Report Reveals Large-Scale AdSense Fraud Campaign: Over 10,000 WordPress Sites Infected

In a recent report, cybersecurity firm Sucuri has exposed a massive ad fraud campaign that involves over 10,800 WordPress sites. The black hat redirect malware campaign, which is said to have been active since September 2021, uses more than 70 bogus domains to mimic URL shorteners. The main aim of the campaign is to artificially increase traffic to pages that contain Google ads for revenue generation.

The malware campaign redirects visitors of compromised WordPress sites to fake Q&A portals, potentially increasing the authority of spammy sites in search engine results. The threat actors also use Bing search result links and Twitter's link shortener (t[.]co) service, along with Google, in their redirects. Pseudo-short URL domains that masquerade as popular URL shortening tools like Bitly, Cuttly, or ShortURL direct visitors to sketchy Q&A sites. The redirects land on Q&A sites discussing blockchain and cryptocurrency.

Sucuri noted that the campaign results in inflated ad views/clicks and, therefore, excessive revenue for whoever is behind it. It's still unclear precisely how the WordPress sites become infected. However, once a site is breached, the threat actor injects backdoor PHP code that allows for persistent remote access and redirects site visitors.

Sucuri researcher Ben Martin said the campaign is "one very large and ongoing campaign of organized advertising revenue fraud." As the malware injection is lodged within the wp-blog-header.php file, it executes whenever the website is loaded, which ensures that the environment remains infected until all traces of the malware are dealt with.
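Because the injection sits in a core file, comparing that file against a clean copy shows exactly what was added. The following is an added example, not code from Sucuri's report or from WordPress: the function names, the `clean`/`site` directory layout and the sample file contents (including the `INJECTED-PLACEHOLDER` line) are constructed for illustration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

# Files to audit; the report names wp-blog-header.php as the injection point.
CORE_FILES = ("wp-blog-header.php", "index.php")

def changed_lines(live: Path, clean: Path) -> list:
    """Return +/- diff lines where the live file departs from the clean copy."""
    if hashlib.sha256(live.read_bytes()).digest() == hashlib.sha256(clean.read_bytes()).digest():
        return []
    a = clean.read_text(errors="replace").splitlines()
    b = live.read_text(errors="replace").splitlines()
    diff = list(difflib.unified_diff(a, b, lineterm="", n=0))[2:]  # drop ---/+++ headers
    return [l for l in diff if not l.startswith("@@")] or ["<byte-level difference only>"]

def audit(site_root, clean_root, files=CORE_FILES) -> dict:
    """Map each tampered or missing core file to the lines that changed."""
    findings = {}
    for name in files:
        live, clean = Path(site_root) / name, Path(clean_root) / name
        if not live.is_file():
            findings[name] = ["<missing from site>"]
        elif delta := changed_lines(live, clean):
            findings[name] = delta
    return findings

def build_constructed_sample(base: Path):
    """Write a constructed clean tree and a constructed tampered site under base."""
    stock = "<?php\nrequire_once __DIR__ . '/wp-load.php';\nwp();\n"  # stand-in, not the real file
    index = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    # Placeholder line standing in for injected code; not real malware.
    injected = stock.replace("<?php\n", "<?php\n/* INJECTED-PLACEHOLDER */\n", 1)
    for root, header in (("clean", stock), ("site", injected)):
        (base / root).mkdir()
        (base / root / "wp-blog-header.php").write_text(header)
        (base / root / "index.php").write_text(index)
    return base / "site", base / "clean"

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_constructed_sample(Path(tmp))
        return audit(site, clean)

if __name__ == "__main__":
    for name, delta in run_demo().items():
        print(name, *delta, sep="\n  ")
```

On a real site the reference tree is assumed to be an unpacked official release of the same WordPress version as the install being audited.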

The use of Bing search result links and Twitter's link shortener in their redirects indicates an expansion of the threat actor's footprint. The URL domains are now hosted on DDoS-Guard, a Russian internet infrastructure provider that has come under scrutiny for providing bulletproof hosting services.

This ad fraud campaign is a reminder to website owners to remain vigilant about the security of their sites and to keep their software up to date to prevent such attacks.
