• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Massive 1800ForBail WordPress Hacks

Massive 1800ForBail WordPress Hacks

June 28, 2019Denis Sinegubko

FacebookTwitterSubscribe

Sucuri malware analyst Kaushal Bhavsar recently brought our attention to a massive campaign responsible for adding either “1800ForBail” or “1800ForBail – One+Number” keywords to the titles of vulnerable WordPress sites.

1800ForBail in Search Results

Google currently returns 158,000 results for the [intitle:1800ForBail] query.

Google Search Results for 1800ForBail
158,000 Google search results for [intitle:1800ForBail]
Of course, this count includes internal pages on compromised websites.

At the same time, PublicWWW.com returns 692 results for “1800ForBail”, where one result per domain is typically listed.

Google’s cache shows that the majority of sites were hacked after June 12th, 2019.

Blogname and Siteurl Attacks

HTML page analysis of these hacked sites reveal a common picture — bad actors change the standard WordPress setting “blogname” used to generate web page titles.

This attack is very similar to so-called “siteurl attacks” we’ve been regularly seeing since last year. In this campaign, hackers massively exploit vulnerabilities in various plugins to change URLs of static resources, including JavaScript files, resulting in malicious code being loaded instead of legitimate scripts.

Old unpatched versions in a number of plugins and themes are currently known to be exploited: WordPress GDPR Compliance, TagDiv themes, Freemius Library (and all plugins that use it), Convert Plus, etc.

These “siteurl attacks” are a part of a massive campaign which actively exploit all newly discovered vulnerabilities in WordPress. They use the same domain names as the rest of the script injections. And it’s quite natural on sites with the “1800ForBail” title, that we often find altered siteurl options— their HTML markup features familiar malicious domains and looks like this:

<meta property="og:title" content="Home - 1800ForBail" />

<meta property="og:url" content="hxxps://deliverygoodstrategy[.]com/destiny?tt=2&#038;/" />

<meta property="og:site_name" content="1800ForBail" />

Phonewords in Black Hat SEO

These seem to be two separate attacks. One of them (siteurl/home) redirects visitors to scam sites (tech support and push notification scams), while the other changes blog titles — a black hat SEO technique used to gain more visibility for the brand of the “bail service”.

This approach is similar to what we’ve seen in the Korean spam campaign, where hackers flooded search results with links to certain Korean sites without actually linking them. This tricks Google to index any “Not Found” search result pages mentioning respective domain names and relevant keywords on unhacked WordPress sites.

In the Korean spam campaign, this approach worked because the domain names were very short and people could manually type the domains into the browsers’ address bar.

In the case of this new “1800ForBail” campaign, bad actors leverage two distinct features: a simple domain name matching the injected keyword — which makes it effortless for users to manually enter it into their browsers — as well as a toll-free number using the mnemonic phoneword “ForBail”.

Conclusion

Hackers constantly find new ways to exploit vulnerabilities in website software. This new “blogname attack” doesn’t break the sites, making it harder to notice the hack if you don’t pay attention to the titles of the open browser tabs. These spam keywords are very prominent in search results, which affects the reputation of the website.

To mitigate the damage to a hacked website, site owners should change the “Blog title” setting from their WordPress admin interface (or the “blogname” option in the wp_options table) and update all themes and plugins to prevent reinfection. If the site was also affected by the “siteurl attack, you might need to revert other modified site settings”.

If you don’t have the time or expertise to deal with this problem, you can check out our malware removal service and employ a web application firewall.

FacebookTwitterSubscribe

Categories: WordPress SecurityTags: Balada Injector, Black Hat Tactics, Hacked Websites, WordPress Plugins and Themes

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.