A new ad fraud campaign impacted thousands of WordPress sites

February 28, 2023

Over 10,800 WordPress sites have been infected by a malware campaign involving malicious domains hiding behind URL shorteners. Researchers explained that this new campaign aims to commit ad fraud, in which the malicious operators artificially inflate a site’s traffic to raise its ranking and gain profit through Google’s AdSense.

Based on an analysis, the ad fraud campaign began last year in September. The campaign involved redirecting site visitors to compromised WordPress pages with fake Q&A portals. As more and more visitors land on these pages, their ranking on search engine results rises, allowing the malicious actors to gain more profit.

The ad fraud operators are trying to trick Google into acknowledging that the website visits come from real people.

Because the site visitors arrive from different IP addresses, Google would likely acknowledge them as real people visiting the malicious website. Subsequently, Google will increase these pages’ ranking in search results, letting the operators earn money through AdSense from pages that perform well.

In this campaign, the fraudulent operators have also used Bing search result links, Twitter’s and Google’s link shortener services, and other popular URL shortening tools to keep the real destination link from being shown upfront to people.

Some of the landing pages observed in this campaign were focused on blockchain and cryptocurrency subjects.

Security experts describe this ad fraud campaign as one of the most common and active cybercriminal operations online. Redirecting people to malicious websites hidden behind shortened URLs leads to an uptick in site visits and generous revenue for the actors that operate them.

There are currently no precise details on how the thousands of WordPress sites were infected. However, researchers have identified that the breached websites are injected with backdoor PHP code, which enables remote access by the malicious operators and allows site visitor redirects.
