Security researchers have spotted an intriguing malware campaign designed to increase the search engine rankings of spam websites under the control of threat actors.
Over 15,000 WordPress and other sites have been redirected to the spam Q&A sites, according to Sucuri. The hackers are using modified WordPress PHP files and, in some cases, their own PHP files to achieve the redirects, with targeted sites on average containing 100 infected files each.
The destination spam sites, of which Sucuri has so far found 14, have their servers hidden behind a CloudFlare proxy.
“The sites seem to be using the same Q&A pattern and are built using the Question2Answer (Q2A) open source Q&A platform. According to their website, this platform is currently powering over 24,500 sites in 40 languages,” the vendor explained.
“The attackers’ spam sites are populated with various random questions and answers found to be scraped from other Q&A sites. Many of them have cryptocurrency and financial themes.”
Although no malicious activity has been detected on these spam sites as yet, the actors behind this campaign could “arbitrarily add malware” to them or redirect visitors again to malicious third-party sites, Sucuri warned.
“It’s possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results. This technique artificially sends Google signals that those pages are performing well in search,” the vendor added.
“If this is the case, it’s a pretty clever black hat SEO trick that we’ve rarely seen used in massive hack campaigns. However, its effect is questionable given that Google will be getting lots of ‘clicks’ on search results without any actual searches being performed.”
This theory is backed by the fact that the second level domains of the Q&A sites “seem to belong” to the same individuals, it added.
The campaign is somewhat unusual in that only 13% of all SEO spam infections are classified as a malicious redirect, according to Sucuri.