WordPress Website “1800ForBail – One+Number” Or “1800ForBail”, “Blogname” Hack


On WordPress websites, a weird “Blogname” hack has come to notice. An enormous number of WordPress websites are showing “1800ForBail – One+Number” or “1800ForBail” as their SEO title/blog name.

All of this looks like a huge black hat SEO campaign to date. It might be more than that, though.


Here is how it appears in Google search results:


The figure below involves, of course, internal pages on compromised websites.


At the same time, PublicWWW.com, which typically displays one result per domain, returns 692 entries for “1800ForBail.”

Google’s cache shows that most sites were hacked after 12th June, 2019.

1800ForBail Attack Details

Typically in these cases, hackers change the standard WordPress setting “blogname” to display the desired keywords/titles. This can also be confirmed by analyzing the HTML of these hacked sites. Here is the malicious HTML responsible for this hack on these sites:


<meta property="og:title" content="Home - 1800ForBail" />
<meta property="og:url" content="hxxps://deliverygoodstrategy[.]com/destiny?tt=2&#038;/" />
<meta property="og:site_name" content="1800ForBail" />


The attacker's ability to manipulate this HTML could be attributed to plugin vulnerabilities. In most of these cases, the victim sites were using outdated and unpatched plugins and themes. Some of the plugins and themes previously found to be culprits in the site URL attacks are WordPress GDPR Compliance, TagDiv themes, Freemius Library (and all plugins that use it), Convert Plus, etc.

Other Attacks Similar To 1800ForBail

This blog name attack “1800ForBail” is similar to scenarios we’ve seen previously, such as Korean SEO spam and Japanese SEO spam, where hackers modify the URL of a website and add Japanese/Korean keywords to boost site visibility.

The other attack it resembles is the attack on the website’s URL. In Site URL attacks, the hacker changes the URL of the hacked website to that of his own domain. The purpose of this is to redirect visitors of the site to his domain.


Phonewords In Black Hat SEO

These seem to be two separate attacks. One of them (siteurl/home) redirects visitors to scam sites (tech support and push notification scams), while the other changes blog titles — a black hat SEO technique used to gain more visibility for the brand of the “bail service.”

This approach is similar to what we’ve seen in the Korean spam campaign, where hackers flooded search results with links to certain Korean sites without actually linking them. This tricks Google into indexing any “Not Found” search result pages mentioning respective domain names and relevant keywords on non-hacked WordPress sites.


In the Korean spam campaign, this approach worked because the domain names were very short and people could manually type the domains into the browser’s address bar.

In the case of this new “1800ForBail” campaign, bad actors leverage two distinct features: a simple domain name matching the injected keyword (which makes it effortless for users to manually enter it into their browsers), as well as a toll-free number using the mnemonic phoneword “ForBail.”

Mitigation Measures

To restore your website from this nightmare, you should change the “Blog title” setting from your WordPress admin interface (or the “blogname” option in the wp_options table). Also, since a lot of trouble arises from outdated and vulnerable plugins/themes, updating them is the most prudent measure.
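
A check for the indicators described above (the injected title and og: tags), added here as an example and not taken from the original article: it parses the HTML of a page from your own site and flags the spam keyword, an og:site_name that differs from your real blog title, and an og:url on another host. The names audit_page and HeadParser and the hosts shop.example and unrelated.example are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SPAM_KEYWORD = "1800forbail"  # keyword reported on this page, lower-cased

class HeadParser(HTMLParser):
    """Collects the <title> text and Open Graph <meta> properties."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.og, self.title, self._in_title = {}, "", False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content") or ""
        self._in_title = self._in_title or tag == "title"

    def handle_endtag(self, tag):
        self._in_title = self._in_title and tag != "title"

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_page(html, expected_host, expected_name):
    """Return findings for one page of a site you own (hypothetical helper)."""
    p = HeadParser()
    p.feed(html)
    findings = [f"spam keyword in {field}: {value.strip()!r}"
                for field, value in [("title", p.title), *p.og.items()]
                if SPAM_KEYWORD in value.lower()]
    name = p.og.get("og:site_name")
    if name is not None and name.strip() != expected_name:
        findings.append(f"og:site_name {name!r} differs from {expected_name!r}")
    host = urlsplit(p.og.get("og:url", "")).hostname  # exact host match only
    if host and host != expected_host.lower():
        findings.append(f"og:url points to foreign host {host}")
    return findings

# Constructed samples: shop.example / unrelated.example are placeholders.
HACKED = """<head><title>Home - 1800ForBail</title>
<meta property="og:title" content="Home - 1800ForBail" />
<meta property="og:url" content="https://unrelated.example/destiny?tt=2&#038;/" />
<meta property="og:site_name" content="1800ForBail" />"""
CLEAN = """<head><title>Home - My Shop</title>
<meta property="og:url" content="https://shop.example/" />
<meta property="og:site_name" content="My Shop" />"""

if __name__ == "__main__":
    print(audit_page(HACKED, "shop.example", "My Shop"))
```

Run against internal pages as well as the home page, since the injected title appears on both.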


Conclusion
Hackers constantly find new ways to exploit vulnerabilities in website software. This new “blogname attack” doesn’t break the sites, making it harder to notice the hack if you don’t pay attention to the titles of the open browser tabs. These spam keywords are very prominent in search results, which affects the reputation of the website.

In addition to this, installing a premium, professional website protection service or Web Application Firewall (WAF) on your website will make you more resistant to defacement attacks like these.
