Pirate themes and plugins for websites running on WordPress, Drupal and Joomla contain a nasty bit of malware that supports the attackers' Search Engine Optimization efforts, CRN reports.
The malware in question is CryptoPHP - a script that allows remote attackers to execute code on web servers, and to have full control of the site. Rather than making itself obvious however, the malware is predominantly used for Black Hat Search Engine Optimization. PC World states that these underhand hand SEO tactics involve "injecting rogue keywords and pages into compromised sites to hijack their search engine rankings and push malicious content higher up in search results." In this instance, the sites involved were casino and gambling websites.
The Dutch government's National Cyber Security Center worked with researchers, allowing them to take control of CryptoPHP command and control domains, which they directed to their own servers to gather some statistics, and the numbers involved are surprisingly high, with 23,693 unique IP addresses infected.
SC Magazine notes that infected sites were predominantly in the USA (8,657 IP addresses), but Germany (2,877), France (1,231), Holland (1,008) and Turkey (749) also had reasonably high numbers of infected websites.
Connections to the command and control domains have been declining, but with the websites hosting the pirated themes and plugins taken down, PC World reports that the attackers have set up new hosts along with a new version of the backdoor malware - 'possibly in an attempt to evade detection.' SC Magazine speculates that the attackers involved "are probably aware that researchers have caught on and may change their strategy."
Gil C / Shutterstock.com