WordPress Website “1800ForBail – One+Number” Or “1800ForBail”, “Blogname” Hack

Last Updated: 24th July, 2022

A weird “blogname” hack has come to notice on WordPress websites. An enormous number of WordPress websites now show “1800ForBail – One+Number” or “1800ForBail” as their SEO title/blog name.

So far, all of this looks like a huge black hat SEO campaign. It might be more than that, though.



Here is how it appears in Google search results:

The figure below involves, of course, internal pages on compromised websites.




Simultaneously, PublicWWW.com, which typically displays one result per domain, returns 692 entries for “1800ForBail.”

Google’s cache shows that most sites were hacked after 12th June, 2019.

1800ForBail Attack Details

Typically in these cases, hackers change the standard WordPress setting “blogname” to display the desired keywords/titles. This can also be confirmed by analyzing the HTML of these hacked sites. Here is the malicious HTML responsible for this hack on these sites:

<meta property="og:title" content="Home - 1800ForBail" />
<meta property="og:url" content="hxxps://deliverygoodstrategy[.]com/destiny?tt=2&/" />
<meta property="og:site_name" content="1800ForBail" />
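
The HTML check described above, run from the outside against a page's markup, as an added example that is not from the original article: it compares the `<title>` and Open Graph tags with the site name and host the owner expects. The function names, the sample pages and the `.example` hosts are constructed for illustration, and it assumes titles on the site normally contain the site name.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HeadParser(HTMLParser):
    """Collects <title> text and the Open Graph tags seen in the injected markup."""
    def __init__(self):
        super().__init__()
        self.og, self.title, self._in_title = {}, "", False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = (a.get("content") or "").strip()

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_page(html, expected_name, expected_host):
    """Return (finding, value) pairs where the page disagrees with the owner's settings."""
    p = HeadParser()
    p.feed(html)
    name, host_ok = expected_name.casefold(), expected_host.lower()
    findings = []
    site_name = p.og.get("og:site_name")
    if site_name is not None and site_name.casefold() != name:
        findings.append(("og_site_name_changed", site_name))
    # Assumption: titles on this site normally contain the site name.
    for label, text in (("og_title", p.og.get("og:title")), ("title", p.title.strip())):
        if text and name not in text.casefold():
            findings.append((label + "_lacks_site_name", text))
    host = (urlsplit(p.og.get("og:url", "")).hostname or "").lower()
    if host and host != host_ok and not host.endswith("." + host_ok):
        findings.append(("og_url_offsite", host))
    return findings

# Constructed samples (not captured from a real site); the .example hosts are placeholders.
HACKED = """<html><head><title>Home - 1800ForBail</title>
<meta property="og:title" content="Home - 1800ForBail" />
<meta property="og:url" content="https://redirect.example/destiny?tt=2" />
<meta property="og:site_name" content="1800ForBail" />
</head><body></body></html>"""
CLEAN = HACKED.replace("1800ForBail", "Example Bakery").replace(
    "https://redirect.example/destiny?tt=2", "https://www.bakery.example/")
```

Calling `audit_page(HACKED, "Example Bakery", "bakery.example")` returns four findings (changed site name, two titles without the site name, off-site `og:url`), while the clean sample returns an empty list.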



The attacker’s ability to manipulate this HTML could be attributed to plugin vulnerabilities. In most of these cases, the victim sites were using outdated and unpatched plugins and themes. Some of the plugins previously found to be culprits in site URL attacks are WordPress GDPR Compliance, TagDiv themes, Freemius Library (and all plugins that use it), Convert Plus, etc.

Other 1800ForBail Similar Attacks

This “1800ForBail” blog name attack is similar to scenarios we’ve seen previously, such as Korean SEO spam and Japanese SEO spam, where hackers modify the URL of a website and use Japanese/Korean keywords to boost site visibility.

The other attack it resembles is the attack on the website’s URL. In site URL attacks, the hacker changes the URL of the hacked website to that of their own domain. The purpose of this is to redirect visitors of the site to that domain.



Phonewords In Black Hat SEO

These seem to be two separate attacks. One of them (siteurl/home) redirects visitors to scam sites (tech support and push notification scams), while the other changes blog titles — a black hat SEO technique used to gain more visibility for the brand of the “bail service.”

This approach is similar to what we’ve seen in the Korean spam campaign, where hackers flooded search results with links to certain Korean sites without actually linking to them. This tricks Google into indexing any “Not Found” search result pages that mention the respective domain names and relevant keywords on non-hacked WordPress sites.



In the Korean spam campaign, this approach worked because the domain names were very short and people could manually type the domains into the browser’s address bar.

In the case of this new “1800ForBail” campaign, bad actors leverage two distinct features: a simple domain name matching the injected keyword (which makes it effortless for users to manually enter it into their browsers) as well as a toll-free number using the mnemonic phoneword “ForBail.”

Mitigation Measures

To restore your website from this nightmare, you should change the “Blog title” setting in your WordPress admin interface (or the “blogname” option in the wp_options table). Also, since a lot of trouble arises from outdated and vulnerable plugins/themes, updating them is the most prudent measure.



Hackers constantly find new ways to exploit vulnerabilities in website software. This new “blogname attack” doesn’t break the sites, making it harder to notice the hack if you don’t pay attention to the titles of the open browser tabs. These spam keywords are very prominent in search results, which affects the reputation of the website.

In addition to this, installing a premium and professional website protection or Web Application Firewall (WAF) on your website will make you more immune to defacing attacks like these.
