Avast is warning about a longstanding black hat SEO campaign involving sites running hacked WordPress and Joomla installations.
In this latest campaign, the attackers inject a fake jQuery script into the head section of the websites, so that it goes unnoticed by random visitors (unless they check out the source code and know enough to spot it).
The script loads 10 milliseconds after a visitor lands on a compromised site/page, and it injects links inside its source code. As you probably guessed, the links point to different sites that consequently get a better search ranking (search ranking improves with every new link to the site).
According to researcher Alexej Savčin, fake jQuery injections have been very popular among hackers.
“The number of hacked domains is abnormally high, which is why this kind of attack was and still is very popular on a daily basis,” he noted. “From November 2015 we registered over 4.5 million users who encountered this infection. Malicious code was found in almost 70 million unique files on hacked websites.”
Most of the malicious injection targets are located in the Russian Federation, Brazil, the US, France and Poland.
Savčin does not say how the WordPress- and Joomla-powered websites are compromised in the first place, but exploitation of vulnerabilities in the CMS and plugins, as well as stolen or brute-forced passwords to the installation’s admin panel are the most likely ways in for the attackers.
Owners and/or administrators of sites running on those two CMSes would do well to check whether their sites have been compromised. Changing your password is also a good idea – make it long and complex – and so is checking your computer for malware.
Savčin advises admins to keep clean, up-to-date backups of the sites so they can restore them if they ever get compromised. A good way of minimizing that possibility is to regularly update your CMS and plugins.