A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores with the purpose of hijacking the original site's search engine ranking and reputation and promote online scams.
The attacks were discovered earlier this month targeting a WordPress honeypot set up and managed by Larry Cashdollar, a security researcher for the Akamai security team.
The attackers leveraged brute-force attacks to gain access to the site's admin account, after which they overwrote the WordPress site's main index file and appended malicious code.
While the code was heavily obfuscated, Cashdollar said the malware's primary role was to act as a proxy and redirect all incoming traffic to a remote command-and-control (C&C) server managed by the hackers.
It was on this server where the entire "business logic" of the attacks took place. According to Cashdollar, a typical attack would go as follows:
- User visits hacked WordPress site.
- The hacked WordPress site redirects the user's request to view the site to the malware's C&C server.
- If a user meets certain criteria, the C&C server tells the site to reply with an HTML file containing an online store peddling a wide variety of mundane objects.
- The hacked site responds to the user's request with a scammy online store instead of the original site the user wanted to view.
Cashdollar said that during the time the hackers had access to his honeypot, the attackers hosted more than 7,000 e-commerce stores that they intended to serve to incoming visitors.
Intruders poisoned the site's XML sitemap
In addition, the Akamai researchers said the hackers also generated XML sitemaps for the hacked WordPress sites that contained entries for the fake online stores together with the site's authentic pages.
The attackers generated the sitemaps, submitted them to Google's search engine, and then deleted the sitemap to avoid detection.
While this procedure looked pretty harmless, it actually had a pretty big impact on the WordPress site because it ended up poisoning its keywords with unrelated and scammy entries that lowered the website's search engine results page (SERP) ranking.
Cashdollar now believes that this kind of malware could be used for SEO extortion schemes — where criminal groups intentionally poison a site's SERP ranking and then ask for a ransom to revert the effects.
"This makes them a low-barrier attack for criminals to pull off, as they only need a few compromised hosts to get started," Cashdollar said. "Given that there are hundreds of thousands of abandoned WordPress installations online, and millions more with outdated plug-ins or weak credentials, the potential victim pool is massive."