Attackers also poison the victim’s keywords and SERP ranking.

There is a new cybercrime gang at work these days. Their modus operandi: take over vulnerable WordPress sites to install hidden e-commerce stores and wreak other havoc. The malefactors appear to be doing this to hijack the original site’s search engine ranking and reputation and promote online scams.

Larry Cashdollar, a security researcher for the Akamai security team, discovered these attacks earlier this month targeting a WordPress honeypot he had set up.

In a blog post this week, Cashdollar said the malware’s primary role was to act as a proxy and redirect all incoming traffic to a remote command-and-control (C&C) server managed by the hackers. It was on this server where the entire “business logic” of the attacks took place.

The attackers leveraged brute-force attacks to gain access to the site’s admin account, says Cashdollar. Then they overwrote the WordPress site’s main index file and appended malicious code.

According to Cashdollar, a typical attack would go as follows:

  1. User visits hacked WordPress site.
  2. The hacked WordPress site redirects the user’s request to view the site to the malware’s C&C server.
  3. If a user meets certain criteria, the C&C server tells the site to reply with an HTML file containing an online store peddling a wide variety of mundane objects.
  4. The hacked site responds to the user’s request with a scammy online store instead of the original site the user wanted to view.

Intruders also poison the victim site’s XML sitemap

The Akamai researchers also found the hackers had generated new XML sitemaps for the hacked WordPress sites. These contained entries for the fake online stores together with the site’s authentic pages.

The attackers generated the sitemaps, submitted them to Google’s search engine, and then deleted the sitemap to avoid detection.

Hackers could use this kind of malware for SEO extortion schemes, according to Cashdollar. Criminal groups could intentionally poison a site’s search engine results page (SERP) ranking and then ask for a ransom to repair the damage done.

“Given that there are hundreds of thousands of abandoned WordPress installations online, and millions more with outdated plug-ins or weak credentials, the potential victim pool is massive,” he said.