In a blog post published last Friday, Sucuri cited a recently discovered scheme in which bad actors inject a ./blog folder full of malicious PHP files into a compromised website. Although the folder appears to be a legitimate blog directory, when accessed with a web browser it displays an "essay spam" website. "What makes it even more interesting is the fact that every time you reload the page, it shows a completely different essay website," the blog post explained.
Sucuri first began looking into this technique late last year. "Instead of injecting the malware into an existent theme/plugin file to generate the spam, they added everything into a very common directory name (blog) to trick the user into thinking that the directory is valid and it shouldn't be touched," explained Sucuri remediation lead and blog post author Fernando Barbosa, in an email interview with SC Media.
The PHP code contained within the subdirectory files gathers various data from the compromised websites' visitors – including user agent, IP address, referrer and HTTP Accept-Language – and sends it to the malicious URL gotopplz[.]xyz, Sucuri noted. In response, this domain uses the JSON data interchange format to fetch content from various essay spam sites. The web security company also observed the presence of two variables sent to gotopplz[.]xy that is likely used to identify and track individual spam campaigns in order to allocate profits generated from the illicit ad views to the correct parties.
As a measure to prevent search engines from detecting the essay spam, the script returns a "404 Not Found" error for user agents such as Googlebot and MSNbot, Sucuri further reported. Moreover, if the script is unable to successfully retrieve content from the malicious server, the PHP code will instead display a full HTML page displaying the essay-writing ads, ensuring the site visitor is still subjected to the spam content.
SC Media has contacted Sucuri for additional details.