• Home
  • |
  • Blog
  • |
  • How to Protect Your WordPress Website From Redirect Malware Campaign
How to Protect Your WordPress Website From Redirect Malware Campaign

Sucuri, a well-known website security firm, revealed its studies about a unique search engine poisoning technique that lets attackers increase the authority of the attacker’s sites from search engine prospects. That eventually forces search engines to treat attackers’ websites as genuine. According to the report shared by Sucuri, there are more than 15000 WordPress websites were seems to be compromised using this ois[.]is Black Hat Redirect Malware Campaign. Considering its consequences, we urge you to protect your WordPress website from Redirect Malware Campaigns if you have one.

Before we begin exploring how to protect your WordPress website from Redirect Malware Campaign, let’s see a short introduction about WordPress, technical details about the Redirect Malware Campaign, how to detect your WordPress website is compromised, and finally, how to protect your WordPress website from Redirect Malware Campaign.

A Short Note About WordPress

WordPress is a popular content management system (CMS) that enables you to create a website or blog from scratch or to improve an existing site. WordPress is used by millions of people around the world, including many large organizations, such as The Guardian, Forbes, and The New York Times. WordPress is free and open-source software released under the GPLv2 license.

WordPress is a very versatile platform and can be used for a wide variety of websites and applications. In addition to traditional websites and blogs, WordPress can also be used to create e-commerce sites, social networks, intranets, and much more.

If you’re looking to create a website or blog, WordPress is a great option. It’s easy to use, has a huge community of users and developers, and is very customizable.

Role of Website Redirects and Dofollow Links in SEO:

Before we learn how this search engine poisoning technique works, it is a must to know about the role of website redirects and dofollow links in SEO (Search Engine Optimization).

Website redirects play an important role in SEO. They can help improve your website’s search engine ranking by making it easier for search engines to find and index your site. Redirects can also help improve the user experience on your site by providing a more seamless experience for visitors. There are a few different types of redirects that you can use, and each has its own benefits and drawbacks. The most important thing is to choose the right redirect for your needs and implement it properly to ensure that it works as intended.

301 redirects are the most commonly used type of redirect and are often used when a website is permanently moving to a new URL. 302 redirects are typically used for temporary moves or changes, and meta refresh redirects are typically used for redirecting users to a different page on the same site. Each type of redirect has its own benefits and drawbacks, so it’s important to choose the right one for your needs.

Another aspect that is ‘Dofollow’ is important to know to understand how this Redirect Malware Campaign works.

There are two types of hyperlinks, 1. Dofollow, and 2. Nofollow links. In simple terms, a dofollow link is a link that passes on “link juice” to the website it’s linking to. This is in contrast to nofollow links, which don’t pass on link juice. Link juice is an important part of SEO because it helps websites rank higher in search engine results pages (SERPs). The more link juice a website has, the better its chances of ranking high in SERPs.

Dofollow links are especially valuable because they’re not easy to get. Most links on the web are nofollowed, meaning that they don’t pass on any link juice. So when you do get a dofollow link, it’s like getting a vote of confidence from Google that your website is worth linking to.

Overview of the ois[.]is Black Hat Redirect Malware Campaign

The initial attack vector is not clear about the campaign. Attackers are not seen to be targeting a known or o-day vulnerability either on WordPress or third-party plugins to compromise the WordPress websites. However, it’s been suspected that the attackers might have used compromised WordPress console logins. 

The ultimate goal of the campaign is to infect a compromised WordPress with malware that crests a fake redirection to the attacker’s low-quality Q&A sites. Successful exploitation would allow attackers to execute the malware and create redirects to websites of the attacker’s choice.

The study also says that on the compromised websites, it’s been found that there are as many as hundreds of files were found infected. Some of the commonly infected PHP and core WordPress files are seen are:

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php
  • index.php
  • RVbCGlEjx6H.php
  • lfojmd.php
  • wp-newslet.php
  • wp-ver.php
  • wp-logln.php

One of the unique and tricky natures of the campaign is the malware used to infect the WordPress website is made intelligent enough to detect the website visitor is currently logged in to WordPress. The malware makes sure the redirect should not occur either if the wordpress_logged_in cookie is present or if the current page is wp-login.php. This nature is purposefully maintained to work covertly under the radar. 

If the malware does not detect either the wordpress_logged_in cookie or the current page is wp-login.php, that is, no user login or login attempt, then the malware tries to inject a malicious JavaScript code. That creates redirection to the attacker’s low-quality Q&A sites. Please read the full technical details at this link

How Does ois[.]is Black Hat Redirect Malware Campaign Work?

  1. Initially, aa advisory will gain unauthorized access by the compromised admin credentials of the WordPress website’s console.
  2. Upon having access, the advisory will host malware and starts doing nasty things like twerking the WordPress configuration files (Files are listed in the previous section). It’s been found that the malware is capable of tweaking hundreds of PHP and core WordPress configuration files inducing index.php files on a single website. 
  3. The malware is designed to detect a logged-in user or login attempt. If it doesn’t detect a user log-in, it downloads a malicious JavaScript that creates initial redirectionto .png files hosted on bitly (hxxps://bit[.]ly/3AAXYh6) later redirected to ois[.]is domain and spammy Q&A websites. That eventually increases the authority of spammy Q&A sites in search engines. 

How to Detect Your WordPress Website is Compromised?

The primary indicator of compromise is to identify if your website is redirecting to ois[.]is domain. As per the report, there are several more domains were captured by Sucuri. Please have the list here:

  • en.w4ksa[.]com
  • peace.yomeat[.]com
  • qa.bb7r[.]com
  • en.ajeel[.]store
  • qa.istisharaat[.]com
  •  en.photolovegirl[.]com
  •  en.poxnel[.]com
  •  qa.tadalafilhot[.]com
  • questions.rawafedpor[.]com
  •  qa.elbwaba[.]com
  • questions.firstgooal[.]com
  •  qa.cr-halal[.]com
  • qa.aly2um[.]com

The second must-do step is to perform file integrity check of WordPress files. If you want to quickly take a look at the integrity check, just run this command that will give you the list of all the modified files for the past n number of days. Example: Run this command to check the modified files for the past 30 days.

$ find . -type f -mtime -30

The Sucuri team has developed a free site checker tool. You can make use of the free tool to check the infection. 

How to Protect Your WordPress Website From Redirect Malware Campaigns?

Since the campaign tries to use the compromised credentials to exploit the WordPress websites, it is highly recommended to secure the admin account. Along with this, please make sure you have taken all these security measures to protect your WordPress website from Redirect Malware Campaign.

  1. Keep your WordPress installation and plugins up to date.
  2. Use a strong password for your WordPress administrator account.
  3. Use a security plugin like Wordfence to scan for malware and block malicious IP addresses.
  4. Don’t click on unknown links or download untrustworthy attachments.
  5. Back up your WordPress site regularly.”
  6. If you think your site has been hacked, take it offline immediately and contact a professional for help.
  7. Protecting your website from redirect malware campaigns requires vigilance and proactive security measures. Following these tips will help keep your site safe from attack. 

We hope this post would help you know technical details about the Redirect Malware Campaign, how to detect your WordPress website is compromised, and finally, how to protect your WordPress website from Redirect Malware Campaigns. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.