The malware gang poisoned the victims' XML sitemaps with tens of thousands of scammy entries, lowering the websites' SERP ranking.
A new cybercrime gang was seen taking over exposed WordPress sites to install hidden e-commerce shops, with the aim of hijacking the original site's search engine ranking and reputation to promote online scams.
The attacks were discovered earlier this month targeting a WordPress honeypot set up and managed by Larry Cashdollar, a security researcher for the Akamai security team.
The attackers used brute-force attacks to gain access to the site's admin accounts, and they then overwrote the WordPress site's main index file and appended malicious code.
It was on the malware's command-and-control (C&C) server that the whole "business logic" of the attacks happened. According to Cashdollar, a typical attack goes as follows:
The hacked WordPress site redirects the user's request to view the site to the malware's C&C server.
If the user meets certain criteria, the C&C server tells the site to respond with an HTML file containing an online shop selling a wide array of mundane objects.
The hacked site responds to the user's request with a scammy online shop instead of the original site the user wanted to see.
Cashdollar said that during the time the hackers had access to his honeypot, the attackers hosted over 7,000 e-commerce shops that they intended to serve to incoming visitors.
INTRUDERS POISONED THE WEBSITE'S XML SITEMAP
Additionally, the Akamai researcher said the hackers also generated XML sitemaps for the hacked WordPress sites that contained entries for the fake online shops alongside the site's authentic pages.
Although this step looked fairly benign, it had a major effect on the WordPress site, since it ended up poisoning the site's keywords with unrelated and scammy entries that lowered its search engine results page (SERP) ranking.
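One way a site owner could detect this kind of sitemap poisoning, as an added example that is not from Akamai's research or the original article: compare every sitemap entry with a known-good list of the site's real pages. The host name blog.example, the path inventory and the 20% alert threshold are assumptions made for illustration, and the sample sitemap is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sample: three real pages plus two injected shop entries.
SAMPLE_SITEMAP = """
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://blog.example/</loc></url>
  <url><loc>https://blog.example/about/</loc></url>
  <url><loc>https://blog.example/blog/hello-world/</loc></url>
  <url><loc>https://blog.example/shop/cheap-widget-1001.html</loc></url>
  <url><loc>https://blog.example/?item=1002</loc></url>
</urlset>
""".strip()

# Assumed baseline: paths exported from a trusted copy of the site.
KNOWN_PATHS = {"/", "/about", "/blog/hello-world"}


def audit_sitemap(xml_text, site_host, known_paths, max_unknown_ratio=0.2):
    """Return sitemap entries that are not in the known-good inventory."""
    # The sitemap may be attacker-written, so refuse DTDs (entity expansion).
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in sitemap")
    root = ET.fromstring(xml_text)
    unknown, total = [], 0
    for loc in root.iterfind(".//sm:loc", NS):
        url = (loc.text or "").strip()
        parts = urlsplit(url)
        total += 1
        # Normalise trailing slashes; keep the query, since an injected
        # page can live behind a parameter on a legitimate path.
        key = parts.path.rstrip("/") or "/"
        if parts.query:
            key += "?" + parts.query
        if (parts.hostname or "").lower() != site_host.lower() or key not in known_paths:
            unknown.append(url)
    ratio = len(unknown) / total if total else 0.0
    return {"total": total, "unknown": unknown, "alert": ratio > max_unknown_ratio}


if __name__ == "__main__":
    report = audit_sitemap(SAMPLE_SITEMAP, "blog.example", KNOWN_PATHS)
    print(report["total"], "entries,", len(report["unknown"]), "unknown, alert =", report["alert"])
    for url in report["unknown"]:
        print("  unexpected:", url)
```

Running the same check on a schedule against the live sitemap, with the baseline kept off the web server, also catches a sudden jump in the entry count.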
Cashdollar now believes this type of malware could be used for SEO extortion schemes, in which criminal groups intentionally poison a site's SERP ranking and then demand a ransom to revert the effects.
“This leaves them a low-barrier assault for offenders to pull off since they just require a few endangered hosts to begin,” Cashdollar stated. “Given that there are thousands and thousands of left-wing WordPress installations on the internet, and more with obsolete plug-ins or weak qualifications, the possible victim pool is enormous.”