Casino Spam Hidden Malicious WordPress Code, Manipulating Search Engine Algorithms

• Attackers compromised WordPress websites via subtle SEO poisoning tactics.
• The website hosted spam pages with casino-related links, while the malware targeted only bots and crawlers.
• Hiding the malware in an "include" statement within the WordPress theme helped evade standard detection protocols.

A WordPress website was found to be hosting a cleverly disguised spam doorway aimed at manipulating search engine algorithms without affecting actual visitors. This incident sheds light on an emerging trend where attackers use subtle yet sophisticated SEO poisoning tactics.

The latest report from Sucuri says the victim's site was manipulated to host spam pages with casino-related links, originating from Indonesia. The malware was concealed using a simple "include" statement within the WordPress theme, referencing a malicious file positioned above the webroot. 

This strategic placement allowed the malware to evade standard detection protocols, presenting significant challenges in identifying and removing the threat.

Such doorways are a form of blackhat SEO, redirecting search engine traffic to spam sites to boost their ranking. Remarkably, this particular malware targeted only bots and crawlers, meaning it operated under the radar, unseen by human visitors. 

This approach not only enhances the effectiveness of the spam but also complicates detection efforts, as human users are less likely to report unseen spam.

By maintaining the victim's domain name, the affected website inadvertently appeared to host a legitimate casino site, with hardcoded links directing traffic to spam domains. The tactic helps maintain the malware's presence while avoiding the scrutiny of human users.

Upon investigation, it was confirmed that core WordPress files remained unaltered. The culprit was identified within the functions.php file of the theme, recently modified to include a seemingly innocuous statement. This minor addition was pivotal in executing the spam doorway operation.

The malware executes by defining a bot function that checks for known bot names within the User-Agent header. If a bot is detected, the script pulls malicious content from a Pastebin, effectively diverting bots to spam pages.

By staying on top of software updates, regularly changing WordPress admin passwords, installing a web application firewall, and limiting access to the WordPress dashboard, you can safeguard your site from these harmful strategies. 

Recently, Sucuri security researchers observed a very difficult-to-eliminate malware campaign affecting WordPress websites by deploying a stealthy backdoor, while more than 6,000 WordPress websites were compromised in October by malicious plugin campaigns that pushed infostealers.