Clever SEO Spam Injection
(Dec 17, 2018)
Sucuri researchers have reported their findings on an interesting piece of malware that threat actors have been observed using to inject Search Engine Optimization (SEO) spam into WordPress websites. The researchers observed that 173 websites had been compromised with SEO spam injections. Their analysis found the websites' "theme's functions.php file loading content from the WordPress's wp_options table" and also discovered that the malicious code loads a "theme_css" option, which is abnormal for CSS loading in a WordPress theme. The malicious code found on the affected sites was observed to be capable of adding concealed links for search engine indexing, as well as capturing specific requests to the affected site and redirecting website visitors to spam content.
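A triage check for the indicator described above, as an added example that is not code from Sucuri or from the original report: it lists every `get_option()` call in each theme's functions.php and flags option names on a watchlist. The watchlist contains only the "theme_css" name given in the summary; the sample PHP and the function names `scan_source` and `scan_themes` are constructed for illustration.

```python
import re
from pathlib import Path

# Option names to flag. "theme_css" is the one named in the report summary;
# extend the set with names from your own investigation.
WATCHLIST = {"theme_css"}

# Matches get_option('name') or get_option("name"), allowing whitespace.
GET_OPTION = re.compile(r"""\bget_option\s*\(\s*(['"])([^'"]+)\1""")


def scan_source(php_source, watchlist=WATCHLIST):
    """Return (line_number, option_name, flagged) for each get_option() call."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in GET_OPTION.finditer(line):
            name = match.group(2)
            hits.append((lineno, name, name in watchlist))
    return hits


def scan_themes(themes_dir, watchlist=WATCHLIST):
    """Scan <themes_dir>/<theme>/functions.php files; return flagged hits only."""
    flagged = []
    for path in sorted(Path(themes_dir).glob("*/functions.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, name, bad in scan_source(text, watchlist):
            if bad:
                flagged.append((str(path), lineno, name))
    return flagged


# Constructed sample input (assumption: not the malicious code from the report).
SAMPLE = """<?php
add_action('wp_head', 'demo_head');
function demo_head() {
    $title = get_option( 'blogname' );
    $extra = get_option("theme_css");
}
"""

if __name__ == "__main__":
    for lineno, name, bad in scan_source(SAMPLE):
        print(f"line {lineno}: get_option({name!r}) {'FLAGGED' if bad else 'ok'}")
```

A hit is a lead for manual review of the file and the matching wp_options row, not proof of compromise, and a clean result does not rule out other injection points.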
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.