A new and stealthy malware campaign is targeting WordPress sites, turning trusted pages into billboards for online gambling without the site owner’s knowledge. Security analyst Puja Srivastava from Sucuri has detailed a sophisticated technique dubbed “directory shadowing,” where attackers create physical folders on the server to hijack legitimate URLs.
The attack is particularly insidious because it is invisible to regular visitors and administrators. “Instead of normal titles and descriptions, Google was displaying casino and gambling-related content,” the report notes. Yet, when the site owner checked, everything looked normal.
The core of this attack relies on how web servers prioritize files. Attackers created physical directories that matched the WordPress site’s existing permalinks—for example, creating a real folder named /about-us/ to hijack the virtual URL example.com/about-us/.
Because servers like Apache and Nginx serve physical files first, the attacker’s content loads instead of the WordPress page. “The ‘new’ element here was the use of directory shadowing… This allowed the attacker to fully hijack specific pages without modifying the actual WordPress configuration,” Srivastava explains.
Inside these hidden folders, the researchers found three files:
- index.php: The controller logic.
- indexx.php: A clean copy of the original page to show regular visitors.
- readme.txt: The malicious spam content.
The malware included specific logic to identify search engine crawlers. By checking the User-Agent string for terms like “Googlebot,” the script decided which content to serve.
“When the request matched a Google-related User-Agent, the malware loaded the contents of the readme.txt file and printed it directly to the browser,” the report states.
This readme.txt file was deceptive in its own right. It contained over 600 lines of HTML designed to look like a high-authority e-commerce site, using “stolen CSS and metadata from Etsy to look legitimate to automated systems”. This effectively tricked Google into indexing the page as a highly rated product listing for Indonesian gambling sites.
To remove the infection, administrators must look beyond the WordPress dashboard. The fix involves deleting the malicious physical directories that mirror the site’s permalinks.
Srivastava advises site owners to be vigilant: “Seeing spam there immediately raised concern… The strongest indicator in this case was the presence of directories named after WordPress page permalinks”. After cleanup, requesting a re-index from search engines is crucial to restore the site’s reputation.
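A defender-side check for the indicator Srivastava names, written as an added Python example (not Sucuri's or WordPress's code): it compares a site's page slugs against real directories in the document root and reports which of the three files listed above each shadow directory holds. The slug list and the demo document root are constructed assumptions; in practice the slugs would come from the site's own page table.

```python
"""Added example (not Sucuri's code): flag directories in a WordPress document root that
shadow page permalinks. WordPress's default rewrite rules only hand a request to
index.php when no real file (-f) or directory (-d) matches the path, so a physical
/about-us/ folder is served instead of the virtual /about-us/ page.
"""
from pathlib import Path
import tempfile

# Filenames the Sucuri report found inside the shadow directories.
SUSPECT_FILES = {"index.php", "indexx.php", "readme.txt"}
# Real directories every WordPress install has; never permalinks, so skipped.
KNOWN_DIRS = {"wp-admin", "wp-content", "wp-includes"}


def find_shadowed_permalinks(docroot, permalinks):
    """Return {slug: [suspect files present]} for every permalink backed by a real directory.

    `permalinks` is the list of page slugs as WordPress knows them; how it is obtained
    (database query, WP-CLI export) is left to the operator and assumed here.
    """
    root = Path(docroot)
    findings = {}
    for slug in permalinks:
        # Nested permalinks ("blog/news") map onto nested directories.
        candidate = root.joinpath(*slug.strip("/").split("/"))
        if slug in KNOWN_DIRS or not candidate.is_dir():
            continue
        # Any real directory on a permalink is a finding; list which known files it holds.
        findings[slug] = sorted(p.name for p in candidate.iterdir() if p.name in SUSPECT_FILES)
    return findings


def build_demo_docroot():
    """Construct a throwaway docroot: one shadowed permalink, two clean ones."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    for name in KNOWN_DIRS:
        (root / name).mkdir()
    (root / "index.php").write_text("<?php // WordPress front controller (stub)\n")
    shadow = root / "about-us"
    shadow.mkdir()
    for name in SUSPECT_FILES:
        (shadow / name).write_text(f"constructed placeholder for {name}\n")
    return str(root), ["about-us", "contact", "blog/news"]


if __name__ == "__main__":
    docroot, slugs = build_demo_docroot()
    for slug, files in find_shadowed_permalinks(docroot, slugs).items():
        print(f"/{slug}/ is shadowed by a real directory holding: {', '.join(files)}")
```

A directory that matches a permalink is worth inspecting even when it holds none of the three filenames, since the controller could be renamed in a later variant.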