Last Updated: 12th September, 2019
On WordPress websites, a weird “Blogname” hack had already come to notice. An enormous number of WordPress websites are appearing as their SEO title/blog name “1800ForBail – One+Number” or this “1800ForBail.”
All of this looks like a huge black hat SEO campaign to date. It might be more than that, though.
Here is how it appears in Google search results:
The figure below involves, of course, internal pages on compromised websites.
Simultaneously, PublicWWW.com returns 692 entries for “1800ForBail,” which typically displays one result per domain.
Google’s cache illustrates that after 12th June, 2019, most sites were hacked.
1800ForBail Attack Details
Typically in these cases, hackers change the standard WordPress, setting “blogname” to display desired keywords/titles. This could also be confirmed by the HTML page analysis of these hacked sites. Here is the malicious HTML responsible for this hack in these sites:-
<meta property="og:title" content="Home - 1800ForBail" /> <meta property="og:url" content="hxxps://deliverygoodstrategy[.]com/destiny?tt=2&/" /> <meta property="og:site_name" content="1800ForBail" />
The reason that the attacker was able to manipulate these HTML codes could be attributed to plugin vulnerabilities. In most of these cases, the victim sites were using outdated and unpatched plugins and themes. Some of the plugins that were previously found as a culprit in the site URL attacks are WordPress GDPR Compliance, TagDiv themes, Freemius Library (and all plugins that use it), Convert Plus, etc.
Other 1800ForBail Similar Attacks
This blog name attack “1800ForBail” is equivalent to the scenarios we’ve seen in the previous. Cases such as Korean SEO spam, Japanese SEO spam, where hackers modify the URL of a website and make Japanese/Korean keywords to boost site visibility.
The other attack it portrays is the attack on the website’s URL. In Site URL attacks, hacker changes the URL of the hacked websites to that of his domain. The purpose of this is to redirect visitors of the site to his domain.
Phonewords In Black Hat SEO
These seem to be two separate attacks. One of them (siteurl/home) redirects visitors to scam sites (tech support and push notification scams), while the other changes blog titles — a black hat SEO technique used to gain more visibility for the brand of the “bail service.”
This approach is similar to what we’ve seen in the Korean spam campaign, where hackers flooded search results with links to certain Korean sites without actually linking them. This tricks Google to index any “Not Found” search result pages mentioning respective domain names and relevant keywords on non-hacked WordPress sites.
In the Korean spam campaign, this approach worked because the domain names were very short and people could manually type the domains into the browser’s address bar.
In the case of this new “1800ForBail” campaign, bad actors leverage two distinct features: a simple domain name matching the injected keyword — which makes it effortless for users to manually enter it into their browsers — as well as a toll-free number using the mnemonic phoneword “ForBail.”
To restore your website from this nightmare, you should change the “Blog title” setting from their WordPress admin interface (or the “blogname” option in the wp_options table). Also, since a lot of trouble arises from outdated & vulnerable plugins/themes, updating them is the most prudent measure.
Hackers constantly find new ways to exploit vulnerabilities in website software. This new “blogname attack” doesn’t break the sites, making it harder to notice the hack if you don’t pay attention to the titles of the open browser tabs. These spam keywords are very prominent in search results, which affects the reputation of the website.
In addition to this, installing a premium and professional website protection or Web Application Firewall (WAF) on your website will make you more immune to defacing attacks like these.