Recently, a new attack campaign was discovered that adds phony keywords to the titles of vulnerable WordPress sites. The attackers added “1800ForBail” or “1800ForBail – One+Number” to the titles of the compromised sites. Most of the sites targeted in this campaign were compromised after June 12, 2019. The threat actors behind the campaign changed the “blogname” setting in WordPress to modify the titles.
This campaign was discovered by Kaushal Bhavsar, a malware analyst for Sucuri.
Two separate attacks in tandem
Sucuri observed that the campaign consisted of two active attacks. “These seem to be two separate attacks. One of them (siteurl/home) redirects visitors to scam sites (tech support and push notification scams), while the other changes blog titles — a black hat SEO technique used to gain more visibility for the brand of the ‘bail service’,” read the blog by the security firm.
As for mitigations, WordPress site owners affected by this campaign are advised to update all their plugins and themes, as well as change the “blogname” option, to prevent their sites from being reinfected.
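
A check for the changes described above, as an added example rather than code from Sucuri or the article: it takes rows exported from the wp_options table and flags a "blogname" carrying the campaign keyword, and a "siteurl" or "home" value that points away from the site's own host. The row format, the name `audit_options`, the tolerance for spaces and dashes in the keyword, and the example.com hostnames are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Keyword taken from the article. Matching it case-insensitively and allowing
# spaces or dashes between its parts is an assumption, not something reported.
TITLE_MARKER = re.compile(r"1[\s-]*800[\s-]*for[\s-]*bail", re.IGNORECASE)
URL_OPTIONS = ("siteurl", "home")


def audit_options(rows, expected_host):
    """Return a list of (option_name, reason) findings.

    rows: iterable of {"option_name": ..., "option_value": ...} dicts
          (assumed export format of the wp_options table).
    expected_host: hostname the site is supposed to be served from.
    """
    options = {r["option_name"]: str(r["option_value"]) for r in rows}
    expected = expected_host.lower()
    findings = []

    if TITLE_MARKER.search(options.get("blogname", "")):
        findings.append(("blogname", "campaign keyword in site title"))

    for name in URL_OPTIONS:
        value = options.get(name)
        if value is None:
            findings.append((name, "option missing"))
            continue
        # A value without a scheme yields no hostname and is flagged as well.
        host = (urlparse(value).hostname or "").lower()
        if host not in (expected, "www." + expected):
            findings.append((name, f"points to unexpected host {host!r}"))
    return findings


# Constructed sample rows, not taken from a real site.
SAMPLE = json.loads("""[
  {"option_name": "blogname", "option_value": "1800ForBail - One+Number"},
  {"option_name": "siteurl",  "option_value": "https://redirect.example.net/x"},
  {"option_name": "home",     "option_value": "https://www.example.com"}
]""")

if __name__ == "__main__":
    for option, reason in audit_options(SAMPLE, "example.com"):
        print(f"{option}: {reason}")
```

An empty result only means these three options look normal; it does not show that the plugin or theme used for the initial compromise has been updated.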