Casino Spam Hidden Malicious WordPress Code, Manipulating Search Engine Algorithms

Published on November 15, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A WordPress website was found to be hosting a cleverly disguised spam doorway aimed at manipulating search engine algorithms without affecting actual visitors. This incident sheds light on an emerging trend where attackers use subtle yet sophisticated SEO poisoning tactics.

The latest report from Sucuri says the victim's site was manipulated to host spam pages with casino-related links, originating from Indonesia. The malware was concealed using a simple "include" statement within the WordPress theme, referencing a malicious file positioned above the webroot. 

This strategic placement allowed the malware to evade standard detection protocols, presenting significant challenges in identifying and removing the threat.

Casino Spam pages | Source: Sucuri

Such doorways are a form of blackhat SEO, redirecting search engine traffic to spam sites to boost their ranking. Remarkably, this particular malware targeted only bots and crawlers, meaning it operated under the radar, unseen by human visitors. 

This approach not only enhances the effectiveness of the spam but also complicates detection efforts, as human users are less likely to report unseen spam.

Spam Website | Source: Sucuri

By maintaining the victim's domain name, the affected website inadvertently appeared to host a legitimate casino site, with hardcoded links directing traffic to spam domains. The tactic helps maintain the malware's presence while avoiding the scrutiny of human users.

Upon investigation, it was confirmed that core WordPress files remained unaltered. The culprit was identified within the functions.php file of the theme, recently modified to include a seemingly innocuous statement. This minor addition was pivotal in executing the spam doorway operation.

The malware executes by defining a bot function that checks for known bot names within the User-Agent header. If a bot is detected, the script pulls malicious content from a Pastebin, effectively diverting bots to spam pages.

By staying on top of software updates, regularly changing WordPress admin passwords, installing a web application firewall, and limiting access to the WordPress dashboard, you can safeguard your site from these harmful strategies. 

Recently, Sucuri security researchers observed a very difficult-to-eliminate malware campaign affecting WordPress websites by deploying a stealthy backdoor, while more than 6,000 WordPress websites were compromised in October by malicious plugin campaigns that pushed infostealers.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: