New attack campaign targets vulnerable WordPress sites to alter their titles

• The campaign was found responsible for adding “1800ForBail” or “1800ForBail – One+Number” keywords to titles of hundreds of WordPress sites.
• It was reported that the attackers in the campaign exploited vulnerabilities in WordPress plugins to load malicious code from the targeted sites.

Recently, a new attack campaign responsible for adding phony keywords in the titles of vulnerable WordPress sites was discovered. The attackers added “1800ForBail” or “1800ForBail – One+Number” in the titles of the compromised sites. Most of the sites targeted in this campaign were compromised after June 12, 2019. The threat actors behind the campaign changed the “blogname” setting in WordPress to modify the titles.

This campaign was discovered by Kaushal Bhavsar, a malware analyst for Sucuri.

Worth noting

• As per the researcher's analysis, a Google search for “1800ForBail” query garnered over 158,000 results. Google’s cache indicated that most of these sites were compromised after June 12, 2019.
• It was reported that the attackers widely exploited vulnerabilities in various WordPress plugins that would allow them to load malicious code on targeted sites.
• Old versions of plugins such as WordPress GDPR Compliance, TagDiv themes, Freemius Library, and Convert Plus, among others, are known to be exploited.
• It is also believed that the “1800ForBail” campaign is part of a large-scale campaign, that aims at exploiting newly found flaws in WordPress.

Two separate attacks in tandem

Sucuri observed that the campaign had two active attacks in the making. “These seem to be two separate attacks. One of them (siteurl/home) redirects visitors to scam sites (tech support and push notification scams), while the other changes blog titles — a black hat SEO technique used to gain more visibility for the brand of the ‘bail service’,” read the blog by the security firm.

As for mitigations, WordPress site owners affected in this campaign are advised to update all their plugins and themes as well as change the “blogname” option to prevent them from being reinfected.