Those responsible for Gootloader target vulnerable WordPress websites and plant hundreds of pages of fake content, often totally unconnected to the theme of the website. A wide variety of websites have been impacted across many industry sectors, including retail, education, healthcare, travel, music, and many more, with the common denominator that they all run the WordPress CMS.
It is not yet known how the WordPress sites have been compromised. The sites may not have been updated to the most recent WordPress version, or may have had vulnerable plugins that were targeted. Legitimate admin accounts could also have been compromised using brute force tactics or other methods.
The content placed on the compromised sites takes the form of forum posts and fake message boards, with specific questions and answers. The questions mostly relate to certain types of legal agreements and other documents. A review of the campaign by eSentire researchers found that the majority of the posts on the compromised websites included the word “agreement”. The posts feature a question, such as “Do I need a party wall agreement to sell my house?”, with a reply added below using the exact same search term that users can click to download a template agreement.
These pages pose very specific questions for which there are few existing search engine listings, so when search engines crawl the websites, the content ranks highly in the SERPs for that specific search term. Relatively few people may be searching for these particular terms, but most of those who do are looking for a sample agreement and are therefore likely to download and run the file on offer.
The content placed on the websites contains malicious code that displays the fake forum posts only to visitors from certain locations; underneath is a blog post that at first appears authentic but mostly consists of gibberish. That blog post is what every visitor who is not specifically being targeted sees.
The campaign uses black hat SEO techniques to get the content listed in the SERPs. Such content will eventually be removed by the likes of Google, but that process can take some time.
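For a WordPress site owner wanting to check whether pages of this kind have been planted, the following added example (not from the original article or from eSentire) triages exported post records using the traits described above: question-style titles about legal agreements, forum-thread markers in the body, and many posts published within the same minute. The sample records and keyword list are constructed for illustration.

```python
"""Triage WordPress posts for planted fake forum pages of the kind described above.
Sample records are constructed; they are not taken from any real compromised site."""
import re
from collections import Counter
from datetime import datetime

KEYWORDS = {"agreement", "contract", "template", "form", "waiver", "lease"}
FORUM_MARKERS = re.compile(r"(reply|posted by|re:|thread|forum)", re.I)
QUESTION = re.compile(r"^(do|does|can|how|what|is|are|should|which)\b.*\?$", re.I)

# Constructed wp_posts-like records: (ID, post_date, post_title, post_content)
SAMPLE_POSTS = [
    (101, "2021-02-03 09:12:00", "Spring menu update", "Our new seasonal dishes ..."),
    (102, "2021-02-14 02:01:10", "Do I need a party wall agreement to sell my house?",
     "Posted by admin. Re: party wall agreement ... download the template below"),
    (103, "2021-02-14 02:01:12", "Is a verbal lease agreement binding?",
     "Reply #1: yes, but ... agreement template attached"),
    (104, "2021-02-14 02:01:15", "Which form do I need for a rental agreement?",
     "Forum thread: rental agreement ..."),
    (105, "2021-03-01 12:00:00", "Hours over the holidays", "We close at ..."),
]

def is_suspicious_title(title):
    """Question-form title that mentions a legal-document keyword."""
    words = set(re.findall(r"[a-z]+", title.lower()))
    return bool(QUESTION.match(title.strip())) and bool(words & KEYWORDS)

def burst_minutes(posts, threshold=3):
    """Return the set of 'YYYY-MM-DD HH:MM' buckets holding >= threshold posts."""
    buckets = Counter(datetime.strptime(d, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:%M")
                      for _, d, _, _ in posts)
    return {b for b, n in buckets.items() if n >= threshold}

def triage(posts, threshold=3):
    """Return {post_id: [reasons]} for every post matching at least one heuristic."""
    bursts = burst_minutes(posts, threshold)
    flagged = {}
    for pid, date, title, content in posts:
        reasons = []
        if is_suspicious_title(title):
            reasons.append("question-style title with legal-document keyword")
        if FORUM_MARKERS.search(content):
            reasons.append("forum-thread markers in body")
        if date[:16] in bursts:  # same minute bucket as burst_minutes() uses
            reasons.append("part of a publishing burst")
        if reasons:
            flagged[pid] = reasons
    return flagged
```

Posts that hit all three heuristics deserve a manual look, since a legitimate blog rarely publishes several legal question-and-answer threads within the same minute.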