A newly discovered fake WordPress plugin, security-wordpress, has been found injecting casino-related spam links into websites. Disguised under an innocent-sounding name, the malicious plugin hides within the WordPress plugins directory, making it difficult to detect through routine integrity checks.
Once activated, the malware decrypts an obfuscated URL, fetches data from a remote server, and stealthily inserts spammy links into the website’s footer. This attack aims to manipulate search engine rankings and redirect unsuspecting visitors to harmful sites.
According to researchers, attackers often leverage WordPress plugins to distribute malware, as they do not form part of the core WordPress files, making them harder to detect through standard integrity checks.
Additionally, malicious plugins can be disguised under seemingly harmless names and hidden from the WordPress dashboard, further complicating detection.

In this particular case, a victim’s website was injected with casino-related spam links in the footer. After a detailed investigation, security analysts pinpointed a rogue plugin as the culprit. The attacker used various techniques, including:
- Giving the plugin an innocuous name to avoid suspicion.
- Hiding it in the WordPress plugins directory rather than modifying core files.
- Obfuscating malicious code within a single PHP file.
The investigation began with a thorough review of the WordPress ‘wp-content/plugins’ directory. Analysts quickly spotted that the security-wordpress plugin contained only a single file, a notable red flag, as most plugins typically have multiple files.
“This plugin name doesn’t appear to be related to a commonly used plugin, so we better take a look. Let’s look at the contents of the wp-content/plugins/security-wordpress directory to review further,” explained researchers.

Investigators discovered that the attackers used XOR encryption to mask malicious URLs. The plugin used cURL to retrieve JSON data from an external server, and the malware embedded an encrypted URL, which it decoded using Base64, ROT13, and XOR techniques.
Experts also found that the extracted links were randomly shuffled and inserted into the website footer. The injected links aimed to improve the search rankings of the attacker’s websites.
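
The red flags described above (a plugin directory holding a single file, Base64/ROT13/XOR decoding, and a cURL fetch) can be turned into a quick triage pass over wp-content/plugins. The Python script below is an added example, not code from the researchers; the indicator patterns, the thresholds, and the sample plugin names and file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the article: Base64, ROT13 and XOR decoding plus a cURL fetch.
INDICATORS = {
    "base64": re.compile(r"\bbase64_decode\s*\(", re.I),
    "rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "curl": re.compile(r"\bcurl_(?:init|exec)\s*\(", re.I),
    # Heuristic for XOR on values: "$a ^ $b", "ord(..) ^ ord(..)" or "^=".
    "xor": re.compile(r"\^=|[\)\]\w]\s*\^\s*[\$\w(]"),
}

def triage_plugins(plugins_dir):
    """Return {plugin: {"single_file": bool, "hits": [...]}} for plugins worth a manual look."""
    findings = {}
    for plugin in sorted(Path(plugins_dir).iterdir()):
        if not plugin.is_dir():
            continue
        files = [f for f in plugin.rglob("*") if f.is_file()]
        source = "\n".join(f.read_text(errors="replace")
                           for f in files if f.suffix.lower() == ".php")
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(source))
        single_file = len(files) == 1
        # Assumed thresholds: a lone file needs fewer indicators than a normal plugin.
        if len(hits) >= (2 if single_file else 4):
            findings[plugin.name] = {"single_file": single_file, "hits": hits}
    return findings

def build_sample_tree(root):
    """Constructed test data: one benign multi-file plugin, one single-file decoder stub."""
    benign = Path(root) / "sample-contact-form"
    (benign / "includes").mkdir(parents=True)
    (benign / "sample-contact-form.php").write_text("<?php require 'includes/api.php';\n")
    (benign / "includes" / "api.php").write_text("<?php $ch = curl_init($endpoint);\n")
    (benign / "readme.txt").write_text("Sample plugin\n")
    lone = Path(root) / "sample-single-file"
    lone.mkdir()
    (lone / "sample-single-file.php").write_text(
        "<?php $s = base64_decode(str_rot13($blob));\n"
        "$o .= chr(ord($s[$i]) ^ ord($k[$i % strlen($k)]));\n"
        "$json = curl_exec($ch);\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage_plugins(build_sample_tree(tmp))
if __name__ == "__main__":
    print(demo())
```

A hit only marks a plugin for manual review; legitimate plugins also use these functions, which is why the multi-file threshold is set higher.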
Possible motives include boosting search engine rankings by inserting spammy backlinks, tricking visitors into clicking malicious links that lead to harmful sites, and selling unauthorised backlink placement to third parties for profit.
“The methods attackers use to distribute spam are ever evolving. Search engine rankings are vital to a business’s website and attackers love to take advantage of this. However, this could be detrimental if this occurs to your site,” cautioned researchers.