Recently, new malware built for SEO injection was found targeting WordPress web sites. Read on to know more about it…
WordPress sites have recently been targeted by clever SEO injection malware. The malware loads a web page with spammy links, redirects and ad keywords without the site owner's knowledge, and it has evaded detection with an innovative approach: it appends itself in an unusual place in the back-end code of a WordPress site. Researchers at Sucuri have seen the malware crop up on two unrelated sites recently, targeting both English- and Korean-speaking searchers who are looking for various "free" downloads.
After detailed analysis, the researchers at Sucuri found that the malware has two functions. First, it adds hidden links for indexing by search engines, a practice that usually violates search engine terms of service and can get the web site blacklisted; second, it redirects site visitors to spam content. The latter function is more advanced than usual, because it only redirects unregistered web site users (presumably one-time visitors who would not flag the issue to the webmaster), and it sends them to particular pages based on their profile. The malware does its best to obfuscate the SEO injection in WordPress and evade notice from web admins.
“What’s clever about this particular piece of malware is how it stores the spam content on the site and how it operates to inject the content into the original response sent by WordPress,” said Pedro Peixoto, a researcher at Sucuri, in a blog post.
Researchers have found two specific samples in the wild, and the malware has been installed on 173 distinct sites. “Hacked sites affected by this kind of black hat SEO campaign can get links from around a thousand sites overnight,” said Peixoto.
A Sophisticated Approach
Typically, SEO injection involves either injecting HTML code for concealed elements into theme files or injecting fake spam posts into the WordPress database, according to Sucuri. In both cases the injection is simple to uncover with either a file search or a keyword search within WordPress.
“Infections are usually found via a simple file search for the terms attackers inject on the page,” the researchers explained in a Monday posting. “Did you find SEO spam for luxury handbags on your site? Search your files for that term and bang, there it is.” From there, site owners can simply delete the rogue content and then submit the site for blacklist review/SEO reindexing.
In this case, the malware creates a special repository in the site’s database to store the spam content and information about logged-in visitors. Rather than uploading spam posts through the normal dashboard, it stores them in tables that use a different prefix from legitimate WordPress content, so the posts never load or show up on the site’s admin dashboard. This is also why the usual file search for the spam keywords finds nothing: the spam is not in any file.
To clean up such SEO spam, site owners need to find and remove the malicious code from the theme’s functions.php, Sucuri noted; then find and remove the themes_css option, which may have been given a random name; and finally check the WordPress database for tables with unknown prefixes such as backupdb_wp_, backupdb_wp_posts and backupdb_wp_lstat. As with any cleanup that drops tables or options, take a database backup first and review each finding before deleting it.
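The indicators and cleanup steps above can be checked offline against a database dump and the theme's functions.php. The script below is an added example, not Sucuri's tooling or the malware's code: it flags tables that do not carry the site's legitimate prefix, flags rows of the options table that match the reported option name or point at one of those rogue tables, scans functions.php for lines that look injected, and emits the SQL a site owner would review before running. The prefix wp_, the option name themes_css, the heuristic code signatures and the embedded sample dump and functions.php are all constructed assumptions for illustration.

```python
"""Offline audit for the SEO-injection indicators described above (added example)."""
from __future__ import annotations

import re

# --- assumptions, not facts from the article: adjust to your own site ---
LEGIT_PREFIX = "wp_"              # $table_prefix from wp-config.php
SUSPECT_OPTIONS = {"themes_css"}  # option name Sucuri reported; it may be randomised
# Heuristic signatures for injected PHP. They are generic, not the malware's literal code.
CODE_SIGNATURES = {
    "obfuscated execution": re.compile(r"\b(eval|assert|create_function)\s*\(|base64_decode\s*\("),
    "visitor-only redirect": re.compile(r"!\s*is_user_logged_in\s*\(.*?(wp_redirect|header\s*\(\s*['\"]Location)"),
}

# mysqldump layout: one CREATE TABLE / INSERT statement per line
CREATE_TABLE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?", re.I)
OPTION_ROW_RE = re.compile(r"\(\d+,\s*'([^']*)',\s*'((?:[^'\\]|\\.)*)',\s*'(?:yes|no)'\)")

# Constructed sample dump: two legitimate tables, two rogue ones, one suspicious option row.
SAMPLE_DUMP = r"""
CREATE TABLE `wp_posts` (`ID` bigint(20) NOT NULL);
CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL);
CREATE TABLE `backupdb_wp_posts` (`ID` bigint(20) NOT NULL);
CREATE TABLE `backupdb_wp_lstat` (`ip` varchar(64) NOT NULL);
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(2,'themes_css','a:1:{s:5:\"table\";s:17:\"backupdb_wp_posts\";}','yes');
"""

# Constructed sample functions.php: legitimate theme code followed by a stand-in injection
# that only acts on visitors who are not logged in and reads its payload from the database.
SAMPLE_FUNCTIONS_PHP = """<?php
// legitimate theme code
function mytheme_styles() { wp_enqueue_style('main', get_stylesheet_uri()); }
add_action('wp_enqueue_scripts', 'mytheme_styles');
// constructed stand-in for the appended injection: spam lives in the DB, not in the file
if (!is_user_logged_in()) { $c = get_option('themes_css'); wp_redirect(base64_decode($c['to'])); exit; }
"""


def unknown_tables(dump_sql: str, prefix: str = LEGIT_PREFIX) -> list[str]:
    """Tables in the dump whose name does not start with the legitimate prefix."""
    names = CREATE_TABLE_RE.findall(dump_sql)
    return sorted({n for n in names if not n.startswith(prefix)})


def suspect_options(dump_sql: str, tables: list[str], prefix: str = LEGIT_PREFIX) -> list[tuple[str, str]]:
    """Rows of {prefix}options named like the reported option or referencing a rogue table."""
    rows = []
    for line in dump_sql.splitlines():
        if not line.lstrip().startswith(f"INSERT INTO `{prefix}options`"):
            continue
        for name, value in OPTION_ROW_RE.findall(line):
            if name in SUSPECT_OPTIONS or any(t in value for t in tables):
                rows.append((name, value))
    return rows


def scan_functions_php(src: str, tables: list[str]) -> list[tuple[int, str]]:
    """(line number, reason) pairs for lines of functions.php that look injected (line-based heuristics)."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        reasons = [why for why, rx in CODE_SIGNATURES.items() if rx.search(line)]
        reasons += [f"references option {o}" for o in SUSPECT_OPTIONS if o in line]
        reasons += [f"references rogue table {t}" for t in tables if t in line]
        hits.extend((lineno, why) for why in reasons)
    return hits


def cleanup_sql(tables: list[str], options: list[tuple[str, str]], prefix: str = LEGIT_PREFIX) -> list[str]:
    """SQL to run only after reviewing the findings and taking a backup; nothing is executed here."""
    stmts = [f"DROP TABLE `{t}`;" for t in tables]
    for name in dict.fromkeys(n for n, _ in options):
        stmts.append(f"DELETE FROM `{prefix}options` WHERE option_name = '{name}';")
    return stmts


if __name__ == "__main__":
    rogue = unknown_tables(SAMPLE_DUMP)
    opts = suspect_options(SAMPLE_DUMP, rogue)
    print("rogue tables:", rogue)
    print("suspect options:", [n for n, _ in opts])
    for lineno, why in scan_functions_php(SAMPLE_FUNCTIONS_PHP, rogue):
        print(f"functions.php:{lineno}: {why}")
    print("\n".join(cleanup_sql(rogue, opts)))
```

On a real site, feed it the output of `mysqldump` (or `wp db export`) and the active theme's functions.php; the signatures are deliberately coarse, so treat each hit as something to read, not something to delete automatically, and remember that the option name may differ from themes_css.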