
Massive AdSense Fraud Campaign Uncovered – 10,000+ WordPress Sites Infected

Feb 14, 2023 | Ravie Lakshmanan | Ad Fraud / Online Security

The threat actors behind the black hat redirect malware campaign
have scaled up their campaign to use more than 70 bogus domains
mimicking URL shorteners and infected over 10,800 websites.

“The main objective is still ad fraud by artificially increasing
traffic to pages which contain the AdSense ID which contain Google
ads for revenue generation,” Sucuri researcher Ben Martin said[1]
in a report published last week.

Details of the malicious activity were first exposed[2]
by the GoDaddy-owned company in November 2022.

The campaign, which is said to have been active since September
last year, redirects visitors of compromised WordPress sites to
fake Q&A portals. The goal, it appears, is to increase the
authority of spammy sites in search engine results.

“It’s possible that these bad actors are simply trying to
convince Google that real people from different IPs using different
browsers are clicking on their search results,” Sucuri noted at the
time. “This technique artificially sends Google signals that those
pages are performing well in search.”

What makes the latest campaign significant is the use of Bing
search result links and Twitter’s link shortener (t[.]co) service,
along with Google, in their redirects, indicating an expansion of
the threat actor’s footprint.

Also put to use are pseudo-short URL domains that masquerade as
popular URL shortening tools like Bitly, Cuttly, or ShortURL but in
reality direct visitors to sketchy Q&A sites.

Sucuri said the redirects landed on Q&A sites discussing
blockchain and cryptocurrency, with the URL domains now hosted on
DDoS-Guard[3], a Russian internet
infrastructure provider which has come under the scanner for
providing bulletproof hosting services.

“Unwanted redirects via fake short URL to fake Q&A sites
result in inflated ad views/clicks and therefore inflated revenue
for whomever is behind this campaign,” Martin explained. “It is one
very large and ongoing campaign of organized advertising revenue
fraud.”

It’s not known precisely how the WordPress sites become infected
in the first place. But once a website is breached, the threat
actor injects backdoor PHP code that provides persistent remote
access and redirects site visitors.

“Since the additional malware injection is lodged within the
wp-blog-header.php file[4]
it will execute whenever the website is loaded and reinfect the
website,” Martin said. “This ensures that the environment remains
infected until all traces of the malware are dealt with.”

References

  1. said (blog.sucuri.net)
  2. first exposed (thehackernews.com)
  3. DDoS-Guard (thehackernews.com)
  4. wp-blog-header.php file (github.com)
  5. Twitter (twitter.com)
  6. LinkedIn (www.linkedin.com)