Hackers are running a massive black hat search engine optimization (SEO) campaign that has compromised nearly 15,000 websites. The injected code redirects visitors to fake Q&A discussion forums.
Ben Martin, security analyst at Sucuri, which initially spotted the attacks, reports that each compromised site contains approximately 20,000 files used as part of the spam campaign. Most of the sites are on WordPress.
“It’s a pretty clever black hat SEO trick that we’ve rarely seen used in massive hack campaigns,” Martin wrote in a post. “However, its effect is questionable given that Google will be getting lots of ‘clicks’ on search results without any actual searches being performed.”
The goal of this black hat SEO campaign, in theory, is to generate enough indexed pages to increase the fake Q&A sites' authority so that they rank better in search engines.
“More profits from Google AdSense was most likely the original plan for those Q&A sites — but it turned out that creating sites populated with scraped content from other sites didn’t generate enough traffic,” Martin wrote.
He also provides some advice to mitigate the risk for those who might have found their website a victim of this malware.
Users should perform a core file integrity check as the first step. If they identify any files with this malware, they should query the file system for any other files containing the same injection; there are almost certainly going to be quite a few others.
This malware is frequently paired with others, particularly those found in bogus .htaccess files or spammy .html files, he writes. Search the site’s file system for any recently modified or added files.
If the site has been infected within the past two weeks, users should run this command over SSH, from the site's root directory, to find all files modified within the last 15 days:
$ find . -type f -mtime -15
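The cleanup steps above can be scripted as a set of shell helpers. This is an added example, not code from Sucuri or the original article; the function names, the DOCROOT argument and the MARKER string are assumptions, with MARKER standing for the injected snippet copied from the first infected file found.

```shell
#!/bin/sh
# Added example: triage helpers for the cleanup steps above.
# Assumptions: function names, DOCROOT and MARKER are hypothetical. MARKER is
# the injected snippet copied from the first infected file you identified;
# the article does not publish one.

# Files modified within the last DAYS days (the article's find command,
# parameterized; default 15).
modified_within() {   # usage: modified_within DOCROOT [DAYS]
  find "$1" -type f -mtime "-${2:-15}" -print | sort
}

# Files whose inode changed within DAYS days but whose modification time
# claims to be older. mtime can be set freely with touch; ctime is set by
# the kernel and cannot be set with touch, so a backdated file still shows
# up here. chmod, chown, renames and archive extraction also produce this
# pattern, so treat the output as a review list, not a verdict.
backdated_files() {   # usage: backdated_files DOCROOT [DAYS]
  find "$1" -type f -ctime "-${2:-15}" ! -mtime "-${2:-15}" -print | sort
}

# Every file containing the same injection. -F matches MARKER as a fixed
# string, so brackets, dots and parentheses in obfuscated code are literal.
files_with_injection() {   # usage: files_with_injection DOCROOT MARKER
  grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

# .htaccess and .html files changed (by mtime or ctime) within DAYS days:
# the companion artifacts the article says are often paired with this malware.
recent_companions() {   # usage: recent_companions DOCROOT [DAYS]
  find "$1" -type f \( -name '.htaccess' -o -name '*.html' \) \
    \( -mtime "-${2:-15}" -o -ctime "-${2:-15}" \) -print | sort
}
```

For the core file integrity check itself on a WordPress site, WP-CLI's `wp core verify-checksums` compares core files against the official checksums, assuming WP-CLI is installed on the host.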