SPAM Hack Targets WordPress Core Install Directories

Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like “Google Pharmacy” stores or other fake stores?

We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used to hide fake stores and spam doorways. In every case, the attacker is leveraging one of the core install directories – wp-includes.

[Image: google-pharma]

Abusing WP-INCLUDES with SPAM

By default, every WordPress installation comes with 3 main directories: /wp-content, /wp-admin and /wp-includes. Generally, /wp-includes is reserved for generic code and is the heart of WordPress where all major core files are stored. It’s a folder that doesn’t need to be remotely accessed and should not contain any externally accessible or executable HTML or PHP files.

Unfortunately, that is not what we’re seeing. Thousands of WordPress sites seem to have been hacked, and in each case SPAM has been injected into their core directory wp-includes. We have found it’s not specific to pharmaceuticals either; it includes things like “payday” spam, “cheap bags”, “cheap watches” and many other forms of SPAM content.

This type of spam injection has 3 main characteristics:

  1. The SPAM pages are hidden inside a random directory inside wp-includes (e.g., /wp-includes/finance/paydayloan or /wp-includes/werty/)
  2. The spam is conditional and often based on the referrer
  3. We’ve noticed that, in almost every instance, the websites are running outdated WordPress installs or cPanel – this is obviously conjecture

Here is a small list of 100 hacked WordPress websites with SPAM injected into their wp-includes directories. All of them are publicly accessible and can be found with some Google searches:


This is a very small sample. A quick search on Google using inurl:/wp-includes viagra levitra cialis reveals more than 13,000 pages. As you rotate out the SPAM keywords that number increases dramatically. You quickly start painting a pretty dire picture as you run more scans:

[Image: WordPress Wp-includes SPAM]

If you find yourself with similar symptoms, we recommend replacing your core install or seeking professional help.

If you are a do-it-yourselfer (DIY’er), be sure to manually replace the core install. Don’t just select Update in your administrator panel: doing so won’t remove the injected files, and while it may address the issue on the surface, it won’t get to the bottom of it.
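One way to do that integrity check before (or after) replacing the core install, as an added example that is not Sucuri’s or WordPress’s code: the audit below walks wp-admin/ and wp-includes/ and compares every file with a manifest of known-good MD5s shaped like the public WordPress core checksums API, so any file the manifest does not list (a dropped /wp-includes/finance/paydayloan/ doorway) and any core file whose hash has changed are both reported. The demo builds a constructed install in a temporary directory with constructed hashes; fetching the real manifest for your WordPress version is left to the reader so the block runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories the post says should never gain stray HTML/PHP files.
CORE_DIRS = ("wp-admin", "wp-includes")

def md5_of(path):
    """Hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_core(root, manifest):
    """Walk wp-admin/ and wp-includes/ under root and compare each file with
    a known-good manifest shaped like the WordPress core checksums API,
    {"checksums": {"wp-includes/version.php": "<md5>", ...}}.
    Returns (unknown, modified): files absent from the manifest (dropped
    doorways) and core files whose hash no longer matches (injected code)."""
    checksums = manifest["checksums"]
    unknown, modified = [], []
    for core_dir in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                expected = checksums.get(rel)
                if expected is None:
                    unknown.append(rel)
                elif md5_of(full) != expected:
                    modified.append(rel)
    return sorted(unknown), sorted(modified)

def demo():
    """Constructed install: one clean core file, one tampered core file and
    one dropped spam doorway mirroring the /wp-includes/finance/ pattern."""
    clean = b"<?php\n$wp_version = '0.0-demo';\n"  # constructed, not real WP
    manifest = {"checksums": {
        "wp-includes/version.php": hashlib.md5(clean).hexdigest(),
        "wp-includes/load.php": hashlib.md5(clean).hexdigest(),
    }}
    with tempfile.TemporaryDirectory() as root:
        inc = Path(root, "wp-includes")
        Path(inc, "finance", "paydayloan").mkdir(parents=True)
        Path(inc, "version.php").write_bytes(clean)
        Path(inc, "load.php").write_bytes(clean + b"// appended by attacker (constructed)\n")
        Path(inc, "finance", "paydayloan", "payday-loans.html").write_bytes(
            b"<html>constructed spam doorway</html>\n")
        return audit_core(root, manifest)

if __name__ == "__main__":
    unknown, modified = demo()
    print("unknown files:", unknown)         # ['wp-includes/finance/paydayloan/payday-loans.html']
    print("modified core files:", modified)  # ['wp-includes/load.php']
```

Point audit_core at a real document root with the checksums JSON for the installed version and any .html or unexpected .php under wp-includes shows up in the unknown list, while a backdoored core file shows up as modified.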

Conditional Redirections

The term Conditional should not be new to most of our readers, but if you’re new we recommend diving into our older posts to better understand how it works. A good place to start is our most recent post on redirects that were occurring only on mobile devices and targeting Porn websites.

If you click on any of these URLs, you will see doorways for different types of spam. Some are just like the Google Pharmacy screenshot above, and some are genuinely complex fake stores. However, if you arrive from a Google search (referrer = google.com), they redirect you to the final SPAM destination.

And what is the final spam destination? These are the ones we have been able to isolate to date:

http://www.greboxs.com/
http://www.mkbagsesale.com/
http://www.shoebuy.com
http://www.top-online-pills.com/

We don’t know if they are really malicious or being used by affiliate spam, but they appear to be the final destination for all these spam pages.

How are these WordPress sites getting hacked?

While we don’t have definitive proof, as we do not have control of these environments, each instance we have analyzed shows one common denominator – out of date software. We cannot stress enough the importance of patching your software via upgrades, and if you can’t, be sure to leverage tools that allow you to operate safely on the web with your out of date software. The last thing any website owner wants is to find out later that their brand and system resources have been used for nefarious acts.

Not Just Pills or Payday Loans, It’s Essay SEO SPAM!

Remember back in school or college when you had to write pages and pages of long essays, but had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay them to write these essays for them.

[Image: Essay SEO SPAM]

The problem is that this is not only wrong, but it’s also becoming a competitive market where some companies are leveraging SEO SPAM to gain better rankings on search engines (e.g., Google, Bing). They are also using popular sites like bleacherreport.com and joomlacode.org to add their spam links.

Here are a couple of example URLs from sites that got hit (the URLs are still showing SPAM):

Another Fake WordPress Plugin – And Yet Another SPAM Infection!

We clean hundreds and thousands of infected websites, and a lot of the cleanups can be considered somewhat “routine”. If you follow our blog, you often hear us say we’ve seen “this” numerous times, we’ve cleaned “that” numerous times.

In most cases when dealing with infected websites, we know where to look and what to remove; generally, with a quick look we can determine what’s going on. Despite our experience and passion for cleaning up hacked websites, there are always surprises lurking and waiting for us, almost every day.

Some of the most interesting routine cases we deal with are often websites with SPAM. The SPAM is in the database, or the whole block of SPAM code is stored in some obscure file. We also deal with cases where the SPAM is loaded within the theme or template header, footer, index, etc. Sometimes these SPAM infections are conditional (e.g., they only appear once per IP), sometimes not.

More often than not, however, these infections are not too difficult to identify and remove. In the case we’re writing about in this post, we were able not only to remove the malware but also to take a look at what’s going on behind the curtain.

The Story of Clip:rect – A Black Hat SEO Trick

We regularly write about Black Hat SEO hacks here. Such hacks help hackers monetize their access to compromised sites by incorporating them into massive schemes that try to manipulate search engine results for queries that potential clients may be interested in. Think of gray areas like: payday loans, pharmaceuticals, counterfeit drugs and luxury goods.

As you know, search ranking is all about the number and quality of inbound links to your site. To promote a web page, spammers need to place links to it on as many sites as possible. This is why injecting spammy links into hacked sites is an important step for most Black Hat SEO schemes.

You can’t simply add links to someone else’s pages and expect that the site owner will tolerate it, so hackers make such links invisible to normal site visitors and visible to search engine bots.

There are many tricks that can be used to hide links. It can be sophisticated server-side cloaking (detecting search bots by IP/UA and injecting the SPAM on the fly), or a simple HTML trick like setting styles to display:none. In this post, we’ll talk about something in the middle, a trick that involves deceptive JavaScript and creative use of CSS.


Blackhat SEO and ASP Sites

It’s all too easy to scream and holler at PHP based websites and the various malware variants associated with the technology, but perhaps we’re a bit too biased.

Here is a quick post on an ASP variant. Thought we’d give you Microsoft types some love too.

Today we found this nice BlackHat SEO attack:

[Image: Sucuri SiteCheck ASP Malware]

HideMeBetter – SPAM injection Variant

Compromised sites being injected with SPAM SEO is something we deal with very often. A few months ago we wrote about a wave of SPAM injections known as HideMe.

However, the bad guys are always getting more and more “creative”, and they’ve developed a better version of that SPAM, called “HideMeBetter”. Yes, that’s their own naming scheme.

Sucuri CloudProxy WAF – Fake Bots Explained

One of the most common questions we have been getting since launching our CloudProxy WAF is regarding bot activity and why it appears that we are blocking Google and/or Bing bots. Inside the CloudProxy dashboard we provide a full audit log of any request that gets denied access, and when a client sees something like the following in their logs they tend to get concerned:

[13/May/2013:09:20:29 +0000] 80.72.37.156 "IP Address not authorized" "POST /wp-login.php HTTP/1.1" 403 "" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

In this specific instance they are concerned that we are blocking Bing because of this reference: bingbot/2.0; +http://www.bing.com/bingbot.htm. They are especially concerned when it says Googlebot, like this one:

[13/May/2013:18:27:14 -0400] 198.50.161.234 "Spam comment blocked" "POST /blog/wp-comments-post.php HTTP/1.0" 403 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Nobody wants to block Google out of their sites.

Cyber Criminals Take Advantage of Recent Boston Attack with SPAM

It pains me to write about this at all, but as despicable as this might appear, cyber criminals have started to take advantage of those that have been affected by the recent tragedy in Boston – which pretty much means everyone with a pulse.

Trend Micro is reporting:

Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013” to name a few.

Sophos NakedSecurity is also reporting similar upticks:

Messages spammed out by attackers claim to contain a link to video footage of Monday’s terrorist activity in Boston, with subject lines such as “2 Explosions at Boston Marathon”… If you make the mistake of clicking on the link, however, you are taken to a website which – while showing you genuine YouTube videos of the horrific incident – attempts to infect your computer with a Windows Trojan horse that Sophos products detect as Troj/Tepfer-Q.

Unfortunately this is not specific to email; it appears to be bleeding into all mediums, including Facebook and Twitter. Aside from it being highly disturbing, all we can do is spread the word so that friends and families are not affected while emotionally distraught.

I plead with you: if you want to contribute and/or are interested in what is going on, avoid clicking on social media and email links and go directly to known media outlets. Also, please don’t donate to random organizations; stick with known, reputable organizations that you can verify.

WordPress Malicious Plugin – WPPPM – Abusing 404 Redirects with SEO Poisoning

Bruno Borges, of our security team, came across an interesting case this week, in which a WordPress plugin was abusing the 404 rewrite rules and redirecting all traffic to SPAM pages advertising a variety of things, the most common being:

FACTUAL STUDY: HYDROXYCITRIC ACID IN GARCINIA CAMBOGIA BURNS FAT.

The way it works is interesting: by default, most would never realize they are even infected. The plugin is designed only to redirect incoming traffic that accidentally goes to a page that doesn’t exist. In most cases this would generate what we know as a 404 page, or state something like “Sorry, this page doesn’t exist”, etc. Well, in this case, you’d be greeted with something like the following:

When Good Plugins Go Bad – SEO Spam on Joomla Websites

We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use their big audience and inject spam on all the sites using the plugin.

If you read the post, you will see how they went about injecting those “pay day loan” SPAM links to paydaypam.co.uk. What’s even scarier is that in one day the number of backlinks to paydaypam.co.uk increased from 0 to almost 450k, according to ahrefs.com:

[Image: Loan Spam]

This gives you an idea of how big a targeted SEO Spam attack can be.
