Your Ranking Just Became a Target
A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores, with the purpose of hijacking the original site’s search engine ranking and reputation and promoting online scams.
Like many of you, I’m a small business and invest a lot in my online presence. I use all the proper and tested security features available to me. But this is something ingenious. It’s not ransomware per se, it’s ransomware+.
And it goes like this:
The attackers leveraged brute-force attacks to gain access to the site’s admin account, after which they overwrote the WordPress site’s main index file and appended malicious code.
While the code was heavily obfuscated, Cashdollar said the malware’s primary role was to act as a proxy and redirect all incoming traffic to a remote command-and-control (C&C) server managed by the hackers.
It was on this server where the entire “business logic” of the attacks took place. According to Cashdollar, a typical attack would go as follows:
- User visits hacked WordPress site.
- The hacked WordPress site redirects the user’s request to view the site to the malware’s C&C server.
- If a user meets certain criteria, the C&C server tells the site to reply with an HTML file containing an online store peddling a wide variety of mundane objects.
- The hacked site responds to the user’s request with a scammy online store instead of the original site the user wanted to view.
Wait, It Gets Worse
In addition, the Akamai researchers said the hackers also generated XML sitemaps for the hacked WordPress sites that contained entries for the fake online stores together with the site’s authentic pages.
The attackers generated the sitemaps, submitted them to Google’s search engine, and then deleted the sitemap to avoid detection.
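Two defender-side checks that follow from the flow above and from the sitemap trick: flag obfuscation and proxy markers appended to a WordPress index.php, and flag sitemap entries the site never published. This is an added example, not Akamai’s or the article’s code; the marker list, the sample index.php bodies and the sample sitemap are all constructed here.

```python
"""Offline checks for the two tampering signs described above: an injected
WordPress index.php and a sitemap padded with URLs the site never published.
All inputs are constructed in-line so the script runs without network access."""
import re
import xml.etree.ElementTree as ET

# Markers typical of obfuscated PHP loaders. Assumption: a pristine index.php
# only defines WP_USE_THEMES and requires wp-blog-header.php, so any of
# these appearing in it deserves a look. (Constructed list, not exhaustive.)
SUSPICIOUS = {
    "eval": r"\beval\s*\(",
    "base64_decode": r"base64_decode\s*\(",
    "gzinflate": r"gzinflate\s*\(",
    "str_rot13": r"str_rot13\s*\(",
    "hex_escapes": r"\\x[0-9a-fA-F]{2}",
    "curl_exec": r"curl_exec\s*\(",
}

def index_php_findings(php_source: str) -> list[str]:
    """Return the labels of suspicious markers found in an index.php body."""
    return [name for name, pat in SUSPICIOUS.items() if re.search(pat, php_source)]

def unknown_sitemap_urls(sitemap_xml: str, known_urls: set[str]) -> list[str]:
    """Return <loc> entries that are not among the site's own permalinks,
    e.g. injected fake-store pages slipped in beside the authentic ones."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(sitemap_xml)
    locs = [el.text.strip() for el in root.findall("sm:url/sm:loc", ns) if el.text]
    return [u for u in locs if u not in known_urls]

# Constructed samples: a clean index.php and one with an appended loader stub.
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
TAMPERED_INDEX = CLEAN_INDEX + "eval(base64_decode('aGVsbG8='));\n"  # constructed stub, decodes to 'hello'

# Constructed sample sitemap: two real pages plus two injected store URLs.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about/</loc></url>
  <url><loc>https://example.com/shop/cheap-garden-hose-2938/</loc></url>
  <url><loc>https://example.com/shop/discount-bath-mat-1172/</loc></url>
</urlset>"""
KNOWN_URLS = {"https://example.com/", "https://example.com/about/"}

if __name__ == "__main__":
    print("index.php markers:", index_php_findings(TAMPERED_INDEX))
    print("unknown sitemap URLs:", unknown_sitemap_urls(SAMPLE_SITEMAP, KNOWN_URLS))
```

In practice the known-URL set comes from the site's own permalink list, and the sitemap to audit is the one Search Console shows as submitted, since the attackers delete their copy from the server.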
[Cashdollar] now believes that this kind of malware could be used for SEO extortion schemes — where criminal groups intentionally poison a site’s SERP ranking and then ask for a ransom to revert the effects.
“This makes them a low-barrier attack for criminals to pull off, as they only need a few compromised hosts to get started,” Cashdollar said. “Given that there are hundreds of thousands of abandoned WordPress installations online, and millions more with outdated plug-ins or weak credentials, the potential victim pool is massive.”