A new campaign targeting weak WordPress sites has been discovered, in which the attackers manipulate a site's files to host scam e-commerce sites on it. According to the Akamai security team, which discovered the campaign, the hackers gain access to the admin accounts of WordPress sites to degrade the sites' search rankings and serve their visitors the hackers' own online stores.
Using WordPress Sites for Hosting Scam Stores
Larry Cashdollar, a researcher on Akamai's security team, has spotted a new campaign in which a new malware group is actively exploiting WordPress sites for malicious purposes. The campaign was caught in the honeypot they set up for tracking such campaigns earlier this month.
He said the hackers use brute-force attacks against WordPress sites with weak credentials to gain admin account access. That access is then used to obtain the compromised site's main index file and add their malware code to it. The site is then connected to the hackers' remote command-and-control (C2) server to continue the plan.

As explained in his blog post, any user visiting the compromised site is redirected to the hackers' C2 to be checked. If the user passes the eligibility test, the hackers' command server directs the site to show the user an HTML file with an e-commerce store instead of the page they wanted to see.
The e-commerce store lists common products for purchase and could steal users' money and card data if they attempt to make a purchase. The researchers said they observed over 7,000 such scam e-commerce stores being hosted on the honeypot they gained access to.
Besides this, they are also said to download the site's XML sitemap files, which are a directory of the site's pages, add their list of scam stores alongside the site's other pages, and publish the result to Google. The new and unrelated keywords confuse web crawlers and eventually degrade the site's ranking in search results (SERP).
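
A defender-side check for the two changes described above (a modified main index file and scam-store entries added to the sitemap), as an added example that is not from Akamai's write-up: it compares the index file to a recorded hash and flags sitemap URLs that are missing from a known-good baseline. The host example.test, the baseline paths and the sample sitemap are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SM_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

def audit_sitemap(xml_text, site_host, baseline_paths):
    """Return (reason, url) for <loc> entries that are off-host or not in the baseline."""
    findings = []
    # Stdlib parser; for XML from an untrusted source consider defusedxml instead.
    root = ET.fromstring(xml_text)
    for loc in root.iter(SM_NS + "loc"):
        url = (loc.text or "").strip()
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != site_host.lower():
            findings.append(("off-host", url))
        elif (parts.path or "/") not in baseline_paths:
            findings.append(("not-in-baseline", url))
    return findings

def index_modified(index_bytes, baseline_sha256):
    """True when the main index file no longer matches its recorded SHA-256."""
    return hashlib.sha256(index_bytes).hexdigest() != baseline_sha256

# Constructed sample data: a clean index file, its hash, and the site's real pages.
CLEAN_INDEX = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
BASELINE_HASH = hashlib.sha256(CLEAN_INDEX).hexdigest()
BASELINE_PATHS = {"/", "/about/", "/blog/hello-world/"}
# Constructed sitemap with two entries the site owner never published.
SAMPLE_SITEMAP = """<?xml version="1.0"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/</loc></url>
  <url><loc>https://example.test/about/</loc></url>
  <url><loc>https://example.test/cheap-watches-store.html</loc></url>
  <url><loc>https://shop.example.invalid/deals</loc></url>
</urlset>"""

if __name__ == "__main__":
    for reason, url in audit_sitemap(SAMPLE_SITEMAP, "example.test", BASELINE_PATHS):
        print(f"{reason}: {url}")
    tampered = CLEAN_INDEX + b"// injected"
    print("index modified:", index_modified(tampered, BASELINE_HASH))
```

The baseline hash and path list need to be recorded while the site is known to be clean and stored somewhere the WordPress admin account cannot write.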