Security researchers have identified a malicious campaign against WordPress sites. The campaign uses known vulnerabilities in WordPress themes and plugins, and has affected thousands of websites.
Malicious Campaign Compromises WordPress Sites: the Details
According to data shared by PublicWWW, at least 6,000 sites were infected in April alone. However, since the PublicWWW data only shows detections for simple script injections, Sucuri researchers believe that the scope of the campaign is “significantly larger”.
The investigation began with complaints from WordPress site owners about unwanted redirects. These turned out to be part of a new wave of a previously known, large-scale operation that sends visitors through a chain of redirects in order to serve them unwanted ads.
According to Sucuri’s investigation, all these WordPress sites suffered from a common problem – malicious JavaScript injected within the sites’ files and the database, including legitimate core WP files, such as:
./wp-includes/js/jquery/jquery.min.js
./wp-includes/js/jquery/jquery-migrate.min.js
This could allow the attacker to redirect visitors to any online destination. The end of the redirect chain could load advertisements, phishing pages, or even malware. It could also initiate another set of intrusive redirects, the researchers said.
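As an added defender-side example (not code from Sucuri's report), the check below compares WordPress core files with a known-good checksum map and flags any file that is missing or has been modified, such as a jquery.min.js with script appended to it. The checksums here are computed from constructed sample contents; in practice they come from the wordpress.org core checksums API for the installed version and locale.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for the two core files named in the report. Real
# reference hashes come from
# https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US
GOOD_JQUERY = b"/*! jQuery v3.6.0 | (c) OpenJS Foundation */(function(){})();\n"
GOOD_MIGRATE = b"/*! jQuery Migrate v3.3.2 */(function(){})();\n"


def md5_of(data: bytes) -> str:
    # The wordpress.org checksum API publishes md5 per file, so use md5 here.
    return hashlib.md5(data).hexdigest()


# Same shape as the API response: relative path -> expected md5.
KNOWN_GOOD = {
    "wp-includes/js/jquery/jquery.min.js": md5_of(GOOD_JQUERY),
    "wp-includes/js/jquery/jquery-migrate.min.js": md5_of(GOOD_MIGRATE),
}


def verify_core_files(root: Path, checksums: dict) -> dict:
    """Return {relative_path: 'ok' | 'modified' | 'missing'} for every
    core file listed in checksums, relative to the WordPress root."""
    results = {}
    for rel, expected in checksums.items():
        path = root / rel
        if not path.is_file():
            results[rel] = "missing"
        elif md5_of(path.read_bytes()) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "modified"
    return results


def build_sample_site(root: Path) -> None:
    """Constructed fixture: one clean core file and one with a placeholder
    script appended, mimicking an injection (not the campaign's payload)."""
    js_dir = root / "wp-includes" / "js" / "jquery"
    js_dir.mkdir(parents=True, exist_ok=True)
    (js_dir / "jquery-migrate.min.js").write_bytes(GOOD_MIGRATE)
    tampered = GOOD_JQUERY + b"/* appended by attacker */(function(){})();\n"
    (js_dir / "jquery.min.js").write_bytes(tampered)


def check_sample_site() -> dict:
    """Build the fixture in a temp dir and run the check against it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_site(root)
        return verify_core_files(root, KNOWN_GOOD)


if __name__ == "__main__":
    for rel, status in check_sample_site().items():
        print(f"{status:9} {rel}")
```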
For example, one such page found at the end of the redirect chain tricked users into subscribing to push notifications by means of a fake CAPTCHA. Upon agreeing, users would get flooded with ads. These ads would appear to come from the operating system rather than the browser, the researchers said.
This is a great illustration of how browser redirects can turn out to be malicious. We write daily about such threats that prompt users to agree to receive push notifications.
“At the time of writing, PublicWWW has reported 322 websites impacted by this new wave for the malicious drakefollow[.]com domain. Considering that this count doesn’t include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher,” Sucuri concluded.