A campaign that infects websites with malware to redirect traffic to fraudulent Q&A sites has now spread to 10,890 websites, with a staggering 2,600 newly infected sites added just this year.
The landing sites feature Google AdSense placements, generating ad views and revenue for the operators.
Security company Sucuri has been tracking this campaign since last year and reports that its activity is now surging again. In a recently published report, the firm says it has detected 70 new domains used in the campaign that masquerade as URL shorteners.
The role of these sites is to redirect visitors to the money-generating landing pages, but if someone enters the URL manually, they are instead redirected to legitimate URL shortening services like Bitly, Cuttly, and ShortUrl.at.
[Image: Sample of URL shortening sites (source: Sucuri)]

Operational Resilience
Apart from the large number of sites used in the campaign, which give it a certain level of stability against disinfections and takedowns, the operators have adopted some measures to ensure resilience.
First, they have migrated from Cloudflare, previously used as the campaign's network protection provider, to DDoS-Guard, a controversial Russian service that has drawn attention for its association with malicious platforms.
Secondly, the campaign operators are using multiple AdSense IDs on the infected sites to reduce the risk of losing large amounts if any of them are discovered as fraudulent and blocked by Google.
Thirdly, the redirections abuse Google Search to make it appear as if the traffic is legitimate, evading detection by network security tools.
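The fake shorteners described above behave differently depending on how a visitor arrives: a Google Search click is sent to the Q&A landing page, while a direct visit is bounced to a legitimate shortener. A defender can surface that referer-conditional behaviour by requesting the same URL twice and comparing the first redirect hop. The following is an added example, not code from Sucuri's report; the domains in the simulated fetcher are constructed placeholders, and `GOOGLE_REFERER` is an assumed referer value.

```python
"""Probe a URL for referer-conditional ("cloaked") redirects. Added example, not
from the Sucuri report; no real campaign hosts are contacted by the simulation."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# Assumed referer value standing in for a click on a Google Search result.
GOOGLE_REFERER = "https://www.google.com/"


def http_redirect_target(url: str, referer: Optional[str]) -> Optional[str]:
    """Fetch url once, do NOT follow redirects, return the first Location header (or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for 3xx instead of following

    headers = {"User-Agent": "redirect-probe/1.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        return opener.open(req, timeout=10).headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def probe_cloaking(url: str,
                   fetch: Callable[[str, Optional[str]], Optional[str]] = http_redirect_target
                   ) -> Dict[str, object]:
    """Request url directly and as a Google Search click; flag it if the redirects differ."""
    direct = fetch(url, None)
    via_search = fetch(url, GOOGLE_REFERER)
    return {"direct": direct, "via_search": via_search, "cloaked": direct != via_search}


def simulated_fake_shortener(url: str, referer: Optional[str]) -> Optional[str]:
    """Constructed stand-in for a campaign shortener domain, mirroring the reported behaviour."""
    if referer and "google." in referer:
        return "https://qa-landing.example/question-1"  # ad-laden Q&A landing page (placeholder)
    return "https://bitly.com/"  # direct visitors are bounced to a real shortener


if __name__ == "__main__":
    # Offline demonstration against the constructed shortener; swap in the default
    # fetcher to probe a suspicious URL from your own logs.
    print(probe_cloaking("https://fake-shortener.example/abc", simulated_fake_shortener))
```

A result with `cloaked` set to `True` is a strong signal that the host is serving different redirects to search traffic than to direct visitors, which is exactly the pattern the campaign relies on.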