AdSense Fraud Campaign: Is your site infected?

Last fall, website security and performance specialists Sucuri reported on a malicious malware campaign targeting thousands of WordPress sites. The threat actors’ goal: to redirect visitors from WordPress pages to fake Q&A websites. And while these sites did not have any valuable or helpful information, they did include Google AdSense advertisements. It seemed to be an effort to inorganically increase website traffic and in turn, ad views, to create revenue.

Sucuri first suspected this activity in September 2022, when their SiteCheck remote scanner detected the operation on 10,890 infected sites. It was first exposed in November 2022 and has already been making rounds this year. Sucuri’s SiteCheck detected over 2,600 sites early February alone.

Concerned about your WordPress site? Read on to learn about Google AdSense, how attackers hack these sites, redirect visitors, and take advantage of AdSense Ads. We’ll also recommend security measures you can set up to protect your website from AdSense Fraud.

So, what exactly is Google AdSense?

Google makes it easy for website publishers to earn money just from their online content. On the marketing side, advertisers create and pay for advertisements to promote their products. A website owner adds available space to their site to host these ads. This is done by pasting code in a site’s layout file, indicating where to put them on the page. Advertisers bid in real time to show in that available ad space. When bidding is over, the highest paying ads then display on the website.

From there, Google takes the reins. AdSense places ads supplied by Google into the site’s available advertisement space. Only related ads targeting a page’s content or audience display on the website. The site publisher can then earn money based on ad impressions or clicks. Not to be confused with ad clicks, ad impressions count for how many times an ad was viewed. The number of times a banner or button is clicked count for ad clicks.

Now that we know about Google’s advertisement program, let’s dig into how attackers access and redirect these sites.

How are cybercriminals hacking into WordPress Sites and redirecting traffic?

The threat actors behind the AdSense Fraud campaign begin by breaching a WordPress website on the backend. If a site publisher is lucky, a hacker might only inject redirect code into web pages of the victim websites. This is what brings visitors to the bogus Q&A sites, instead of their intended destination.

But some affected sites are subjected to something much worse: unrestricted unapproved access. This is done by injecting a backdoor PHP code, a widely used scripting language, into multiple core site files. Once executed, the code downloads shells from a remote domain. These shells are what allow for continuous remote access of some sites. Removal of the infection is necessary to prevent this unauthorized access. Otherwise, a malicious loop exists, re-injecting the malware every time the site loads. But how is that possible? The core files mentioned, which include wp-blog-header.php (the header file) for example, load every time a viewer accesses a page. This means that when the infected website loads, the compromised core files execute the code again (and again). This is what keeps these sites in the claws of cybercriminals.

Regardless of how bad the infection is, the intruder gets their intended result: traffic redirection.

The End Goal: Advertisement Fraud

The fake Q&A websites that viewers unknowingly get redirected to from hacked WordPress pages are of low-quality. The redirected site topic tends to be about cryptocurrency or blockchain, but the information is useless. What is important to note is that they contain advertisements delivered by Google AdSense. These sites wouldn’t necessarily generate organic traffic on their own and that’s where the fake URL redirect comes into play. Redirecting viewers pump traffic to these fake pages, resulting in an increase in ad views, and potentially, clicks. The more impressions and clicks, the more money the website owner earns. If advertisers have the impression that site visitors are seeing their ads, it doesn’t matter where views or clicks come from. This creates inflated profit for whomever is behind the AdSense Fraud campaign.

Google denounces malicious behavior in their AdSense documentation. Their spam policies specifically mention black hat SEO techniques – unethical tactics used to get sites ranked higher in search results. In this campaign’s case, hacking WordPress websites via back doorways with redirects are defined as “injected malicious code that redirects some users to harmful or spammy pages.” If a site’s been hacked, Google encourages filing a search quality user report. They also have a support page on how to fix hacked sites. It is also possible that this is beyond the scope of do-it-yourself troubleshooting and a site owner may need to hire an IT professional to assist in fixing their website.

What can I do to protect my site against this potential threat?

Google AdSense Fraud is one huge and ongoing campaign of organized revenue fraud. There’s a possibility that these cybercriminals may hack into your WordPress site… that is, if they haven’t already. We highly suggest you protect yourself from this potential threat to prevent your page from becoming a statistic. If you haven’t already, take the necessary steps below to protect your website:

• Change your password. Create a strong password that has a mixture of letters, numbers, and symbols with at least 12 characters. Don’t use passwords you’ve used before, common words, sequences, or patterns.
• Update any plugins or software that you have on your WordPress site. Outdated software is vulnerable to cyberattacks. Not sure if your plugins are up to date? Our team can help you determine what needs an update.
• Enable two-factor authentication (2FA) or multi-factor authentication (MFA). Ask us about the MFA solutions we offer – let’s make your environment more secure!
• Put your website behind a firewall. Unsure as to how to implement this? Our team can evaluate your environment and choose the right option for you!

Attackers behind this black hat redirect malware and Google AdSense Fraud campaign have scaled up. If you believe that you have a breached WordPress site or have concerns about your system or network, our team is happy to help. We can assist you with the action items listed above to keep your website and environment protected from cyberattacks.

An even better solution beyond enabling security settings and features? Ask us about our privately-hosted Cloud Desktop solution! Hosted in a secure data center, data stores are in the Cloud and not on a physical device. This makes it extremely difficult for hackers and other unauthorized individuals to access sensitive files, information, and assets. Enhanced security and privacy features are only one of many, but very significant, benefits of a Cloud Desktop. For information on how to secure your data and protect your domain reputation, contact a member of our sales team by calling (949) 522-7709 or email us today.