Thousands of Websites Infected to Redirect Users in Google Ads View-Pumping Scam

by janrinok from SoylentNews on (#68YBN)

upstart writes:

WordPress sites infected to redirect visitors to crypto Q&A spam:

Security researchers at Sucuri have spent the last few months tracking malware that diverts users to fraudulent pages to inflate Google ad impressions. The campaign has infected over 10,000 websites, causing them to redirect visitors to completely different spam sites.

Suspect pages often have Q&A forms mentioning Bitcoin or other blockchain-related subjects. Savvy users might assume these sites are trying to sell Bitcoin or other cryptocurrencies, possibly for a pump-and-dump scheme. That may be the case, but Sucuri theorizes that all of the text is just filler content covering up the scam's actual revenue stream, Google ad views.

A clue suggesting this is that many of the URLs involved appear in a browser's address bar as if the user clicked on Google search results leading to the sites in question. The ruse could be an attempt to disguise the redirects as clicks from search results in Google's backend, potentially inflating search impressions for ad revenue. However, it is unclear if this trick works because Google doesn't register any search result clicks matching the disguised redirects.

Sucuri first noticed the malware in September, but the campaign intensified after the security group's first report in November. In 2023 alone, researchers tracked over 2,600 infected sites redirecting visitors to over 70 new fraudulent domains.

The scammers initially hid their real IP addresses using Cloudflare, but the service booted them after the November story. They have since migrated to DDoS-Guard, a similar but controversial Russian service.

The campaign mainly targets WordPress sites, suggesting existing zero-day WordPress vulnerabilities. Moreover, the malicious code can hide through obfuscation. It can also temporarily deactivate when administrators log in. Site operators should secure their admin panels through two-factor authentication and ensure their sites' software is up-to-date.
