Spambot Targets WordPress with Spray and Pray

Written by

Researchers at Imperva published their discovery of a new comment spam campaign that is leveraging the popularity of the World Cup to trick people into clicking on links that take them to shady betting sites.

The campaign, which mainly targets WordPress sites, is launched by a botnet and implemented in the form of comment spam. Despite its being one of the oldest tricks in the hacker’s book, comment spam is still pretty popular.

The comments appear to be little more than meaningless, generic text generated from a template and posted in the comment sections of blogs and news articles. When researchers sifted through the comments, they discovered a pattern: The linked sites offered betting services on 2018 FIFA World Cup matches.

Using the spray-and-pray technique, the spambot attempts to post a comment to the same URI across multiple sites, even those sites that might be vulnerable or don’t have a comments section. Researchers found that the top 10 links advertised by the botnet lead to World Cup betting sites, with eight of those top advertised sites containing links to the same betting site.

“In the weeks before the World Cup, the botnet had emphasized other, non-spam attacks, including unsuccessful attempts to invoke remote code execution (RCE) via PHP and to abuse unrestricted file upload to WordPress sites,” the researchers wrote.

Commenting on the discovery, Johnathan Azaria, security researcher at Imperva, said, “Our research once again highlights that attackers follow public trends and essentially go where the money is."

“In this campaign, attackers are taking advantage of the popularity of the World Cup. Anyone who visits the betting sites could easily be duped into handing over sensitive information to attackers,” Azaria said.

Researchers suspect that this is a botnet for hire, orchestrated by the betting sites in an attempt to increase their SEO and "reflects how malicious or unsolicited campaigns tend to intensify during events that draw large audiences who keep track of developments online, are enticed to purchase products online from sponsoring organizations or both," said Chris Olson, CEO of The Media Trust.

What’s hot on Infosecurity Magazine?