Hackers have launched an SEO campaign in which around 15,000 websites are redirecting visitors to fake Q&A discussion forums.
Sucuri, which first spotted the attacks, said that each compromised site contains around 20,000 files that contribute to the overall campaign, and that most of the affected sites run WordPress. According to the researchers, the hackers' main goal is to generate enough indexed pages to expand the audience of the Q&A sites and push them to the top of search engine results. The campaign also aims to repurpose these sites for malware or phishing.
In an alternate scenario, an ads.txt file appears on the compromised sites. Sucuri stated that the hackers modify the site's WordPress PHP files to insert the redirect to the Q&A sites. In rare cases, the hackers drop their own PHP files onto a site using random file names. These files contain malicious code that checks whether the visitor is logged in to WordPress; if not, the visitor is redirected to the URL https://ois.is/images/logo-6.png.
Browsers do not receive an image from this URL; instead, JavaScript is loaded that takes the user to a promoted Q&A site. If a Google search click URL is used, it will likely improve the performance metrics of the URLs in the Google index, making the sites look popular and raising their ranking in the search results.
By sparing logged-in users and anyone using wp-login.php, the script avoids redirecting the site's administrator, which would otherwise raise suspicion and lead to the compromised site being cleaned up. The fake PNG image file uses the JavaScript window.location.href property to send the Google search redirection result to one of the targeted domains.
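As an added example (not code from the article or from Sucuri), the following Python scanner walks a WordPress install and flags the indicators the article names: the promoted PNG URL, a JavaScript window.location.href redirect, a PHP Location header, and the presence of an ads.txt file. The file name x9k2.php, the sample file contents and the generic redirect patterns are constructed for the demonstration; only the ois.is URL comes from the article.

```python
import os, re, tempfile
# URL quoted in the article; the other two patterns are generic redirect
# constructs worth reviewing, not signatures published by Sucuri.
REDIRECT_URL = "ois.is/images/logo-6.png"
PATTERNS = {
    "redirect-url": re.compile(re.escape(REDIRECT_URL)),
    "js-redirect": re.compile(r"window\.location\.href\s*="),
    "header-redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
}

def scan_file(path):
    """Return the names of the indicators found in one file."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        data = fh.read()
    return [name for name, rx in PATTERNS.items() if rx.search(data)]

def scan_tree(root):
    """Walk a WordPress install and return {relative_path: [indicators]}; .php
    files are pattern-scanned and every ads.txt is reported for admin review."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == "ads.txt":
                findings[rel] = ["ads-txt-present"]
            elif name.endswith(".php"):
                hits = scan_file(full)
                if hits:
                    findings[rel] = hits
    return findings

def demo():
    """Scan a constructed sample tree (fake files, not a real compromise)."""
    root = tempfile.mkdtemp()
    samples = {
        # Constructed injected file with a random-looking name: it redirects
        # visitors who are not logged in, as the article describes.
        "wp-includes/x9k2.php": "<?php if (!is_user_logged_in()) { header("
        "'Location: https://" + REDIRECT_URL + "'); exit; }",
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
        "ads.txt": "example.com, 123, DIRECT\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run `scan_tree("/path/to/wordpress")` on a real install and review every hit by hand; an ads.txt you created yourself is expected and harmless.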
Most of the websites hide their servers behind Cloudflare, so Sucuri could not learn anything about who is running the campaign. The sites appear to have been created by automated tools and may belong to the same hacker.
There is no information available on how the hackers breached the websites, but likely vectors are exploiting a vulnerable plugin or brute-forcing the WordPress admin password. To avoid this problem, site owners should upgrade the CMS and its plugins to the latest versions and enable two-factor authentication on admin accounts.