Fake WordPress Plugin Impacts SEO

Malicious admin users are often added to vulnerable WordPress sites. This can happen in a variety of ways, and sometimes the malware that creates these users hides in plain sight. Review this blog piece to read more about a fake WordPress admin creator.

Injecting malware via a fake WordPress plugin has been a common attacker tactic for some time. This method is often used to evade detection: plugins are not part of the core files of a WordPress site, which makes integrity checks more difficult. Attackers often hide the malicious plugin from the WordPress dashboard as well, which can make it harder to track down. Additionally, attackers give the fake plugin an innocent-sounding name so that its directory is easily overlooked.

Casino SEO Spam

Spam impacting SEO is quite common and comes in a variety of forms. Some spam targets sites to promote casinos, pharmaceuticals, and more. This tactic is nothing new and has been going on for some time. What makes this particular sample of malware stand out is the innocent naming convention of the spam and the placement of the malware. The attackers who crafted this malware used the following techniques:

  • Created a fake plugin to hide among legitimate plugins in the wp-content/plugins folder
  • Gave the plugin an innocent-looking name, security-wordpress, to avoid detection
  • Encoded sections of the code to make it more difficult to track
  • Used an innocent-looking domain to contain multiple spam links

Attackers come up with new techniques daily to avoid detection for as long as possible and keep their malware active. This particular piece of code is a prime example of the ever-evolving landscape of malicious content, specifically SEO-related spam.
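
The techniques listed above suggest a file-system audit that does not rely on the dashboard. The following Python is an added example, not code from the original article or from Sucuri: it compares the directories under wp-content/plugins against an inventory kept outside WordPress and flags PHP files that contain common decoder calls or long encoded literals. The inventory, the `contact-form` plugin name, the marker list, and the sample tree are assumptions constructed for illustration; only `security-wordpress` comes from the article.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers of encoded PHP sections (assumption: the article does not
# say which encoding the sample used).
DECODERS = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")
LONG_BLOB = re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]")

def audit_plugins(plugins_dir, expected):
    """Return {plugin_dir_name: [reasons]} for plugins that need a manual look."""
    findings = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        reasons = []
        # Diff the disk against an inventory kept outside WordPress, because
        # a hidden plugin will not show up in the dashboard list.
        if entry.name not in expected:
            reasons.append("not in inventory")
        for php in sorted(entry.rglob("*.php")):
            data = php.read_bytes()
            if DECODERS.search(data) or LONG_BLOB.search(data):
                reasons.append(f"encoded section in {php.relative_to(entry)}")
        if reasons:
            findings[entry.name] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample data: one expected plugin, one unexpected directory."""
    good = Path(root) / "contact-form"  # hypothetical legitimate plugin
    bad = Path(root) / "security-wordpress"
    good.mkdir()
    bad.mkdir()
    (good / "contact-form.php").write_text("<?php\n/* Plugin Name: Contact Form */\n")
    # Harmless stand-in for an encoded section: decodes to the word "example".
    (bad / "index.php").write_text("<?php\n$s = base64_decode('ZXhhbXBsZQ==');\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_plugins(build_sample_tree(tmp), {"contact-form"})
        for name, reasons in report.items():
            print(name, "->", "; ".join(reasons))
```

Legitimate plugins also call these decoder functions, so a flagged file is a prompt for manual review rather than proof of compromise.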

Would you like to read more? Visit the article at the Sucuri Blog.

https://blog.sucuri.net/2025/02/fake-wordpress-plugin-impacts-seoby-injecting-casino-spam.html