdoor and is designed to make the malware resistant to removal attempts by loading itself into a file that is executed each time the targeted server is rebooted.

“These backdoors download additional shell and leaf PHP mailer scripts from the remote domain’s file stack.[.]It places files with random names in the wp-includes, wp-admin and wp-content directories,” writes Sucuri researcher Ben Martin. “Since the additional malware injection is inside the wp-blog-header.php file, it will be executed every time the website is loaded and will re-infect the website. It leaves the environment infected.”

mean and determined

This malware takes pains to hide its presence from operators. Redirection is broken if the visitor is logged in as an administrator, or if she has visited an infected site within the last 2 hours or 6 hours. As mentioned, the malicious code is also obfuscated using her Base64 encoding.

When the code is converted to plain text, it looks like this:

Same code when decoded.
Expanding / Same code when decoded.

juice

Similarly, the backdoor code that backdoors the site by ensuring reinfection looks like this when obfuscated:

Backdoor PHP code encoded in base64.
Expanding / Backdoor PHP code encoded in base64.

When decoded, it looks like this:

PHP backdoor when decoding.
Expanding / PHP backdoor when decoding.

juice

Massive website infections have been going on since at least September. In a post published in November that first warned people about the campaign, Martin warned:

“At this time, we have not observed any malicious behavior on these landing pages. There is likely to be.”

For now, the overall goal of the campaign seems to be to generate organic-looking traffic to websites containing Google Adsense ads.

of[.]Rafa Fedopo[.]Com ca-pub-8594790428066018
plus[.]cr halal[.]Com as-pub-3135644639015474
formula[.]Yomit[.]Com ca-pub-4083281510971702
news[.]Ishshrat[.]Com ca-pub-6439952037681188
of[.]first goal[.]Com ca-pub-5119020707824427
we[.]aly2um[.]Com ca-pub-8128055623790566
Bitcoin[.]latest article[.]Com as-pub-4205231472305856
listen[.]Elbaba[.]Com as-pub-1124263613222640
as-pub-1440562457773158

Redirects are done by Google and Bing search to avoid detection from network security tools and to make the visit look organic (that is, from a real person who is actively viewing the page). increase.

Page source indicating that the redirect is coming through Google Search.
Expanding / Page source indicating that the redirect is coming through Google Search.

juice

Our final destination is mostly Q&A sites discussing Bitcoin and other cryptocurrencies. If the redirected browser visits one of the sites, the scammer will succeed. Martin explained:

Basically, website owners place Google-approved ads on their websites and get paid for impressions and clicks. It doesn’t matter where those views or clicks come from, as long as it gives people who are paying to see your ad the impression that they are actually being seen.

Of course, due to the low-quality nature of the websites associated with this infection, organic traffic is basically not generated, so the only way traffic can be pumped is through malicious means.

In other words, unwanted redirects to fake Q&A sites via fake short URLs increase ad impressions, clicks, and revenue for the people behind this campaign. This is one of the very large and ongoing campaigns of organized ad revenue fraud.

According to Google AdSense documentation, this behavior is unacceptable and publishers must not place Google-served ads on pages that violate Google Web Search’s spam policy.

Google representatives did not respond to emails asking if Martin planned to delete the Adsense accounts he identified or if they planned to find other avenues to crack down on the scam.

It is not clear how the site got infected in the first place. In general, the most common way to infect WordPress sites is by exploiting vulnerable plugins running on your site. Martin said Sucuri has not identified any buggy plugins running on infected sites, but the exploit simplifies its ability to find various vulnerabilities that sites may have. also pointed out that kits exist.

Sucuri’s post includes instructions for website administrators to detect and remove the infection. End-her users who find themselves redirected to one of these scam sites should close the tab and do not click on any content.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *