A surge of backdoor infections on numerous WordPress websites has recently been discovered, most of them on the GoDaddy Managed Hosting Service. GoDaddy, a domain registrar and web hosting provider, hosts many of the WordPress websites that were hit with identical backdoor payloads.
Researchers first observed and disclosed the malicious activity in the early weeks of March, finding that about 300 websites per day were being infected with the backdoor. Experts were further alarmed to discover that about 281 of the infected websites were hosted by GoDaddy.
The backdoor infections affected websites on numerous web hosting platforms, such as MediaTemple, Domain Factory, 123Reg, and tsoHost, as well as on the GoDaddy domain registrar itself.
The backdoor used by the threat actors in this WordPress-targeting campaign dates back to a 2015 payload. It is a Google search SEO-poisoning toolset injected into wp-config[.]php; it fetches spam URL templates from the threat actors' command-and-control server and uses them to push malicious pages into search engine results.
Experts have not yet identified the initial infection vector. However, they believe the backdoor's operator used a supply chain attack to infiltrate and compromise the WordPress websites.
The researchers indicated that the backdoor serves predominantly pharmaceutical spam templates to WordPress site visitors in place of the site's genuine products or content. These spam templates are designed to lure visitors into buying phony products, and visitors who take the bait can lose their payment details and their money.
Researchers said these attacks are hard to pinpoint and block from the user's side, because the malicious content is produced on the compromised web server rather than by the search engine, so local internet security tools see no malicious activity.
Threat actors constantly find new ways to exploit websites for their illegal campaigns. Administrators and owners of WordPress websites, including those hosted with the GoDaddy domain registrar, should scan wp-config[.]php to check whether a backdoor is already present.
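One way to perform that wp-config.php check, as an added example that is not code from the article or from any of the hosting providers named: the script below applies a set of general PHP obfuscation indicators (eval, decode chains, remote fetches, long encoded blobs) and flags any executable code that appears after the `require_once ABSPATH . 'wp-settings.php';` line, which in a stock wp-config.php is the final statement. The indicator list and the two sample configs are assumptions constructed for the example; the article publishes no indicators of compromise, so nothing here should be read as a signature for this specific backdoor.

```python
"""Heuristic scan of a WordPress wp-config.php for signs of an injected backdoor.

Added example, not code from the original article or from any hosting provider.
The indicator patterns are generic PHP obfuscation constructs (assumed, not
taken from the article); a hit is a reason to inspect the file, not proof.
"""
import re
import sys
from typing import Dict, List

# Constructs that have no business in a normal wp-config.php.
SUSPICIOUS_PATTERNS = {
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "decode_chain": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(curl_init|file_get_contents|fopen)\s*\(\s*['\"]https?://", re.I),
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "hex_escaped_string": re.compile(r"(\\x[0-9a-fA-F]{2}){6,}"),
}

# In a stock wp-config.php this require is the last PHP statement; any code
# after it (other than whitespace or a closing tag) deserves a look.
SETTINGS_REQUIRE = re.compile(
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;"
)


def scan_wp_config(source: str) -> List[Dict[str, object]]:
    """Return findings as {'line': n, 'rule': name, 'snippet': text}, sorted by line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule, "snippet": line.strip()[:80]})

    matches = list(SETTINGS_REQUIRE.finditer(source))
    if matches:
        end = matches[-1].end()
        tail = source[end:]
        tail_code = tail.strip()
        if tail_code and tail_code != "?>":
            # Line number of the first non-whitespace character after the require.
            offset = end + (len(tail) - len(tail.lstrip()))
            findings.append({
                "line": source.count("\n", 0, offset) + 1,
                "rule": "code_after_wp_settings",
                "snippet": tail_code.splitlines()[0][:80],
            })
    return sorted(findings, key=lambda f: (f["line"], f["rule"]))


# Constructed sample configs (placeholder values, not real credentials).
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'placeholder-not-a-real-secret' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed tampered copy: an obfuscated line appended after the final require.
# The encoded string is filler, not a real payload.
INFECTED_CONFIG = CLEAN_CONFIG + "@eval(base64_decode('Y29uc3RydWN0ZWQtc2FtcGxlLW9ubHk='));\n"


if __name__ == "__main__":
    # Usage: python scan_wp_config.py /path/to/wp-config.php  (or no args for the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = INFECTED_CONFIG
    for finding in scan_wp_config(text):
        print(f"line {finding['line']:>4}  {finding['rule']:<24} {finding['snippet']}")
```

A clean file yields no findings; the tampered sample is flagged three times on its last line (eval call, decode chain, and code after the wp-settings require). Pair this heuristic pass with a comparison against a known-good copy of the file, since a backdoor need not use any of these constructs.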