A web spam campaign that targets Koreans is creating problems for site administrators all around the world. Hackers are compromising vulnerable Korean-language WordPress websites, but are also polluting search engine results for non-hacked sites globally.
Researchers at Sucuri initially uncovered a web spam doorway generator injected into a compromised website, “with all the typical features, including: fetching spammy content from a third-party server, caching it on a compromised server, and serving different versions of web pages to search engine bots and human visitors,” explained Denis Sinegubko, senior malware researcher at Sucuri, in a posting on Friday.
In examining the code further, the team found that the campaign is looking to drive traffic to spammy websites with three main themes: Call girls for travelers, online gambling and “off-white merchandise,” which is a clothes-shopping theme. Each theme uses hundreds of specific keywords (in Korean) to attract visitors, such as “call girl,” “motel travel massage” and “beautiful sister in business trip” for the first theme, and “overseas casino site,” “casino jackpot” or “casino roulette strategy” for the gambling sites.
The campaign targets Korean users only, the researcher explained. “The doorway script specifically checks that visitors originate from a Korean version of search engines (with .kr TLD) and have Korean as their default browser language,” Sinegubko said. “Only these specific visitors are redirected. The configuration array also has a long list of Korean cities and regions used to generate ‘localized’ doorways for each of them.”
However, the impact of the activity extends much further, thanks to a unique approach to spamming search engines.
The researcher explained that hackers are using lists found in the code’s configuration files of hundreds of uncompromised WordPress sites to inject links of these sites into the doorway web pages they generate.
“The links point to these random WordPress sites’ search results pages for keywords relevant to the spam campaign,” he said. “Their search queries don’t return any results because the sites are not hacked and they don’t contain any of the content related to the Korean keywords. As it turns out, this is exactly what the attackers were trying to achieve.”
That’s because, although the result page says that “nothing was found”, it contains the full search query with the relevant spam keywords, along with the domain name of the site the attackers want to promote.
“Since this result page is linked to from the doorway, search engine bots find it and index it,” Sinegubko said. “This results in millions of search results for relevant keywords which mention the domain names promoted by this campaign. This adds an impressive amount of search visibility for the promoted domains.”
The technique is effective for creating ill-gotten SEO traction, but it has an ancillary trouble for webmasters with unhacked sites that have been linked to by the campaign.
“Search engine results pages on major search engines are being polluted with hundreds – or even thousands – of outright spammy entries, which may affect their reputation,” according to the researcher. “It is not always an easy task to remove those pages out of Google’s index.”
While WordPress is the target for this particular campaign, the attack is not WordPress-specific, he added: Any site with a search engine that returns “nothing found for <query>” pages can be similarly attacked.
Webmasters can address the issue by adding “the <meta name=”robots” content=”noindex”> tag to the search result pages, according to Sinegubko – or, they can disallow indexing by using the robots.txt file. The feature is available via various WordPress plugins.
Webmasters should also regularly check for suspicious content indexed by search engines on their sites by looking at Google Search Console reports for indexed pages and search queries, as well as similar tools for other search engines.
Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.
