~11,000 sites have been infected with malware that’s good at avoiding detection

By | February 13, 2023

Nearly 11,000 websites in recent months have been infected with a backdoor that redirects visitors to sites that rack up fraudulent views of ads provided by Google AdSense, researchers said.

All 10,890 infected sites, found by security firm Sucuri, run the WordPress content management system and have an obfuscated PHP script that has been injected into legitimate files powering the websites. Such files include “index.php,” “wp-signup.php,” “wp-activate.php,” “wp-cron.php,” and many more. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional injected code works as a backdoor that’s designed to ensure the malware will survive disinfection attempts by loading itself in files that run whenever the targeted server is restarted.

“These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin and wp-content directories,” Sucuri researcher Ben Martin wrote. “Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

Sneaky and determined

The malware takes pains to hide its presence from operators. When a visitor is logged in as an administrator or has visited an infected site within the past two or six hours, the redirections are suspended. As noted earlier, the malicious code is also obfuscated, using Base64 encoding.

Once the code is converted to plaintext, it appears this way:

The same code when decoded.

Similarly, the backdoor code that ensures the site is reinfected looks like this when obfuscated:

Backdoor PHP code when encoded with base64.

When decoded, it looks like this:

The PHP backdoor when decoded.

The mass website infection has been ongoing since at least September. In a post published in November that first alerted people to the campaign, Martin warned:

“At this point, we haven’t noticed malicious behavior on these landing pages. However, at any given time site operators may arbitrarily add malware or start redirecting traffic to other third-party websites.”

For now, the entire objective of the campaign appears to be generating organic-looking traffic to websites that contain Google AdSense ads. Martin identified several AdSense publisher accounts, and the domains carrying them, that are engaged in the scam.


To make the visits evade detection from network security tools and to appear to be organic—meaning coming from real people voluntarily viewing the pages—the redirections occur through Google and Bing searches:

Page source showing the redirection is occurring through Google search.

The final destinations are mostly Q&A sites that discuss Bitcoin or other cryptocurrencies. Once a redirected browser visits one of the sites, the crooks have succeeded. Martin explained:

Essentially, website owners place Google-sanctioned advertisements on their websites and get paid for the number of views and clicks that they get. It doesn’t matter where those views or clicks come from, just so long as it gives the impression to those that are paying to have their ads seen that they are, in fact, being seen.

Of course, the low-quality nature of the websites associated with this infection would generate basically zero organic traffic, so the only way that they are able to pump traffic is through malicious means.

In other words: Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whomever is behind this campaign. It is one very large and ongoing campaign of organized advertising revenue fraud.

According to Google AdSense documentation, this behavior is not acceptable and publishers must not place Google-served ads on pages that violate the Spam policies for Google web search.

Google representatives didn't respond to an email asking if the company has plans to remove the AdSense accounts Martin identified or find other means to crack down on the scam.

It’s not clear how sites are becoming infected in the first place. In general, the most common method for infecting WordPress sites is exploiting vulnerable plugins running on a site. Martin said Sucuri hasn’t identified any buggy plugins running on the infected sites but also noted that exploit kits exist that streamline the ability to find various vulnerabilities that may exist on a site.

The Sucuri posts provide steps website admins can follow to detect and remove infections. End users who find themselves redirected to one of these scam sites should close the tab and not click on any of the content.
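The following Python script is an example added here, not code from Sucuri or from the article, of the kind of check the posts describe: it scans the WordPress core files named above for the eval/base64_decode pattern and decodes any long base64 literal to see whether it hides redirect or backdoor logic. The two sample files it runs against are constructed, and the regexes, the 80-character threshold and the keyword list are assumptions, not indicators taken from the campaign.

```python
import base64
import re
from pathlib import Path

# Core files the campaign was seen injecting (per the Sucuri findings above); wp-blog-header.php held the reinfection backdoor.
TARGET_FILES = {"index.php", "wp-signup.php", "wp-activate.php",
                "wp-cron.php", "wp-blog-header.php"}
# Obfuscation helpers that genuine WordPress core files never call at top level (assumed indicator set).
SUSPICIOUS = re.compile(r"\b(eval|assert|create_function|gzinflate|str_rot13|base64_decode)\s*\(", re.I)
# A quoted base64 run long enough to hold code rather than a token or hash (80 is an assumed threshold).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{80,}={0,2})['\"]")
# What decoded redirect/backdoor logic tends to touch: request data, Location headers, fetch/write calls.
PHP_HINTS = re.compile(r"\$_(GET|POST|COOKIE|SERVER)|header\s*\(|curl_exec|file_put_contents", re.I)

def decode_blobs(src):
    """Decode long base64 literals in PHP source; keep those that look like PHP logic."""
    hits = []
    for m in B64_LITERAL.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad alphabet, length or padding
            continue
        if PHP_HINTS.search(text):
            hits.append(text[:100])
    return hits

def scan_source(name, src):
    """Return findings for one file's contents; an empty list means nothing was flagged."""
    findings = []
    funcs = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(src)})
    if "eval" in funcs or "base64_decode" in funcs:
        findings.append(f"{name}: calls {', '.join(funcs)}")
    for blob in decode_blobs(src):
        findings.append(f"{name}: base64 payload decodes to {blob!r}")
    return findings

def scan_tree(root):
    """Scan every .php file under a WordPress install, the known core targets first."""
    paths = sorted(Path(root).rglob("*.php"), key=lambda p: p.name not in TARGET_FILES)
    findings = []
    for path in paths:
        findings += scan_source(str(path.relative_to(root)), path.read_text(errors="replace"))
    return findings

# Constructed sample (not real malware): a benign index.php and a wp-blog-header.php carrying an
# eval(base64_decode(...)) stub whose payload skips logged-in users, as the article describes.
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
PAYLOAD = '<?php if (!isset($_COOKIE["wordpress_logged_in"])) { header("Location: https://example.invalid/"); }'
INJECTED_HEADER = ("<?php\neval(base64_decode('" + base64.b64encode(PAYLOAD.encode()).decode()
                   + "'));\nrequire_once __DIR__ . '/wp-load.php';\n")
```

Run `scan_tree("/path/to/wordpress")` against a real install to list flagged files; the dropped shells the posts mention land in wp-includes, wp-admin and wp-content under random names, so any unfamiliar .php file flagged there deserves a look before cleanup.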