Home > Security > Security News

Fake ‘Security WordPress’ Plugin Injects Casino Spam, Improving SEO of Attacker’s Website

Published on February 27, 2025
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Attackers used fake plugins to insert casino spam, compromising website functionality and search engine rankings. This attack bypasses integrity checks and remains hidden from unsuspecting website admins by mimicking legitimate plugins in the WordPress directory.  

The latest reported incident involves spam links related to online gambling being injected into the footer of a WordPress site. 

These links are pulled from a malicious URL—“jsscript[.]top”—via encoded scripts contained in the fake plugin named “Security WordPress,” as detailed by Sucuri.

Output Received After Using the PHP Decoder, UnPHP.
Output Received After Using the PHP Decoder, UnPHP | Source: Sucuri

Masquerading as a seemingly harmless plugin, the malicious software avoids detection by using techniques like obfuscation and single-file execution. This ensures that even thorough integrity checks within WordPress fail to detect the malware.

JSON File Output with Spam Links.
JSON File Output with Casino-Themed Spam Links | Source: Sucuri

The attack begins with an XOR decryption function that reveals an encoded URL. From there, the plugin uses cURL functions to retrieve external JSON data containing a list of spammy links. 

The malware then decodes, shuffles, and inserts these links into the website footer for both visitors and search engine crawlers to find.  

Such actions appear to serve three primary purposes for attackers – Black Hat SEO, traffic redirection, and paid link schemes.

The attacker's domains improve their search rankings by creating backlinks from legitimate websites. Users clicking these links are redirected to potentially harmful websites, and attackers may profit from selling these placements to unscrupulous entities. 

Another Sucuri report said a compromised WordPress site was manipulated to host spam pages with casino-related links. The malware was concealed using a simple "include" statement within the WordPress theme, referencing a malicious file positioned above the webroot.


Add a Comment
Related
ChatGPT-4o Flooded with User Images to Generate Studio Ghibli Style Portraits Raising Security Concerns
ransomware actor
Medusa Extorts Construction Service Provider O’Shea Builders Demanding $350,000 in Ransom
Walmart Owned Sam’s Club Investigates Clop’s Ransomware Claim
BreachForums Vendor Puts GitHub Usernames and Emails on Sale on the Dark Web
A hacker trying to do phishing attack
Phishing Campaigns Target Anti-Kremlin Informants, Russian Citizens, and Ukraine Sympathizers
Whatsapp Privacy Issue
EU Court Adviser Sides with WhatsApp in Privacy Watchdog Dispute Over 2021 Penalty
Most Popular
ChatGPT-4o Flooded with User Images to Generate Studio Ghibli Style Portraits Raising Security Concerns
Warfare
Warfare (2025) Movie: All we know About Alex Garland & Ray Mendoza’s Intense Iraq War Drama
Doctor Who Season 2
Complete Guide for Ncuti Gatwa’s Doctor Who Season 2: Latest Trailer, new Companion, Episode Titles, & more
ransomware actor
Medusa Extorts Construction Service Provider O’Shea Builders Demanding $350,000 in Ransom
The Life List
The Life List Ending Explained: What is the Secret that was kept from Alex?
Walmart Owned Sam’s Club Investigates Clop’s Ransomware Claim
ChatGPT-4o Flooded with User Images to Generate Studio Ghibli Style Portraits Raising Security Concerns
Warfare (2025) Movie: All we know About Alex Garland & Ray Mendoza’s Intense Iraq War Drama
Complete Guide for Ncuti Gatwa’s Doctor Who Season 2: Latest Trailer, new Companion, Episode Titles, & more
Medusa Extorts Construction Service Provider O’Shea Builders Demanding $350,000 in Ransom
The Life List Ending Explained: What is the Secret that was kept from Alex?
Walmart Owned Sam’s Club Investigates Clop’s Ransomware Claim

Most Popular
ChatGPT-4o Flooded with User Images to Generate Studio Ghibli Style Portraits Raising Security Concerns
Warfare
Warfare (2025) Movie: All we know About Alex Garland & Ray Mendoza’s Intense Iraq War Drama
Doctor Who Season 2
Complete Guide for Ncuti Gatwa’s Doctor Who Season 2: Latest Trailer, new Companion, Episode Titles, & more
ransomware actor
Medusa Extorts Construction Service Provider O’Shea Builders Demanding $350,000 in Ransom
The Life List
The Life List Ending Explained: What is the Secret that was kept from Alex?
Walmart Owned Sam’s Club Investigates Clop’s Ransomware Claim
ChatGPT-4o Flooded with User Images to Generate Studio Ghibli Style Portraits Raising Security Concerns
Warfare (2025) Movie: All we know About Alex Garland & Ray Mendoza’s Intense Iraq War Drama
Complete Guide for Ncuti Gatwa’s Doctor Who Season 2: Latest Trailer, new Companion, Episode Titles, & more
Medusa Extorts Construction Service Provider O’Shea Builders Demanding $350,000 in Ransom
The Life List Ending Explained: What is the Secret that was kept from Alex?
Walmart Owned Sam’s Club Investigates Clop’s Ransomware Claim

© 2025 TechNadu, a part of Leaprove Media LLP. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: