A new scheme perpetrated by spammers is infecting over 500 websites per day. According to the Sucuri report, attackers execute this tactic with varying degrees of sophistication, using the infected sites' storage and database resources and profiting from their search rankings.
Some write elegant code that stays hidden and is hard to detect, while others mount simple attacks that scale more widely but are very obvious.
In their spam investigation, experts at Sucuri analyzed a case in which attackers abused storage and database resources by installing spammy WordPress sites in subdirectories of the original site. The technique may not be entirely new, but it apparently still works for these spammers.
Unlike defacements and redirect techniques, this type of hack does not change the appearance of the infected site.
In the example below, the hackers hid the malicious sites in subdirectories, keeping them out of sight of unsuspecting website owners.
The Pattern of Attack
There seems to be no end to SEO spam; hackers continue to develop new techniques for infecting websites. The researchers identified the following pattern in this attack:
- The attackers added two directories in the site root (./oakleyer and ./raybaner), each containing a WordPress installation (v4.0.12).
- The attackers took the database credentials from the original site's wp-config.php and used different table prefixes for the spammy WordPress subsites.
- Four specific files in both ./oakleyer/wp-admin and ./raybaner/wp-admin helped automate blog management:
  - php – verifies whether a post with a given title exists in the database.
  - php – creates or updates spam posts in the database.
  - php – posts comments.
  - php – creates sitemaps for the spam sub-sites.
The hackers also automated WordPress management, which lets them update posts and comments on multiple spammy sub-sites with one click.
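One way a site owner can check for the pattern described above: scan the document root for nested WordPress installs whose wp-config.php reuses the parent site's DB_NAME/DB_USER/DB_HOST but sets a different $table_prefix. This is an added example, not code from the Sucuri report; the directory names, database names and credentials are constructed for the demonstration.

```python
# Added example, not code from the Sucuri report; all paths and values are constructed.
import os
import re
import tempfile

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_NAME|DB_USER|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_wp_config(path):
    """Extract DB_NAME/DB_USER/DB_HOST and $table_prefix from one wp-config.php."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    cfg = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    cfg["table_prefix"] = m.group(1) if m else None
    return cfg

def nested_installs(docroot):
    """Yield (relative_dir, config) for every wp-config.php below the root's own."""
    for dirpath, dirnames, filenames in os.walk(docroot):
        if dirpath != docroot and "wp-config.php" in filenames:
            yield os.path.relpath(dirpath, docroot), parse_wp_config(os.path.join(dirpath, "wp-config.php"))
            dirnames[:] = []  # an install's own subtree is not another install

def suspicious_subsites(docroot):
    """Nested installs that sit on the root site's database under a different table prefix."""
    root = parse_wp_config(os.path.join(docroot, "wp-config.php"))
    return sorted((rel, cfg["table_prefix"]) for rel, cfg in nested_installs(docroot)
                  if all(cfg.get(k) == root.get(k) for k in ("DB_NAME", "DB_USER", "DB_HOST"))
                  and cfg["table_prefix"] != root["table_prefix"])

def write_config(directory, db, prefix):
    """Write a minimal constructed wp-config.php (password is a placeholder)."""
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, "wp-config.php"), "w") as f:
        f.write(f"<?php\ndefine('DB_NAME', '{db}');\ndefine('DB_USER', 'wpuser');\n"
                f"define('DB_PASSWORD', 'PLACEHOLDER');\ndefine('DB_HOST', 'localhost');\n"
                f"$table_prefix = '{prefix}';\n")

def build_sample_docroot():
    """Constructed fixture: the real site, a legitimate /blog on its own DB, two spam subsites."""
    root = tempfile.mkdtemp()
    write_config(root, "shop_db", "wp_")
    write_config(os.path.join(root, "blog"), "blog_db", "wp_")       # own DB: not flagged
    write_config(os.path.join(root, "oakleyer"), "shop_db", "oak_")  # reuses shop_db
    write_config(os.path.join(root, "raybaner"), "shop_db", "ray_")  # reuses shop_db
    return root

if __name__ == "__main__":
    for rel, prefix in suspicious_subsites(build_sample_docroot()):
        print(f"nested WordPress install ./{rel} uses the root database with prefix {prefix!r}")
```

Run it against a real web root by replacing the fixture with the actual path; a legitimate sub-install on its own database is not flagged, only one that shares the parent's credentials under a different prefix.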
Sucuri also offered some quick checks for finding out whether your site is affected:
“While not a comprehensive exploration, a quick check can easily be done via Google Search Console. If you see unrelated search queries, it’s a strong indication of an SEO hack. Another simple search of [site:your-site-domain-here.com cheap] can also provide insight.
Keywords like “cheap” and “free” are often used by spammers. These are good terms to check if you suspect that your site may be hacked. If the search returns pages that don’t belong to your site, spammers may be using it.
In this case, it was easy to identify the malicious directories in the site root. The straightforward naming conventions (./oakleyer and ./raybaner) used for the additional directories clearly indicated that we had found the sunglasses spam location. However, it is unrealistic to manually check the integrity of your site’s files and directory structure consistently. In fact, many hackers count on the fact that website owners are not staying vigilant.”
What are your thoughts on this type of hacking technique? Do you have suggestions on how to prevent such attacks? Let us know!