Anatomy of a Blackhat SEO spam campaign (with a twist)

  • September 28, 2016

Legitimate websites are hacked and recruited into a spam network

During a periodic analysis of Cato Cloud traffic in the Cato Research Lab, we noticed that our security analytics engine was triggered by a request to a code sharing service, Pastebin. The request was originated from a preschool website in Singapore (Figure 1).

Pastebin is a popular service for code storing and sharing. A “paste” within a Pastebin account refers to a piece of code that can be dynamically fetched and placed within a specific context, for example, a web page. While the service is used for legitimate purposes, it can also be used to enable web-based, malicious activities.

pasted-image-at-2016_09_28-02_44-pm
Figure 1 – Website screen shot

Analyzing the source code of the website led to a script tag, which was the source of the suspicious request. After analyzing other parts of the code, we noticed a few hidden links, which referred to shoe sales websites. Clearly, with no relation to the preschool website. (Figure 2).

picture2
Figure 2 – Suspicious code snippet

The links are placed in a hidden part of the page overlapping one of the header, so anyone who clicks the header is unknowingly referred to one of those websites. This is a well-known technique called, “clickjacking”, which is used for various malicious purposes, such as collecting forced likes on a Facebook page.

Peaking our interest, we viewed the link in Pastebin. We can see that it contains a piece of Javascript that is executed every time a web browser hits on an infected page, downloading another Javascript code that is hosted on the attacker’s server. This allows the attacker to use Pastebin, a legitimate service, as a gateway to malicious code (Figure 3). The paste had more than 500K views since it was posted and the views increased at a rate of 10K during the time of the investigation (Figure 4).

Interestingly, at this point in time the script refers to a HTML page and not Javascript code. The referred HTML contains several scripts intended to create the device fingerprint for users accessing the site. This technique is often used to support user ad-targeting, without the use of cookies that are disabled or not allowed in various regions.

picture3
Figure 3 – Malicious paste containing Javascript

When we dug a bit more on the specific Pastebin account, we saw additional pastes that indicate the malicious intentions of this actor.

picture4
Figure 4 – More than 500K hits on this paste

The following figure shows one of the pastes containing a PHP backdoor (Figure 5). A backdoor is a piece of code that is planted in a site and gives an attacker the ability to control the web server of the hacked site. This simple, yet effective, backdoor executes PHP code that the attacker can send using HTTP POST requests.

picture5
Figure 5 – PHP backdoor paste

The spam network in action

We discovered thousands of infected pages, all hosted on legitimate websites, containing links to the same spam retail network of sites. Each spam page contains a script that redirects users to a retail website operated by the spammers. The redirection occurs only if the user was referred to this page from a major search engine: Google, Bing, Yahoo or AOL (Figures 6,7). This is a common blackhat SEO method used to falsely increase a page’s ranks.

The script is hosted on several subdomains inlcuding “google.jj4.co” and ”gogle.jj4.co,” and the script name also varies.

picture16
Figure 6 – the script injection
picture17
Figure 7 – contents of injected script

At the time of publication we could not validate if purchased goods are actually delivered. Obviously, anyone who uses such techniques to acquire traffic is not a trustworthy merchant.

How the initial site takeover occurs

A search for the C&C domain in the paste from Figure 3 led us to the script that was used to attack the sites. The script is designed to exploit cross-site-scripting (XSS) vulnerabilities in WordPress in order to take over the site, and plant the URL references to products and shops we have seen earlier.

First, the attack scripts appends a simple PHP backdoor to one of the installed WordPress plugins – the exact PHP code that appears in one of the attacker’s pastes. Later, the script reports the domain and path of the hacked plugin.

Figure 6 – Attack script showing C&C URL
Figure 7 – Attack script

Lastly, the script attempts to add a user with administrative privileges to WordPress (Figure 8).

Figure 8 – Attack script

Summary

The use of Pastebin in the context of the spam network is important here, because the attacker can quickly replace the command and control (C&C) server domain in the paste, and have it impact all infected sites. This is needed when C&C servers get blacklisted and there is a need to quickly change them. Obviously, it is hard for Pastebin to detect and stop these activities. While this may be nothing more than an eCommerce scam, the same method can be used to deliver malware through exploit kits that can put end users at a much higher risk. The volume of activity around the Paste indicates hundreds of thousands of users could be impacted.

To prevent your website from being taken over by such attacks, consider regularly patching your WordPress instances and WordPress plugins, and limiting admin access to specific IP address, such as your corporate network external IP.

Read about top security websites

Ronen Atias

Ronen Atias

Ronen Atias is a security researcher at Cato Networks. He is one of the top team members from the Cato Research Labs. Also, a non-practicing biologist, a MacGyver fan and an expert in all things web. Hacking the planet since ZX81.

More Posts

Ronen Atias

Author: Ronen Atias

Ronen Atias is a security researcher at Cato Networks. He is one of the top team members from the Cato Research Labs. Also, a non-practicing biologist, a MacGyver fan and an expert in all things web. Hacking the planet since ZX81.