A new malicious campaign is underway aimed at WordPress sites, in which attackers are setting up their own e-commerce stores on top of compromised websites with the goal of abusing the original site’s search rankings.
The attack was detailed by Larry Cashdollar, a security researcher with Akamai, who noticed a malware infection in which a malicious actor added a storefront on top of his WordPress honeypot. The attackers used brute force to gain access to the site’s admin account, then overwrote the site’s index file, adding their malicious code to it. The malware’s purpose was to redirect the site’s traffic to a command and control server managed by the attackers.
According to Cashdollar, the attack involves the following stages:
1. Request from the web user's browser to the infected WordPress site
2. Malware forwards the request to the command and control server
3. If the request is valid, the server returns 'okhtmlgetcontent' with the e-commerce site HTML
4. The HTML received from the C2 is passed on to the web user's browser
The researcher said that the attackers also generated XML sitemaps for the hacked WordPress sites that contained entries for the fake online stores along with the site's authentic pages. The attackers generated the sitemaps, submitted them to Google's search engine, and then deleted the sitemap to avoid detection.
“The malware creates sitemaps for Google to index on the fly, so the sitemap file isn't actually written to disk. My honeypot infection, as far as I could tell, was hosting more than 7,000 e-Commerce websites. There were six different sitemaps, all stored in robots.txt that was generated by the malware after infection,” Cashdollar noted.
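As an added defender-side example (not from the article or from Akamai), a Python check for the trick Cashdollar describes: it lists the Sitemap: directives in a site's robots.txt and flags any whose target is off-host or has no backing file under the document root, allowing for WordPress core's dynamically served wp-sitemap.xml. The robots.txt contents, the hostname example.org and the store sitemap names are constructed for the demo.

```python
"""Flag sitemaps advertised in robots.txt that no file on disk backs.

The campaign described above served sitemaps straight from memory, declared
in a malware-generated robots.txt. A Sitemap: line whose target is missing
under the document root, or that points at another host, deserves a look.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

SITEMAP_RE = re.compile(r"^\s*sitemap\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# WordPress core (5.5+) serves /wp-sitemap.xml dynamically, so it legitimately
# has no file on disk; extend this tuple for sitemap plugins you actually run.
KNOWN_DYNAMIC = ("wp-sitemap.xml",)


def sitemap_directives(robots_txt: str) -> list[str]:
    """Return every URL declared with a Sitemap: directive, in file order."""
    return SITEMAP_RE.findall(robots_txt)


def unbacked_sitemaps(robots_txt: str, site_host: str, docroot: str,
                      allow: tuple[str, ...] = KNOWN_DYNAMIC) -> list[str]:
    """Return declared sitemap URLs that are off-host or have no file under docroot."""
    suspicious = []
    for url in sitemap_directives(robots_txt):
        parsed = urlparse(url)
        if parsed.hostname != site_host:
            suspicious.append(url)  # sitemap hosted somewhere we do not control
            continue
        rel = parsed.path.lstrip("/")
        if rel in allow:
            continue  # known dynamically generated route, not a file
        if not rel or not os.path.isfile(os.path.join(docroot, rel)):
            suspicious.append(url)  # nothing on disk serves this path
    return suspicious


# Constructed sample: one genuine sitemap on disk plus six phantom "store"
# sitemaps, mirroring the six in-memory sitemaps the article mentions (names invented).
SAMPLE_ROBOTS = ("User-agent: *\nDisallow: /wp-admin/\n"
                 "Sitemap: https://example.org/sitemap.xml\n"
                 + "".join(f"Sitemap: https://example.org/sitemap-store-{i}.xml\n"
                           for i in range(1, 7)))


def demo() -> list[str]:
    """Build a throwaway docroot containing only sitemap.xml and run the check."""
    docroot = tempfile.mkdtemp()
    with open(os.path.join(docroot, "sitemap.xml"), "w") as fh:
        fh.write("<urlset/>")
    return unbacked_sitemaps(SAMPLE_ROBOTS, "example.org", docroot)


if __name__ == "__main__":
    for url in demo():
        print("no file backs", url)
```

On a live site, feed the function the robots.txt the web server actually returns (not the copy on disk), since the article's malware generated it at request time.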
The researcher believes that attacks like the one he discovered could be used by cybercriminals for SEO poisoning schemes, where the attackers manipulate a company's Search Engine Optimization (SEO) results and then demand a ransom to stop interfering with the target's online profile.
“While inconclusive, malware like what hit my honeypot could be used for these types of attacks. This makes them a low-barrier attack for criminals to pull off, as they only need a few compromised hosts to get started. Given that there are hundreds of thousands of abandoned WordPress installations online, and millions more with outdated plug-ins or weak credentials, the potential victim pool is massive. Bottom line, this attack proves that if you can modify something without authentication, it will be abused,” Cashdollar warned.