15 May, 2018

Malicious SEO Spam Making a Comeback

While malicious SEO Spam malware infections were starting to drop, recent activity indicates that they are on the climb again. Let's look at this threat, why it is serious, and how you can be better protected.
Malicious SEO Spam is WordPress site malware that can damage a site's relationship with leading search engines. The injected threat can take over a website, serving out modified pages and in some cases entire new sites under your domain. While malicious SEO Spam malware infections were starting to drop, recent activity indicates that they are on the climb again. Let's look at this threat, why it is dangerous, and how you can be better protected.
What is SEO Spam Malware?
The primary goal of SEO Spam is to convince search engines that an infected site contains content that it actually doesn't. By doing so, spammers hope to get their content in prominent positions in search engine results. They accomplish this by injecting SPAM on websites.

At its heart, the actions of SEO Spam malware are not unlike other methods of SEO optimizations that otherwise legitimate sites may employ. Such things as keyword stuffing, link spamming, and others all serve to give prominence to web content in a search engine result.
How Does SEO Spam Work?
SEO Spam is placing malicious code on a server that can modify web pages as needed. The hack varies in the sophistication of the methods used, but a simple example might be the use of a script to attach links to the footer of an infected site.

More advanced versions of the hack will create a new page to the site in question, serving out its content of choice to any search bot that comes along. In a few extreme cases, installations were discovered that created entirely new sites to do the hacker's bidding. These new sites were located as a subdomain of the actual site, making it appear legitimate to the search engine crawl.
Despite the extensive and varying changes, the hack can create on a website; it can be hard to detect. One of the more common ways SEO Spam hides its tracks is to serve out modified content only to search engine crawlers.

By using this technique, regular traffic to an infected site sees only the original content. Site owners can update and maintain their website at will and remain blissfully unaware that search engines are seeing a completely different site during their crawl. WordPress SPAM can be successfully hidden from everyone but the search engine.
Hackers use the core files of a WordPress site to install the malicious code. Sometimes the /wp-includes/load.php file is used in its distribution. At other times they will exploit vulnerabilities found in an outdated plugin or theme.

One of the tried and true methods of spreading SEO Spam is via access to a site through a weak admin password. Bots are created that will scan the web for susceptible WordPress websites, where they will attempt a quick access routine before moving on to the next potential victim.
If your site allows access, SEO Spam malware will be installed. From that point on, your site will be under their control and be used for any number of purposes, from participating in DDOS attacks to serving up custom content to search engines.
SEO SPAM Campaign Targeting WordPress Sites
At the time this post was created, there were more than 1000 websites infected with the obfuscated variant of SEO SPAM infection that was in the wild last year:
Here is how the obfuscated malware code looks like:
Once decrypted a well-known infection will be seen:
If you can see this code, then your site is currently infected and keeps on redirecting your site visitors to other malicious sites. Malware has been injected not only into your site files but also in your database, and your site also contains a backdoor.

Hackers are using tricks to hide such malware by disguising the file extension to make it appear safe. Here the infection is loaded as an image file (.png) which contains the actual code injected into your site, in our case it is called rcc.png.

When you open it in Notepad++ you can see the above-mentioned content:
The backdoor is also obfuscated and the filename being used is a legitimate WordPress file. In this example, the infected bookmark.php is in wp-includes and wp-admin/includes directories at the base directory of the WordPress installation:
Once deobfuscated it appears to be the standard Filesman backdoor malware:
Infection Statistics
The number of infected sites continues to flourish. There are over 58,000 sites with Malicious SEO/Spam content. On average, about ten percent of sites surveyed were either potentially suspicious or suspicious and malicious. Of these, it is estimated that 1,000+ were directly infected with SEO Spam malware. This is up from a previous drop in total active installations.
How to Detect SEO Spam Malware
Since the site will appear unaffected in typical use, it can be difficult to detect an infection. One of the handy tools for identifying SEO spam is Google Webmasters (Search Console) and Google Analytics. A quick scan of incoming search referrals can indicate that there is a problem.

The key indication of infection will be searches coming to your site that has nothing to do with your site's content. For example, if you have a site about recipes and you see a lot of inbound search traffic using terms related to shopping, you may have a problem.
SEO spam is often focused on eCommerce promotion, so suddenly seeing a lot of search terms for cheap products or brand name knockoffs is a pretty good indication of an issue. Pharmaceutical affiliate promotion is also becoming popular with SEO spam.

In many cases, Google will discover that a site has been infected well before the owner does. If this happens, your visitors may get a security warning from their web browsers that your site has become compromised. The worst way to discover that your site is infected is by finding out from your visitors.
Mechanically, SEO spam may create new directories under the site's directory structure. These directories are used to serve out the content as needed, and can even be used for other malicious activities. New uses for SEO spam controlled sites are constantly being discovered.
How to Protect Your Site from SEO Spam Malware
As SEO spam malware continues to evolve with its return, protecting a site from it can become difficult. The latest versions have its code heavily obfuscated to avoid detection from most malware scanners.

There are many things a WordPress site owner can do to protect themselves from this threat and others. Every account that has the capability of modifying the site should have strong passwords that are well protected. Even the best password is only as good as the protection it receives.
Many times the gateway for SEO spam Malware is an older plugin or theme that has a vulnerability. By keeping components of the website, such as plugins, themes, and WordPress versions, up to date, these threats can be minimized or eliminated.

Plugins and add-ons can do some wonderful things for a WordPress site. In response, many website owners are often quick to install new ones on advice found in forums and groups. But installing unknown software on a site opens it up to potential threats. Only use known sources for website components, and then just use those that you think you really need.

Backups can definitely save a website in case of problems, and they are highly recommended. But in some cases, the infection can be part of the backup. Keep in mind that a backup is a snapshot of the current website state, not a guaranteed clean copy of your site.

One of the best ways to protect yourself from SEO spam malware is with a malware scanner that is designed to detect this threat. Our ThreatSign Website Antimalware has this capability and is updated with the latest variants. We specialize in security monitoring for websites and obfuscation detection.
The importance of monitoring a WordPress website can't be overstated. Both internal and external malware monitoring should be part of a protection plan. Internal scanning takes place on the server itself and examines both file structure and site behavior. If a threat is detected, internal monitoring can take corrective action to remove blacklisting from websites. It can also issue alerts and other warnings to site owners and admins.

External malware monitoring runs on the client side and works to scan the website from its public-facing components. While not as powerful as the internal version, external monitoring has the advantage in that it can work on any kind of site since it doesn't require installation on the server itself.
Another very important aspect of external monitoring is that it isn't impacted by an infection on the site. While the installed malicious code may be able to compromise some less advanced monitoring solutions, the external version remains out of reach. Therefore, both internal and external monitoring should be part of a good website assessment solution.

Malicious SEO Spam is making a comeback, and it's proving to be the problem that just won't go away. The distribution is driven by the fact that it is an effective means of accomplishing search engine goals, so we should expect the threat to become even more advanced. Check us out to see how our experts can help with malware removal from websites and help keep you safe when it comes to malicious SEO Spam.