Security researchers identified a new wave of attack campaigns that target insecure Joomla site installations with porn spam content.
Unpatched Joomla Sites Targeted With Porn Spam
Computer security experts from Sucuri uncovered a dangerous new spam campaign that primarily targets insecure Joomla sites. The hackers take advantage of running instances with security weaknesses, namely those running outdated versions or unmaintained modules or scripts.
The hackers behind the campaign use Search Engine Result Pages (SERPs) rankings to discover possible targets. They carry out covert attacks that insert pornography-related spam keywords and content into the sites. However, the malicious additions are not explicitly visible to the visitors of the compromised sites. The primary aim of the campaign is to manipulate search engines into raising the rank of specific hacker-controlled porn sites.
The primary motivator for the attack campaign is income generation through click revenue networks. Visitors are tricked into interacting with various pop-ups and hyperlinks which generate income for the hacker operators. In addition, they may deliver various forms of dangerous malware such as browser hijackers and ransomware. So far the studied malware shows that the payloads were hidden in several layers of obfuscation, which makes detection difficult. The attacks carried out so far have not revealed the use of malicious payloads. We suspect that this will change in the future as the campaign unfolds further.
Further Details About The Porn Spam
The attack campaign in question relies on a dangerous blackhat SEO tactic used to increase search engine ranking. The following symptoms are signs of an active infection:
- The visitors are redirected to third-party sites when the infected sites are found via search engine queries.
- Other site interaction can also lead to the porn spam campaign.
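A site owner can check for the first symptom by comparing how the same page answers a direct visit and a visit that arrives from a search result. The sketch below is an added example, not code from Sucuri or Joomla; it assumes the redirect is keyed on the Referer header, and the host names and sample responses are constructed.

```python
import re
from urllib.parse import urljoin, urlparse

# Client-side redirects in the body: meta refresh and location assignment.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def redirect_target(page_url, status, headers, body):
    """Return the absolute URL this response sends the visitor to, or None."""
    if 300 <= status < 400:
        loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if loc:
            return urljoin(page_url, loc)
    for pattern in (META_REFRESH, JS_LOCATION):
        match = pattern.search(body)
        if match:
            return urljoin(page_url, match.group(1))
    return None

def is_offsite(page_url, target):
    """True when the target points to a different host than the page itself."""
    return target is not None and urlparse(target).hostname != urlparse(page_url).hostname

def referral_only_redirect(page_url, direct, via_search):
    """direct and via_search are (status, headers, body) for the same URL.
    Returns the off-site target seen only on the search-referred request."""
    t_direct = redirect_target(page_url, *direct)
    t_search = redirect_target(page_url, *via_search)
    if is_offsite(page_url, t_search) and t_search != t_direct:
        return t_search
    return None

# Constructed sample responses (hypothetical hosts, not taken from the campaign).
SITE = "https://joomla-site.example/index.php"
DIRECT = (200, {"Content-Type": "text/html"}, "<html><body>Welcome</body></html>")
VIA_SEARCH_302 = (302, {"Location": "http://spam-landing.example/in"}, "")
VIA_SEARCH_META = (200, {}, '<meta http-equiv="refresh" '
                            'content="0; url=http://spam-landing.example/in">')
CANONICAL = (301, {"Location": "/index.php/home"}, "")  # benign same-site redirect

if __name__ == "__main__":
    for name, resp in [("302", VIA_SEARCH_302), ("meta", VIA_SEARCH_META),
                       ("canonical", CANONICAL), ("clean", DIRECT)]:
        print(name, referral_only_redirect(SITE, DIRECT, resp))
```

To use it on a real site, capture the two responses with any HTTP client, sending a search results URL as the Referer on one of the requests and no Referer on the other.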
The analyzed campaign features a site hosted in Latvia with the majority of visitors coming from Japan. Since January 2016 there has been a steady increase of traffic which is attributed to the spam campaign.
The Joomla security team reacted quickly and issued a security update in a timely manner. All site owners should update to the latest version as soon as possible to protect against the hacker attacks. As this is one of the most popular content management systems used globally, we expect that the number of affected sites is significant. Experts rate the danger level as very high.