Hackers Add Fraudulent Online Stores On Top Of WordPress Sites

✨ Megiddo

Attackers "poison" XML sitemaps, thereby lowering the sites' SERP ranking.


A new cybercriminal group attacks WordPress sites and installs hidden e-commerce stores on them, taking advantage of the site's search rankings and reputation for fraudulent purposes.

The attacks were discovered earlier this month when malware hit the honeypot of Akamai security specialist Larry Cashdollar. According to him, attackers gain access to the accounts of site administrators using a brute force attack, after which they overwrite their main index files and add malicious code.

Although the malicious code is heavily obfuscated, Cashdollar was able to figure out that its main purpose was to act as a proxy to redirect all incoming traffic to a C&C server controlled by cybercriminals.

A typical attack looks like this: when a user wants to visit a compromised site, his request is redirected to the C&C server. If the user meets certain criteria, the C&C server instructs the site to respond to the request by sending an HTML file with an online store offering household goods. That is, instead of the legitimate site requested by the user, a fraudulent online store opens. According to the researcher, at the time the malware got into his honeypot, the attackers had installed more than 7 thousand e-commerce stores on the compromised resources.

Among other things, hackers also generate XML sitemaps for the compromised sites containing entries for the fake stores along with the original pages. The attackers generate a sitemap, submit it to Google's search engine, and then delete it to avoid detection.

While this procedure looks harmless enough, it actually has a pretty big impact on WordPress sites, as it poisons their keywords with unrelated and fraudulent entries that lower their search engine result page (SERP) rankings.

According to Cashdollar, this type of malware can be used in SEO-related ransomware schemes, in which cybercriminals deliberately change the ranking of a site in search results, and then ask for a ransom to fix the consequences.
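
A defender-side check for the sitemap poisoning described above, as an added example that is not part of the original post or of Akamai's research: it compares the entries of a sitemap (for instance a copy fetched on a schedule, since the attackers delete theirs after submission) against the paths the site owner actually publishes, and also flags entries on other hosts, which goes beyond the case in the text. The host names, paths and sample sitemap are constructed, and `audit_sitemap` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

def sitemap_urls(xml_text):
    """Return every <loc> value from a sitemap document."""
    # A sitemap on a compromised host is attacker-controlled input; the
    # third-party defusedxml package is a safer parser for that case.
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter(NS + "loc") if el.text]

def normalize(url):
    """Reduce a URL to (host, path without trailing slash, query)."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/") or "/", parts.query

def audit_sitemap(xml_text, site_host, known_paths):
    """Return (unknown_on_site, off_site) sitemap entries.

    known_paths is the owner's own list of published paths, for example
    exported from the WordPress database (assumption of this example).
    """
    known = {p.rstrip("/") or "/" for p in known_paths}
    unknown, off_site = [], []
    for url in sitemap_urls(xml_text):
        host, path, query = normalize(url)
        if host != site_host.lower():
            off_site.append(url)
        # Assumption: legitimate entries use pretty permalinks, so any
        # query string on a sitemap entry is treated as unexpected.
        elif path not in known or query:
            unknown.append(url)
    return unknown, off_site

# Constructed sample: two real pages plus injected store entries.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://blog.example.com/</loc></url>
  <url><loc>https://blog.example.com/about/</loc></url>
  <url><loc>https://blog.example.com/?product=kettle-4471</loc></url>
  <url><loc>https://blog.example.com/shop/cookware-set.html</loc></url>
  <url><loc>https://store.example.net/deals</loc></url>
</urlset>"""
KNOWN_PATHS = ["/", "/about/", "/hello-world/"]

if __name__ == "__main__":
    unknown, off_site = audit_sitemap(SAMPLE_SITEMAP, "blog.example.com", KNOWN_PATHS)
    for url in unknown + off_site:
        print("unexpected sitemap entry:", url)
```

Any flagged entry is a reason to compare the site's index files against a known-good copy, since the article describes the stores being served through overwritten index files.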