Google Image Search has been known to lure users to compromised sites before.

A large contributing factor is that these sites often run WordPress, which is infamous for the great number of security bugs that make it such a perfect target.

This was once again pointed out by security researcher Denis Sinegubko, who found over 4000 WordPress blogs hijacked by unknown attackers and filled with popular search keywords and images that redirect users to sites hosting drive-by malware download exploits.

Each compromised site can contain over 100 different doorway pages, with URLs that follow a simple pattern: “hxxp:///?[a-f]{3}=”, where [a-f]{3} is a combination of three letters “a” through “f” and the parameter value is a hyphen-separated combination of keywords that contains either the word “picture” or “pictures”. The end destination of the scam is a number of .in domains that are swapped out randomly every so often, but mostly point to the same IP address of a server resolving to the UK. The malicious executable that is served is a bogus security product named Security Scanner, and the file is repackaged every day in order to elude most AV solutions. The current detection rate is estimated at about 18%.

“The doorway pages rank quite well for some keywords both in Google web search and Google Images search (especially when you are searching for exact phrases),” says Sinegubko. “However the malicious redirects occur only when you click on Google Images search results, which proves that Google Images poisoning is the main goal of this black-hat SEO campaign.”

It’s a mystery how the sites get compromised in the first place, since they have different owners and are hosted by different hosting providers. The only thing they have in common is that they are all WordPress blogs.

“Many of them are up-to-date (run the latest version of WordPress). So it’s neither a server-wide hack, nor an intrusion via stolen site credentials (otherwise we’d see many non-WP sites). At the same time, it is not a core WP hack. In my experience, this usually means that hackers used some backdoor script,” Sinegubko concludes, pointing out that many of the sites also use the timthumb.php script, which has been recently discovered to contain a bug that allows attackers to upload content onto the sites using it.

Webmasters of compromised blogs are advised to check site statistics for suspicious requests, sift through access logs and scan the files present on the server on a regular basis; in this case, they should also search for rogue rules in .htaccess files in the site root and in the directories above it, as these rules are evidence of the compromise.
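As an added illustration (not code from the article or from Sinegubko's research), the following Python log scanner flags access-log requests that match the doorway URL pattern described above and notes whether the referrer looks like a Google Images result page. The log lines are constructed samples, and the Apache combined log format and the `/imgres` referrer marker are assumptions.

```python
import re

# Doorway pattern from the article: "/?" + three letters a-f + "=" + hyphen-joined
# keywords that include the word "picture" or "pictures". Only path+query is matched.
DOORWAY_RE = re.compile(r"^/\?[a-f]{3}=(?P<kw>[a-z0-9]+(?:-[a-z0-9]+)*)$")

# Apache combined log format (assumed layout of the log being scanned).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). Two doorway hits, one normal
# post view, and one three-letter parameter whose keywords lack "picture(s)".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2011:12:00:01 +0000] "GET /?abc=cute-kitten-pictures HTTP/1.1" 200 4321 "http://www.google.com/imgres?q=cute+kitten" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2011:12:00:02 +0000] "GET /2011/06/hello-world/ HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2011:12:00:03 +0000] "GET /?fed=old-car-picture HTTP/1.1" 200 4300 "http://www.google.com/search?q=old+car" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2011:12:00:04 +0000] "GET /?abc=wordpress-theme HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
"""


def is_doorway_request(path):
    """True if the request path matches the doorway pattern with a picture keyword."""
    m = DOORWAY_RE.match(path)
    if not m:
        return False
    keywords = m.group("kw").split("-")
    return "picture" in keywords or "pictures" in keywords


def from_google_images(referer):
    """Heuristic (assumed): Google Images result pages carry /imgres in the URL."""
    return "google." in referer and "/imgres" in referer


def find_doorway_hits(log_text):
    """Return a list of dicts describing each doorway request found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_doorway_request(m.group("path")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "from_google_images": from_google_images(m.group("referer")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_doorway_hits(SAMPLE_LOG):
        print(hit)
```

Feed a real access log to `find_doorway_hits` and a steady stream of such requests is a strong sign the blog is serving doorway pages; a large share with Google Images referrers matches the campaign described here.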