WordPress sites are being targeted by an unknown hacking group in a large-scale phishing attack. Security reports indicate that the attack follows a specially crafted scenario.
Massive Spam Attack Hits WordPress Sites
A recent security report reveals that an unknown hacking group is actively targeting WordPress sites and has been able to deface many Korean installations. The researchers who posted about the incident note that the collective is using a special spam generator which injects malicious content into the compromised sites. The route of infection is a weakness in the configuration file used by the content management system, which allows code to be inserted into posts.
It appears that the hackers have defined a list of conditions that control the attack. The attacking script is configured to select only Korean sites by targeting the .kr domain and checking whether the site's language options match. As soon as a vulnerable site is found, the malware framework automatically inserts malicious links, which are retrieved from a special hacker-controlled server. These produce content containing keywords that can modify the SEO ranking of the site. There are several reasons why the hackers have chosen to run this particular campaign:
- The compromised sites will rank higher in search engines when users search for the injected keywords. This will generate traffic to the sites, which may contain various kinds of malware or phishing content.
- The modified pages can be altered so that they will not be visible in search engine queries. This is often done in order to sabotage high-ranking pages.
- Via the code injection the hackers can insert banners and ads which will generate income for them. This can include cryptocurrency miner code that can be executed directly in the web browsers.
With thousands of sites compromised so far, WordPress administrators are urged to apply the latest patches for both the main system and any installed plugins. Webmasters can also check their site for suspicious content by reviewing the Google Search Console reports.
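As a complement to the Search Console review, the post bodies themselves can be audited for links that the site owner never added. The following is an added example, not code from the reports or from WordPress: it assumes post HTML has been exported (for instance from the `post_content` column of `wp_posts`), and the allowlisted host, the link-hiding style fragments and the sample posts are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, constructed values (not from the reports): own hosts, hiding styles.
ALLOWED_HOSTS = {"blog.example"}
HIDING_STYLES = ("display:none", "visibility:hidden", "left:-9999", "font-size:0")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

class LinkAudit(HTMLParser):
    """Records off-site <a href> hosts and whether an enclosing style hides them."""
    def __init__(self):
        super().__init__()
        self.stack = [("", False)]  # (tag, hidden) per open element; [0] is a sentinel
        self.findings = []          # (host, hidden) for each off-site link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = self.stack[-1][1] or any(s in style for s in HIDING_STYLES)
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host and host not in ALLOWED_HOSTS:  # relative links have no host
                self.findings.append((host, hidden))
        if tag not in VOID_TAGS:  # void elements never get an end tag
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit_posts(posts):
    """posts maps post ID -> post HTML; returns {post_id: [(host, hidden), ...]}."""
    report = {}
    for post_id, html in posts.items():
        parser = LinkAudit()
        parser.feed(html)
        if parser.findings:
            report[post_id] = parser.findings
    return report

SAMPLE_POSTS = {  # constructed post bodies, not taken from any compromised site
    101: '<p><a href="/about">About</a> <a href="https://blog.example/shop">Shop</a></p>',
    102: '<p>News<br><div style="left:-9999px"><a href="http://spam.invalid/k">kw</a></div></p>',
    103: '<p>See <a href="https://partner.invalid/">our partner</a></p>',
}

if __name__ == "__main__":
    print(audit_posts(SAMPLE_POSTS))
```

Links flagged with `hidden=True` deserve attention first; visible off-site links such as the one in post 103 may be legitimate and simply missing from the allowlist.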