Quote:A clever malware built for SEO injection – where a black hat loads up a webpage with spammy links, redirects and ad keywords, unbeknownst to the site owner – has been seen evading detection with an innovative approach that involves appending itself in an unusual place in the back-end code of a WordPress site.

Researchers at Sucuri have seen the malware crop up in two unrelated sites recently, targeting both English- and Korean-speaking searchers who are looking for various “free” downloads.

Upon analysis, the researchers discovered that the malware has two functions. First, it can add hidden links for indexing by search engines (a process that usually violates search engine terms of service and could result in blacklisting of the site); and secondly, it can redirect site visitors to spam content. The latter function is more advanced than usual, because it only redirects unregistered site users (presumably one-time visitors who wouldn’t flag the issue to the webmaster). And, it redirects visitors to certain pages based on their profile.

So, malefactors can inject SEO terms – hidden from site users – into the web page’s code, which will be indexed and move the site up in the search engine results. That improves the exposure for the true purpose of the campaign, which is to redirect visitors to sketchy external sites, which could be carrying out ad fraud or serving malware, among other things.