Aug 9, 2011 14:58 GMT  ·  By

Thousands of hacked WordPress blogs have been used in a recent black hat search engine optimization (BHSEO) campaign on Google Images that directed victims to scareware.

Denis Sinegubko, the creator of the Unmask Parasites website scanner, has located doorway pages associated with this attack on 4,358 compromised blogs.

Doorway pages are pages that attackers create on hacked websites and fill with content matching the search keywords they are targeting, so that the pages rank for those terms.

In a Google Images BHSEO attack, the doorway pages naturally contain images labelled with the targeted keywords.

Search engine crawlers index these pages, which inherit the reputation and ranking of the compromised blog. When legitimate users click on the corresponding links in search results, however, they are redirected to malicious sites; the crawler never sees the redirect.

"The doorway pages rank quite well for some keywords both in Google Web search and Google Images search (especially when you are searching for exact phrases).

"However, the malicious redirects occur only when you click on Google Images search results, which proves that Google Images poisoning is the main goal of this black-hat SEO campaign," Sinegubko explains.
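The behaviour Sinegubko describes is referrer-conditional cloaking: the injected code on the hacked blog looks at the visitor's Referer (and User-Agent) and only emits a redirect for clicks arriving from a Google Images result page. The block below is an added example, not code from the article or from Unmask Parasites. The first function stands in for the cloaking logic on a doorway page (an assumed model, not the real injected code; the redirect target and page bodies are constructed for the example); the rest is the kind of check a site owner or scanner can run, fetching the same URL as a crawler, a direct visitor, a web-search visitor and an image-search visitor, and flagging an off-site redirect that only some of them receive.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: a hypothetical redirect target and two page bodies.
REDIRECT_TARGET = "http://scareware.example/scan.php"
DOORWAY_HTML = ("<html><body><h1>free desktop wallpaper</h1>"
                "<img src='wallpaper.jpg' alt='free desktop wallpaper'></body></html>")
REDIRECT_HTML = ('<html><head><meta http-equiv="refresh" content="0;url=%s">'
                 '</head></html>' % REDIRECT_TARGET)


def doorway_response(referer, user_agent):
    """Stand-in for the cloaking logic on a hacked blog (assumed, not the real
    injected code): crawlers and direct visitors get the keyword page; only a
    visitor whose Referer is a Google Images result page gets the redirect."""
    if "Googlebot" in user_agent or referer is None:
        return DOORWAY_HTML
    ref = urlparse(referer)
    host = (ref.hostname or "").lower()
    # A Google Images click-through carried a google.* /imgres referer at the time.
    if host.startswith("images.google.") or (
            host.endswith("google.com") and ref.path.startswith("/imgres")):
        return REDIRECT_HTML
    return DOORWAY_HTML


# --- checker side: fetch the same URL as different clients and compare ---------

META_REFRESH = re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(body):
    """Return the URL a page redirects to via meta refresh or a JavaScript
    location assignment, or None if neither is present."""
    for pattern in (META_REFRESH, JS_LOCATION):
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


# Each probe is (Referer, User-Agent); the referers are constructed examples.
PROBES = {
    "googlebot": (None, "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    "direct": (None, "Mozilla/5.0"),
    "web_search": ("http://www.google.com/search?q=free+desktop+wallpaper", "Mozilla/5.0"),
    "image_search": ("http://www.google.com/imgres?imgurl=http://blog.example/wallpaper.jpg",
                     "Mozilla/5.0"),
}


def probe(fetch, page_host):
    """fetch(referer, user_agent) -> body. Returns, per probe, the off-site
    redirect target seen (None if the page stayed on page_host)."""
    results = {}
    for name, (referer, user_agent) in PROBES.items():
        target = redirect_target(fetch(referer, user_agent))
        off_site = target is not None and (urlparse(target).hostname or "") != page_host
        results[name] = target if off_site else None
    return results


def is_cloaked(results):
    """Cloaking: an off-site redirect that appears for some clients but not all."""
    seen = [t for t in results.values() if t]
    return bool(seen) and len(seen) < len(results)


if __name__ == "__main__":
    found = probe(doorway_response, "blog.example")
    for name, target in found.items():
        print("%-13s %s" % (name, target or "(keyword page, no redirect)"))
    print("cloaked:", is_cloaked(found))
```

Against a live site, `fetch` would be an HTTP client that sets the Referer and User-Agent headers and follows no redirects itself; the point of the comparison is that a single fetch from the owner's own browser, with no referer, shows nothing wrong, which is why these infections go unnoticed.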

The researcher hasn't yet been able to determine how the WordPress blogs were hacked because he couldn't find an affected owner willing to cooperate.

However, a likely explanation is that the recent Timthumb vulnerability was exploited to compromise them. Timthumb is an image-resizing script bundled by default with many popular WordPress themes.

A critical vulnerability that allows attackers to obtain PHP shells on web servers was identified in the script last week. A new version of Timthumb has since been released, and WordPress site owners are strongly encouraged to replace the script manually rather than wait for an official update to their theme. Because themes and plugins each ship their own copy, sometimes under a different file name, every copy on the server has to be found and replaced.
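The Timthumb flaw of that week was in how the script decided which remote hosts it would fetch images from. The block below is an added illustration of that class of mistake, not Timthumb's own code: an allow-list tested as a substring of the requested URL, beside a check that parses the URL and compares the host itself, plus a content check on what was fetched. The allow-list, the sample URLs and the sample bodies are constructed for the example.

```python
from urllib.parse import urlparse

# Assumed allow-list for the illustration (not Timthumb's actual configuration).
ALLOWED_SITES = ["flickr.com", "blogger.com", "img.youtube.com"]


def allowed_substring(url):
    """The flawed pattern: the request passes if an allowed name appears
    *anywhere* in the URL string, so the attacker only has to include it."""
    return any(site in url for site in ALLOWED_SITES)


def allowed_host(url):
    """The corrected check: parse the URL, insist on http(s), and compare the
    host itself (or a subdomain of it) against the list."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def is_image(data):
    """Second line of defence: whatever the host check says, refuse to cache
    content that does not start like a JPEG, PNG or GIF."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


def accept_remote(url, data, host_check):
    """Decide whether a fetched resource may be written to the cache directory."""
    return host_check(url) and is_image(data)


# Constructed sample requests: a genuine image host and two attacker-controlled URLs.
SAMPLES = [
    ("http://farm1.static.flickr.com/1/photo.jpg", b"\xff\xd8\xff\xe0JFIF..."),
    ("http://blogger.com.attacker.example/shell.php", b"<?php system($_GET['c']); ?>"),
    ("http://attacker.example/shell.php?x=flickr.com", b"<?php system($_GET['c']); ?>"),
]

if __name__ == "__main__":
    for url, data in SAMPLES:
        print(url)
        print("  substring check:", allowed_substring(url),
              " host check:", allowed_host(url),
              " looks like image:", is_image(data))
```

The two attacker URLs pass `allowed_substring` and fail `allowed_host`. The magic-byte check is deliberately not the last word: a file can begin with a valid JPEG header and still carry PHP after it, so the cache directory that receives fetched files must also be configured so the web server never executes anything stored in it.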

The doorway pages used in this attack send visitors to scareware websites pushing fake antivirus software. Sinegubko has more information and technical recommendations on his blog. He also welcomes information from affected webmasters, which would help establish how the blogs were compromised and help others protect their websites.