Is Your WordPress Website Distributing Malware in Google Image Search?


Well, is it? Is your answer – “what the hell are you talking about?”

It turns out that thousands of hacked sites are infecting Google image search results with images redirecting to Fake AV sites. And, unfortunately for you and for me, WordPress sites are a prime target for this kind of attack. A PHP injection into a WordPress site can generate spammy websites, hijack Google Image SERPs and result in your WordPress website tossing unsuspecting Google Image searchers to a FakeAV site.

Depressing, right? Might be time to check your website to see if it’s been hijacked in this way.

The issue was raised by Bojan Zdrnja, an Internet Storm Center researcher, who reported that he had been receiving a lot of emails about people being infected by Google Image search results.

Russian internet security researcher Denis Sinegubko looked into it in even more detail, highlighting the problem in this post on his blog. He says the following:

The attack uses cloaking to feed keyword-rich pages with hot-linked images to search engine bots and return a malicious JavaScript that redirects to fake AV sites to visitors that come from search engines.

How Does it Work?

For all of the nitty-gritty details, check out Denis’ in-depth post. But for you and me, here’s how it works:

1. Stolen FTP credentials are used to upload a malicious PHP file to your website.

2. Spammy web pages are generated on the fly. Because they are keyword-rich, they appear on the first page of Google’s image search and web SERPs.

3. A link farm is created – free blogs are registered that link to the spam pages, which are also interlinked among themselves.

4. A user searches in Google Image search and unknowingly clicks on one of the images, and the exploit happens. You know that page where the image appears as a thumbnail with the web page behind it? Your browser automatically sends a request to the bad page, which runs the attacker’s script, and the browser is redirected to the FakeAV site.
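The discriminator at the heart of the attack is that the same URL answers differently depending on who asks: a search-engine bot gets the keyword page, a visitor arriving from a search engine gets the redirecting script, and everyone else gets the real site. A webmaster can turn that into a check by requesting a page under each of those identities and comparing the responses. The following is an added example, not code from the article or from Denis Sinegubko’s post; the header values, the redirect patterns and the `fake_infected_site` fixture (which mimics the described behaviour with placeholder `.example` hosts) are all assumptions constructed for the demonstration.

```python
import re
import urllib.request
from typing import Callable, Dict

# Three request identities. The header values are assumptions chosen for the
# probe, not taken from the article. "plain" and "from_search" share a
# User-Agent so that only the Referer differs between them.
PROFILES = {
    "plain": {"User-Agent": "Mozilla/5.0"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_search": {
        "User-Agent": "Mozilla/5.0",
        "Referer": "https://www.google.com/imgres?q=example",
    },
}

# Client-side redirect markers: a JavaScript location assignment to another
# origin, or a meta refresh.
REDIRECT_RE = re.compile(
    r"(window\.|top\.|self\.)?location(\.href)?\s*=\s*['\"]https?://", re.I)
META_REFRESH_RE = re.compile(r"<meta[^>]+http-equiv=['\"]?refresh", re.I)

Fetcher = Callable[[str, Dict[str, str]], str]


def urllib_fetch(url: str, headers: Dict[str, str]) -> str:
    """Default fetcher: one GET with the given headers, body decoded as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def _normalise(body: str) -> str:
    """Collapse whitespace so formatting noise is not mistaken for cloaking."""
    return re.sub(r"\s+", " ", body).strip()


def probe_cloaking(url: str, fetch: Fetcher = urllib_fetch) -> dict:
    """Fetch `url` under each profile and compare against the plain visitor."""
    bodies = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    base = _normalise(bodies["plain"])
    differing = [n for n in ("googlebot", "from_search") if _normalise(bodies[n]) != base]
    search_body = bodies["from_search"]
    redirects = bool(REDIRECT_RE.search(search_body) or META_REFRESH_RE.search(search_body))
    return {
        "differing_profiles": differing,
        "cloaked_for_bot": "googlebot" in differing,
        "redirects_search_visitors": redirects,
        "suspicious": "googlebot" in differing or redirects,
    }


# Constructed offline fixture reproducing the behaviour the article describes.
def fake_infected_site(url: str, headers: Dict[str, str]) -> str:
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    if "Googlebot" in ua:  # bots get the keyword page with hot-linked images
        return "<html><body><h1>keyword keyword keyword</h1><img src='http://other.example/pic.jpg'></body></html>"
    if "google." in ref:   # search visitors get the redirect
        return "<html><script>window.location.href='http://fakeav.example/scan';</script></html>"
    return "<html><body>Welcome to my blog</body></html>"


def fake_clean_site(url: str, headers: Dict[str, str]) -> str:
    return "<html><body>Welcome to my blog</body></html>"


if __name__ == "__main__":
    # Against a live site you would pass the real URL and omit `fetch`.
    print(probe_cloaking("http://example.invalid/", fetch=fake_infected_site))
    print(probe_cloaking("http://example.invalid/", fetch=fake_clean_site))
```

Two caveats when running this against a real site: legitimate themes sometimes vary output by User-Agent (mobile layouts), so a bot/visitor difference alone is a prompt to look, not proof; and the injected script may only fire on specific landing pages, so probe the pages that actually show up in image results rather than just the home page.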

What Can We Do?

Of course, part of the responsibility is with Google to ensure that their search results don’t get filled up with spam. But webmasters also need to take responsibility for making sure that their site isn’t hacked – especially if it is propagating malware around the internet. Here is some advice for WordPress users about how to protect your website:

1. Don’t Save Your FTP Password

Your FTP password is not safe sitting around in FileZilla or any number of other FTP programs. In FileZilla, for example, passwords are stored in plain text. This makes them accessible to any malware that is running on your computer. You could try a secure FTP program like WinSCP.

2. Scan Your Website

Regularly check your website with a plugin such as Donncha O’Caoimh’s Exploit Scanner.

3. Scan Your Server

Make sure there are no folders or files on your server that you don’t recognize.
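Checking for unrecognized folders by eye does not scale, and the injected PHP file from step 1 of the attack is usually tucked into a directory that should only hold media, or hidden among core files with an innocent name. Here is an added example of what an automated pass over a WordPress document root can look for; it is not the article’s code and not the Exploit Scanner plugin, and its known-directory list, file patterns and the `build_sample_root` fixture (with made-up file names such as `class-cache.php` and `stats-tmp`) are assumptions constructed for the demonstration. It serves both the “Scan Your Website” and “Scan Your Server” advice above.

```python
import os
import re
import tempfile

# Stock WordPress top-level directories (assumption: an unmodified install;
# extend the set if your host or plugins add legitimate directories).
KNOWN_TOP_LEVEL = {"wp-admin", "wp-content", "wp-includes"}
# Media directories that should never hold executable PHP.
MEDIA_DIRS = ("wp-content/uploads",)
PHP_EXTENSIONS = (".php", ".phtml", ".php5")

# Content markers. These are illustrative and will need tuning; a real
# scanner plugin carries a far larger signature set.
SUSPICIOUS = {
    # eval()/assert() wrapped around a decoding call: the usual injected-payload shape
    "obfuscation": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # Code that branches on a search-engine bot UA or a search-engine Referer,
    # i.e. the cloaking behaviour the article describes
    "cloaking": re.compile(
        r"HTTP_USER_AGENT.{0,200}?(googlebot|bingbot|slurp)|HTTP_REFERER.{0,200}?(google|bing|yahoo)",
        re.I | re.S),
}


def scan_wordpress_root(root: str) -> list:
    """Return (label, relative_path) findings for the install rooted at `root`."""
    findings = []
    for name in sorted(os.listdir(root)):
        if os.path.isdir(os.path.join(root, name)) and name not in KNOWN_TOP_LEVEL:
            findings.append(("unknown-dir", name))
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for fn in files:
            if not fn.lower().endswith(PHP_EXTENSIONS):
                continue
            rel = fn if rel_dir == "." else f"{rel_dir}/{fn}"
            if rel.startswith(MEDIA_DIRS):
                findings.append(("php-in-media-dir", rel))
            try:
                with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for label, rx in SUSPICIOUS.items():
                if rx.search(text):
                    findings.append((label, rel))
    return findings


def build_sample_root() -> str:
    """Constructed fixture: stock layout plus one stray directory and two planted
    files. Every name and file body here is made up for the demonstration."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for d in ("wp-admin", "wp-includes", "wp-content/themes/default",
              "wp-content/uploads/2011/05", "stats-tmp"):
        os.makedirs(os.path.join(root, d))
    samples = {
        "index.php": "<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php');",
        "wp-content/themes/default/functions.php":
            "<?php function demo_setup() { add_theme_support('post-thumbnails'); }",
        # PHP hidden in the uploads tree, body wrapped in eval(base64_decode(...))
        "wp-content/uploads/2011/05/image.jpg.php":
            "<?php eval(base64_decode('aGVsbG8='));",
        # Dropped file that branches on bot UA / search Referer (only the test is shown)
        "wp-includes/class-cache.php":
            "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) { /* keyword page */ }\n"
            "elseif (strpos($_SERVER['HTTP_REFERER'], 'google') !== false) { /* redirect */ }",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # On a real server you would call scan_wordpress_root("/path/to/wordpress").
    for label, path in scan_wordpress_root(build_sample_root()):
        print(f"{label:18} {path}")
```

A finding is a starting point, not a verdict: compare the flagged file against a fresh WordPress download of the same version, and treat any PHP under `wp-content/uploads` as hostile until proven otherwise, since WordPress itself never writes PHP there.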

4. Be Aware of Your Keywords

Use Google Webmaster Tools to check which keywords are being used to find your website. If strange search terms start popping up, you know you might have a problem.

5. Stay Malware Free

Keep your computer malware-free. This will prevent rogue programs from stealing passwords and other information you have stored. There are lots of free programs that will help you do it – try Avira, Spybot and Ad-Aware. You should have a firewall installed – ZoneAlarm and Comodo are popular. If you are infected you can visit a forum like Bleeping Computer, where there are experts on hand to help with malware removal.

6. Stay up-to-date

Keep your computer up-to-date with all of the latest software updates. This means you’ll be covered by any security patches that have been released.

This problem highlights just how important it is for webmasters to use the internet responsibly. If you are concerned about browsing the internet safely, you can use the Firefox add-on NoScript, which will prevent scripts from running in your browser.