Face Mask Spam Links Injected in WordPress Database

Sucuri Labs

During a recent malware removal request, we found a compromised WordPress site being used to redirect to spam websites. The campaign was leveraging an increase in search queries related to face masks.

To make their campaign more difficult to detect and boost SEO rankings, the attackers use a multitude of compromised third-party websites to funnel their traffic. They also use the World Health Organization name and images to add credibility to their campaign.

World Health Organization spam image

Spam links are injected into the widgets section of the wp_options database, resulting in the compromised environment linking to third-party sites trying to rank for face mask search terms.

Face mask spam links

The spam links have been set to conceal themselves from website visitors using <div style="display:none;">, all of which lead to the Shopify website https://lundybright[.]fr/ which was registered on March 2nd.

Compromised websites impacted by this spam campaign can use our hacked website cleanup guide to remove the infection.