The malicious black hat redirect malware campaign has now grown larger and more insidious, infecting over 10,800 websites with over 70 bogus domains, mimicking URL shorteners.
The main objective of this malware is to artificially increase traffic to pages that contain Google Ads, generating revenue from AdSense ID, which is used for ad fraud.
The fraudulent campaign, active since September last year, is designed to redirect visitors to fake Q&A portals that look like the real thing.
This helps in increasing the authority of spammy sites in search engine results. Using Bing, Twitter’s link shortener service, and Google in their redirects, these threat actors have expanded their reach.
They also utilize URL domains that appear like popular shortening tools like Bitly, Cuttly, or ShortURL but direct visitors to sketchy Q&A sites. The redirects end up on Q&A sites discussing blockchain and cryptocurrency, hosted on DDoS-Guard, a Russian internet infrastructure provider that provides bulletproof hosting services.
The unwanted redirects via fake short URLs inflate ad views/clicks and provide inflated revenue for those behind the campaign, making it one of the largest ongoing campaigns of organized advertising revenue fraud.
It is still unknown how WordPress sites become infected in the first place, but once infected, the threat actor injects backdoor PHP code, allowing for persistent remote access, and redirects site visitors. The environment remains infected until all traces of the malware are dealt with.
