Massive AdSense Fraud Campaign Uncovered

February 14, 2023 | Rabbi Lakshmanan | Ad Fraud / Online Security

Infected WordPress site

The attackers behind a black hat redirect malware campaign have scaled it up to infect over 10,800 websites, using over 70 fake domains that mimic URL shortening services.

“The primary goal is an ad scam to generate revenue by artificially inflating traffic to pages containing AdSense IDs, including Google Ads,” Sucuri researcher Ben Martin said in a report published last week.

Details of the malicious activity were first made public by the GoDaddy-owned company in November 2022.

The campaign, which is said to have been active since last September, is designed to redirect visitors of compromised WordPress sites to fake Q&A portals. The purpose appears to be to increase the authority of spam sites in search engine results.

Sucuri said at the time, “These bad guys were probably just trying to convince Google that real people from different IPs, using different browsers, were clicking on search results. This technique artificially sends a signal to Google that these pages are performing well in search.”

Bing search result links and Twitter’s link shortening service (t[.]co) were included in the redirects along with Google, indicating a growing attacker footprint.


The campaign also uses fake short URL domains that masquerade as common URL shorteners such as Bitly, Cuttly, and ShortURL but actually direct visitors to sketchy Q&A sites.

According to Sucuri, the redirects landed on Q&A sites discussing blockchain and cryptocurrencies, whose URL domains are now hosted at DDoS-Guard. DDoS-Guard is a Russian internet infrastructure provider that has come under scrutiny for providing bulletproof hosting services.

“Unnecessary redirects to fake Q&A sites via fake short URLs increase ad impressions, clicks, and revenue for the people behind this campaign,” Martin explained. “This is one very large and ongoing campaign of coordinated ad revenue fraud.”

It is not known exactly how the WordPress sites get infected in the first place. However, once a website is compromised, the attackers inject backdoor PHP code that allows persistent remote access and redirects site visitors.

“Since the additional malware injection is in the wp-blog-header.php file, it will be executed every time the website is loaded, re-infecting the website,” said Martin. “This will leave the environment infected until all traces of malware are dealt with.”
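Because the injection sits in a core file such as wp-blog-header.php, comparing core files against a trusted manifest is one way to find every modified or stray file before cleanup. The sketch below is an added example, not code from Sucuri or this article; `audit_core`, `file_md5`, and `demo` are hypothetical names, and the manifest is assumed to be built from a clean copy of the same WordPress release.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SKIP_DIRS = {"wp-content"}  # themes, plugins, uploads: not covered by a core manifest
SKIP_FILES = {"wp-config.php", ".htaccess"}  # site-specific files (assumption)

def file_md5(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit_core(wp_root, manifest):
    """Compare files under wp_root with a trusted {relative_path: md5} manifest."""
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, dirnames, filenames in os.walk(wp_root):
        if dirpath == wp_root:
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
            if rel in SKIP_FILES:
                continue
            seen.add(rel)
            if rel not in manifest:
                if rel.endswith(".php"):  # PHP code the release never shipped
                    report["unexpected"].append(rel)
            elif file_md5(full) != manifest[rel]:
                report["modified"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {key: sorted(paths) for key, paths in report.items()}

def demo():
    """Audit a constructed, deliberately tampered site tree (sample data only)."""
    clean = {"wp-blog-header.php": b"<?php // constructed clean loader\n",
             "wp-includes/version.php": b"<?php // constructed version file\n"}
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # Constructed tampering: bytes appended to the loader, plus a stray PHP file.
        (root / "wp-blog-header.php").write_bytes(clean["wp-blog-header.php"] + b"// extra\n")
        (root / "wp-includes" / "extra.php").write_bytes(b"<?php // constructed stray file\n")
        return audit_core(str(root), manifest)

if __name__ == "__main__":
    print(demo())
```

Anything reported as modified or unexpected should be replaced from the clean release or removed in the same pass, since a single remaining injected file is enough to reinfect the site.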
