The SEP technique is used to take advantage of Search Engine Result Pages (SERPs) rankings.
The SEP technique is used to take advantage of Search Engine Result Pages (SERPs) rankings.

Sucuri researchers spotted a pornography spam campaign targeting unpatched Joomla vulnerabilities in Search Engine Poisoning (SEP) attacks.

The SEP technique is used to take advantage of Search Engine Result Pages (SERPs) rankings and the threat actors avoid detection by hiding the spam content from normal visitors, according to a Feb, 20 blog post.

Researchers said that by allowing only the search engine crawlers to see them, the spam, keywords and links are indexed for ranking but aren't visible to visitors.

Users are redirected if the website was reached through any search engine result link and in all other cases, the redirects are also being triggered. This set up leaves no noticeable condition of triggering the redirect researchers said in the blog.

“The idea behind this campaign is to simply redirect the website visitors which are coming from an infected site to porn websites to earn visitors and generate click revenue,” Sucuri researcher Bruno Zanelato told SC Media. “This malware campaign cleverly hides its tracks with several layers of obfuscation, making it difficult for webmasters to identify the hack.”

Zanelato said that they haven't found any indication of backdoors or other malicious payloads and that the best way for users to prevent attacks is to ensure that they are using the latest version of Joomla and to use a cloud-based Web Application Firewall.

A Joomla spokesperson told SC Media “this specific issue was quickly identified and resolved by our development teams and resolved in a subsequent release.”

“As long as web site managers follow our recommendations and keep their site updated with the latest Joomla! release, these potential vulnerabilities are mitigated,” the Joomla spokesperson said.