SEO Scammers Distribute Malware via WordPress Sites: Akamai

essidsolutions

Cybercriminals are always looking for new ways to launch attacks, and with more businesses going online, WordPress sites have become an attractive target. Akamai security researchers found that attackers are planting malware on legitimate WordPress sites that serves visitors a fake e-commerce storefront and also manipulates the site's search engine rankings.

A security researcher at Akamai, the content delivery network (CDN) and cloud security provider, has found that attackers are compromising WordPress sites to manipulate search engine optimization (SEO) rankings and to host fake e-commerce stores.

This relatively new attack pattern trades on the compromised site's reputation to scam unsuspecting consumers and steal user credentials.

Describing the WordPress malware, Larry Cashdollar, Senior Security Response Engineer at Akamai, said that once the attackers had obtained administrator access to the site, they overwrote the index.php file, appending malicious code with specific functionality. The attackers deliberately obfuscated this code to throw off researchers and extend the attack's lifetime.

Cashdollar obtained an unobfuscated copy of the malware source code after what he describes as a 'lengthy deobfuscation mission'. He found that every incoming request to an infected site is forwarded to a command-and-control (C2) server operated by the attackers.

Cashdollar’s analysis of the malware captures the attack/traffic workflow in the following four steps:

Malware Traffic Flows

Source: Akamai

  1. An unsuspecting web user requests a page on an infected WordPress site through a browser.
  2. The injected malware (obfuscated code in this instance) forwards the request to the C2 server, which determines whether the request came from a human user or a bot.
  3. If the request was indeed made by a human, the C2 server returns HTML for a fake online (e-commerce) storefront selling several 'common, everyday items'.
  4. The malware then serves that HTML to the user's browser.

Malware Interaction with C2

Source: Akamai

In the graphic above, the first arrow points to where the code checks whether the string 'nobotuseragent' has been received from the C2. This is the bot check, and it matters because the criminals want to avoid bots and show the scam only to real humans.
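The flow in the four steps above and the 'nobotuseragent' check can be modelled in a few lines, which also gives a practical way to test a site for it. The following is an added example written for this page; it is not Akamai's code or the malware's own. The article does not say how the C2 tells humans from bots, so the model below keys on the User-Agent header (an assumption suggested by the marker's name), and the crawler list, the storefront HTML, the reply protocol and the fallback of serving the original page to bots are all constructed for the example.

```python
"""
Added example (not Akamai's or the malware's code): a model of the
C2-gated storefront cloaking described in the article, plus a check
that requests the same page as a browser and as a crawler and flags
a difference. Everything about the C2 protocol below is assumed.
"""
import re

# Assumed: substrings the modelled C2 treats as "bot" in a User-Agent.
BOT_UA_PATTERNS = re.compile(
    r"googlebot|bingbot|slurp|duckduckbot|baiduspider|yandex|crawler|spider|bot/",
    re.IGNORECASE,
)

# Constructed page bodies: what the real site serves, and the scam storefront.
ORIGINAL_PAGE = "<html><body><h1>Example Blog</h1><p>Latest posts...</p></body></html>"
FAKE_STOREFRONT = (
    "<html><body><h1>Everyday Items Outlet</h1>"
    "<form action='/checkout'>...</form></body></html>"
)


def c2_decide(headers):
    """Model of the C2 reply: the 'nobotuseragent' marker for bots,
    storefront HTML for humans (assumed protocol, keyed on User-Agent)."""
    ua = headers.get("User-Agent", "")
    if not ua or BOT_UA_PATTERNS.search(ua):
        return "nobotuseragent"
    return FAKE_STOREFRONT


def infected_index(headers):
    """Model of the injected index.php: forward the request to the C2 and
    serve whatever HTML comes back, unless the C2 says the visitor is a bot.
    Serving the original page to bots is an assumption; the article only
    states that bots are not shown the storefront."""
    reply = c2_decide(headers)
    if reply == "nobotuseragent":
        return ORIGINAL_PAGE
    return reply


def _title(html):
    m = re.search(r"<h1>(.*?)</h1>", html)
    return m.group(1) if m else None


def detect_cloaking(fetch, human_ua, crawler_ua):
    """Fetch the same page with a browser User-Agent and with a crawler
    User-Agent. A different body is the signature of this kind of cloaking.
    `fetch(headers)` returns the body, so this runs offline against
    infected_index() and online when wrapped around an HTTP client."""
    human_body = fetch({"User-Agent": human_ua})
    crawler_body = fetch({"User-Agent": crawler_ua})
    return {
        "cloaked": human_body != crawler_body,
        "human_title": _title(human_body),
        "crawler_title": _title(crawler_body),
    }


if __name__ == "__main__":
    result = detect_cloaking(
        infected_index,
        "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
        "Mozilla/5.0 (compatible; Googlebot/2.1)",
    )
    print(result)
```

When run against a live site, compare something more stable than the raw body (the visible text, or the set of links) so that legitimate per-client variation such as cache headers or mobile layouts does not produce false positives; a page whose main heading and links change with the User-Agent is the case worth pulling index.php for.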


The attackers also altered the site's search engine results page (SERP) ranking by submitting new sitemaps to Google for indexing. The malware generates XML sitemap files through its 'put' and 'del' commands and submits them to Google with its 'ping' command, alongside the original WordPress sitemap.

Two things happen here: the attackers expand the reach of the scam through Google indexing, and the WordPress site's own SERP ranking plummets.
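Because the injected sitemaps list pages that WordPress itself never created, a site owner can audit the sitemap tree against the CMS's own list of content. The script below is an added example written for this page, not Akamai's or the malware's code. The file names, the URLs and the list of known paths are constructed; the real malware's sitemap names and URL shapes are not published.

```python
"""
Added example (not Akamai's or the malware's code): walk a site's sitemap
index and flag every <loc> that WordPress does not account for, i.e.
entries that point at another host or at a path the CMS never generated.
All sitemap documents and the known-path list below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SM = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
SITE_HOST = "example.com"

# Constructed: the URL paths WordPress knows about (in practice pulled from
# the posts/pages tables or the REST API). Anything beyond these did not
# come from the CMS.
KNOWN_PATHS = {"/", "/hello-world/", "/about/", "/2021/05/spring-update/"}

# Constructed sitemap documents: the site's real sitemap plus one file an
# attacker could have written and pinged to Google (the file name is invented).
SITEMAP_DOCS = {
    "https://example.com/wp-sitemap.xml": """<?xml version="1.0"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://example.com/wp-sitemap-posts-post-1.xml</loc></sitemap>
  <sitemap><loc>https://example.com/sitemap-deals-1.xml</loc></sitemap>
</sitemapindex>""",
    "https://example.com/wp-sitemap-posts-post-1.xml": """<?xml version="1.0"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/hello-world/</loc></url>
  <url><loc>https://example.com/2021/05/spring-update/</loc></url>
</urlset>""",
    "https://example.com/sitemap-deals-1.xml": """<?xml version="1.0"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/shop/discount-blender-9921/</loc></url>
  <url><loc>https://example.com/shop/cheap-headphones-1183/</loc></url>
  <url><loc>https://outlet-example.test/shop/</loc></url>
</urlset>""",
}


def offline_fetch(url):
    """Stand-in for an HTTP client: serve the constructed documents above."""
    return SITEMAP_DOCS[url]


def parse_sitemap(xml_text):
    """Return ('index', [child sitemap URLs]) or ('urlset', [page URLs])."""
    root = ET.fromstring(xml_text)
    locs = [e.text.strip() for e in root.iter(SM + "loc") if e.text]
    if root.tag == SM + "sitemapindex":
        return "index", locs
    if root.tag == SM + "urlset":
        return "urlset", locs
    raise ValueError("not a sitemap document: " + root.tag)


def audit_sitemaps(entry_url, fetch, site_host, known_paths, max_docs=50):
    """Walk the sitemap tree from entry_url and return (sitemap, url, reason)
    for every URL the CMS does not account for. max_docs bounds the walk so
    a hostile index cannot keep the auditor fetching forever."""
    suspicious = []
    seen = set()
    queue = [entry_url]
    while queue and len(seen) < max_docs:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        kind, locs = parse_sitemap(fetch(url))
        if kind == "index":
            queue.extend(locs)
            continue
        for loc in locs:
            parsed = urlparse(loc)
            if parsed.netloc != site_host:
                suspicious.append((url, loc, "foreign host"))
            elif parsed.path not in known_paths:
                suspicious.append((url, loc, "path unknown to WordPress"))
    return suspicious


if __name__ == "__main__":
    for sitemap, loc, reason in audit_sitemaps(
        "https://example.com/wp-sitemap.xml", offline_fetch, SITE_HOST, KNOWN_PATHS
    ):
        print(f"{reason}: {loc} (listed in {sitemap})")
```

On a real site, also compare the sitemap files present on disk with what WordPress generates, and check the list of submitted sitemaps in Google Search Console: a sitemap Google knows about that the CMS never produced is exactly what the 'ping' command leaves behind.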

This technique is somewhat similar to SEO poisoning, in which attackers abuse compromised sites or software vulnerabilities to boost the ranking of pages they control.

Even more concerning, this SEO malware may give rise to a new extortion vector in which a ransom is demanded to restore the original SERP rankings.

“The actor claims they have the ability to poison the SEO results for the target by injecting negative reviews and messages into forums, and then linking those with the target site's search results. They demand payment in BTC and also offer their services in targeting the competition,” Cashdollar said.

“Given that there are hundreds of thousands of abandoned WordPress installations online, and millions more with outdated plug-ins or weak credentials, the potential victim pool is massive,” Cashdollar added, in closing.
