When it comes to digital advertising, businesses must be aware of potentially damaging practices and malicious entities who might damage their online reputation instead of helping it. Often, these deleterious methods and individuals will use something called “black hat” SEO, or search engine optimization techniques that aggressively use unapproved tactics to impact a website’s search engine ranking. But while black hat SEO is often nothing more than keyword stuffing or the use of invisible text, it occasionally emerges in more serious forms: for example, Dutch researchers recently reported that they had discovered a group of attackers who tricked websites into downloading components that gave the group remote control of the compromised site.
In a detailed report, researchers at Fox-IT, a cyber-security firm in the Netherlands, describe how they discovered the malware, which they call CryptoPHP: while investigating a client’s website, their team found a compromised plug-in that appeared to be from an approved publisher, Joomla Service Provider. However, the researchers quickly realized that the plug-in had instead come from a third-party website called “nulledstylez.com.” The client had used the site to download pirated website themes and plug-ins, called “nulled” scripts, which can be used on WordPress, Joomla and Drupal. After some investigation, Fox-IT realized that every component on the site contained the same backdoor. Moreover, further research revealed that this wasn’t the only website offering themes, plug-ins and extensions that secretly contained the malware: the website “dailynulled.com” and several others published similar content that was also backdoored with CryptoPHP.
According to the researchers, CryptoPHP has the capacity to update itself, inject content into compromised sites, and perform several other functions. It carries several hardcoded domains that it uses for command-and-control (C2) communications, and it uses RSA encryption to protect its communications with the C2 servers. Some versions even have a backup component that allows the malware to communicate over email if the C2 domains are taken down. But while this might sound like something out of a technology-filled action movie, Fox-IT says that the malware seems intended to conduct black hat SEO operations: the compromised servers are injected with links and text that connect to the black hat sites, which a search engine interprets as backlinks. This increases the rank of the sites controlled by the attackers or their customers, making them look legitimate.
This case is only the most recent reason website publishers should avoid downloading unfamiliar or possibly untrustworthy elements to their websites. This is especially true when it comes to design components and plug-ins: not only could the scripts potentially damage your website and search engine ranking, but they will also never equal the results of a professional web design. For these reasons, SEO experts typically recommend that businesses hire non-black hat SEO services to help promote their websites.
“This is true since Google changed its algorithm last October,” says Matthew Cook, SalesHub. “If you are using any black hat SEO tactics, knowingly or otherwise, Google will punish those links and ultimately hurt your website presence. We saw a dramatic decline in website traffic of our competitors as a result of this update and many of them never recovered. This software could save the online reputation of companies using it and potentially hundreds of thousands of dollars from customers they never would have acquired.”
Fox-IT believes that the malware attack may date as far back as September 2013. Currently, they have traced the attack to an IP address in Moldova, but the C2 servers are apparently located in the Netherlands, Germany, Poland and the United States. Thousands of plug-ins have reportedly been backdoored.
Even more frighteningly, the malware appears to have been updated multiple times without being noticed: Fox-IT says the first version, 0.1, seems to have gone live on September 25, 2013, but the attackers are currently using CryptoPHP 1.0a, which was released on November 12, 2014. The research team says it cannot determine the exact number of websites that have been affected, but estimates the number to be at least a few thousand.