Posted on November 24, 2020 at 2:10 PM
A new report has revealed that a malware group has been compromising vulnerable WordPress sites to install hidden e-commerce stores. According to the report, the attackers hijack the site’s original search engine ranking to promote their online scams.
The group also injected thousands of spammy posts into the targets’ XML sitemaps, which lowers the sites’ SERP ranking.
The threat actors send thousands of spammy entries on the site
The attacks, which hit a WordPress honeypot, were discovered earlier this month by Larry Cashdollar, a security researcher on the Akamai security team.
The threat actors brute-forced their way into the site’s admin area. They then overwrote the main index file of the WordPress site, appending malicious code to it.
Although the appended code was heavily obfuscated, the researchers said the main role of the malware was to behave like a proxy. The proxy malware can then send all the traffic to a remote command-and-control (C&C) server controlled by the threat actors.
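Because the proxy stage was appended to the site’s front controller, one defensive check is to compare the live index.php against what a stock WordPress index.php reduces to once comments and whitespace are removed. The script below is an added example (not code from the article or from Akamai) that does exactly that and flags any extra statement, highlighting calls commonly seen in obfuscated PHP droppers; the two sample files are constructed, and the base64 string in the tampered one merely decodes to "hello".

```python
import re

# Statements that a stock WordPress index.php reduces to once comments and
# whitespace are normalised. Both spellings of the require line are accepted
# because older WordPress releases used dirname(__FILE__) rather than __DIR__.
STOCK_INDEX_STATEMENTS = {
    "define('WP_USE_THEMES',true);",
    "require __DIR__.'/wp-blog-header.php';",
    "require(dirname(__FILE__).'/wp-blog-header.php');",
}

# Functions that show up in obfuscated PHP droppers far more often than in a
# front controller; used only to rank findings, not to decide them.
SUSPICIOUS = ("eval", "base64_decode", "gzinflate", "str_rot13", "curl_exec")


def php_statements(src):
    """Strip PHP tags and comments, then split the remainder into statements."""
    src = re.sub(r"<\?php|\?>", " ", src)
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)        # block comments
    src = re.sub(r"(?m)^\s*(//|#).*$", " ", src)             # full-line comments
    src = re.sub(r"\s+", " ", src)                           # collapse whitespace
    src = re.sub(r"\s*([(),.;])\s*", r"\1", src)             # no padding around punctuation
    return [s.strip() + ";" for s in src.split(";") if s.strip()]


def audit_index_php(src):
    """Report statements that are not part of a stock index.php."""
    unexpected = [s for s in php_statements(src) if s not in STOCK_INDEX_STATEMENTS]
    findings = []
    for stmt in unexpected:
        hits = [fn for fn in SUSPICIOUS if re.search(r"\b%s\s*\(" % fn, stmt)]
        findings.append({"statement": stmt, "suspicious_calls": hits})
    return {"tampered": bool(unexpected), "findings": findings}


# Constructed samples: a stock front controller, and the same file with an
# appended eval/base64 stage of the kind the article describes (harmless here).
STOCK_INDEX = """<?php
/**
 * Front to the WordPress application.
 * @package WordPress
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
"""
TAMPERED_INDEX = STOCK_INDEX + "$x = 'aGVsbG8=';\n@eval(base64_decode($x));\n"

if __name__ == "__main__":
    for name, src in (("stock", STOCK_INDEX), ("tampered", TAMPERED_INDEX)):
        print(name, audit_index_php(src))
```

A hash comparison against the WordPress release archive is stricter, but this statement-level check still works when the file was legitimately reformatted or carries a customised header comment.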
According to Cashdollar, the whole ‘business logic’ of the attacks was carried out on the server.
He also described how the group carried out the attack.
The first step is a user visiting the already-compromised WordPress site. When the user requests a page, the hacked site forwards the request to the malware’s C&C server.
The C&C server checks whether the user meets certain criteria before instructing the site to reply with an HTML file. That HTML file contains an online store selling a wide range of mundane goods.
The hacked WordPress site thus answers the user’s request with a scam online store rather than the page the user actually asked for.
Cashdollar also revealed that while the attackers controlled the honeypot, they maintained over 7,000 e-commerce stores, which they planned to serve to incoming visitors.
Additionally, the researchers revealed that the group generated an XML sitemap for each compromised WordPress site. The sitemap lists all of the fake online stores alongside the site’s original pages. This is what makes the scheme so potent: the attackers have full control of the compromised WordPress sites.
The attack may look harmless but has a serious negative impact
The threat actors created the sitemaps and submitted them to Google’s search engine. To stay under the radar and avoid detection, they then deleted the sitemap.
Although the technique seems harmless, it has a massive effect on the WordPress site, because it poisons the original site’s keywords with spammy and unrelated entries, which ultimately lowers the site’s search engine results page (SERP) ranking.
Attackers engage in an SEO ransom scheme
According to Cashdollar, this type of malware may also be used for SEO ransom schemes. For instance, the threat actors could deliberately poison a site’s SERP ranking and then demand that the victim pay a certain amount of money to have the effects reverted.
“This makes them a low-barrier attack for criminals to pull off, as they only need a few compromised hosts to get started,” Cashdollar reiterated.
He also pointed out that there are several thousand idle WordPress installations online, with millions more running weak credentials or outdated plug-ins. This is a massive pool of potential victims for threat actors who want to attack WordPress sites.
According to Cashdollar, most of these sites have been abandoned for a long time, and their vulnerability makes them easy targets. The attackers turn these sites into profitable assets for their hacking activities.