Researchers uncover new webspam campaign that targets South Korean users

• Doorway scripts in this campaign checks for users who use a Korean version of search engines and have Korean as their default browser language.
• The spam campaign primarily themed around prostitution, online gambling, and a fashion apparel brand.

Security researchers from Sucuri have identified a new spam campaign making rounds lately. Strangely, it only targeted users from South Korea. According to Sucuri researchers, doorway pages were extensively deployed in this campaign for users who used a Korean version of search engines, as well as had Korean as their default browser language. In fact, the researchers suggest that other website owners are affected by this campaign since it could manipulate search results.

Key highlights

• Sucuri researchers uncovered this Korean language focused campaign when they came across an infected WordPress index.php file. Upon analysis, they found that the PHP code had a spam doorway generator.
• This doorway generator could retrieve spam content from a third-party server, then caches it on a compromised server and displays doorway pages. Interestingly, it also checks for users who use search engines with .kr domain and have set Korean as the default language in browsers.
• In addition, a base64-encoded string downloaded by the researchers from a URL (associated with the campaign) contained a configuration array file. This file contained close to 3,000 keywords, links, and injection patterns.
• The keywords found in this array were associated with three sub-campaigns. Sucuri identified the domains and keywords related to these activities.

Worth noting

On top of targeting Korean users, the threat actors leveraged non-hacked WordPress sites in their act of spamming search engines.

“In addition to common black hat SEO tactics, this campaign uses a very interesting (and disturbing for WordPress users) approach to spamming search engines. The configuration files contain lists of 500 random (and uncompromised) WordPress sites with the following format: http://example.com/?s=[content],” said Sucuri’s blog. This led to indexing spam pages in search engines.