In a massive malicious SEO campaign, cybercriminals are promoting low-quality Q&A sites by redirecting visitors to fake discussion forums. As a result, almost 15,000 sites have been compromised.
In September 2022, researchers at Sucuri discovered the attacks. Each compromised site was found to contain approximately 20,000 files that were utilized in the search engine campaign.
Researchers believe that the threat actors' goal is to generate enough indexed pages to increase their authority in the search engines and, as a result, rank higher.
Primarily, the malware targets WordPress sites. The hackers modified the WordPress PHP files to inject redirects to fake Q&A discussion forums.
The infected files contain malicious code that checks if website visitors are logged into WordPress. If not, the visitors are redirected to a Google search click URL that redirects them to the spam Q&A site.
The use of Google search click URLs is likely to increase performance metrics on URLs in the Google index. Thus, the sites appear popular, and web traffic is seen as more legitimate, possibly bypassing some security software.
Users who are logged in are excluded so that the threat actor doesn't raise suspicion by redirecting a site administrator.
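
Because logged-in users are excluded, an administrator has to check the site as an anonymous visitor to see the behavior. The following is an added example, not code from Sucuri or the original article: it inspects a response captured without WordPress login cookies and reports Google click URLs that lead off-site. The function names, the assumed click-URL form (`google.<tld>/url?` with the destination in `q` or `url`) and the sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a Google click URL looks like https://www.google.<tld>/url?...
# and carries its destination in the "q" or "url" query parameter.
CLICK_URL = re.compile(r"https?://(?:www\.)?google\.[a-z.]{2,6}/url\?[^\s\"'<>]+", re.I)

def click_url_targets(text):
    """Return the destination host of every Google click URL found in text."""
    hosts = []
    for url in CLICK_URL.findall(text):
        query = parse_qs(urlsplit(url.replace("&amp;", "&")).query)
        for dest in query.get("q", []) + query.get("url", []):
            host = urlsplit(dest).hostname  # None when dest is not an absolute URL
            if host:
                hosts.append(host.lower())
    return hosts

def off_site(host, site_host):
    """True when host is neither the site itself nor one of its subdomains."""
    return host != site_host and not host.endswith("." + site_host)

def suspicious_redirects(status, headers, body, site_host):
    """Inspect one response fetched WITHOUT WordPress login cookies.

    Returns (where, host) pairs for click URLs that lead off-site. Header and
    body are both checked because the page does not say how the redirect is sent.
    """
    findings = []
    if 300 <= status < 400:
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        findings += [("header", h) for h in click_url_targets(location) if off_site(h, site_host)]
    findings += [("body", h) for h in click_url_targets(body) if off_site(h, site_host)]
    return findings

if __name__ == "__main__":
    # Constructed sample responses; every host name here is a placeholder.
    redirected = (302, {"Location": "https://www.google.com/url?sa=t&url=https%3A%2F%2Fqa-forum.example%2Fask"}, "")
    clean = (200, {}, '<a href="https://www.google.com/url?q=https://blog.example/post">cached</a>')
    for status, headers, body in (redirected, clean):
        print(status, suspicious_redirects(status, headers, body, "blog.example"))
```

Running the same check on a response fetched with a valid login cookie and comparing the two results shows whether the site treats anonymous visitors differently.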
While Sucuri couldn't identify the exact way the attackers breached the website that was used for redirects, it is likely that they exploited a vulnerable plugin or brute-forced the WordPress administrator password to access the website.
Sucuri recommends that users secure their admin panel with two-factor authentication or other access restrictions to avoid becoming a victim. Furthermore, users should ensure that all software on their website is up to date and patched to the latest versions.