Security researchers have identified a malicious campaign against WordPress sites. The campaign uses known vulnerabilities in WordPress themes and plugins, and has affected thousands of websites.
Malicious Campaign Compromises WordPress Sites: the Details
According to data shared by PublicWWW, at least 6,000 sites were infected in April alone. However, since the PublicWWW data only shows detections for simple script injections, Sucuri researchers believe that the scope of the campaign is “significantly larger”.
The investigation was initiated by owners of WordPress sites complaining about unwanted redirects. These redirects were found to be connected to a new wave of this previously known massive operation, and were redirecting website visitors via numerous redirects to serve them unwanted ads.
This could allow the attacker to redirect visitors to any online destination. The end of the redirect chain could load advertisements, phishing pages, or even malware. It could also initiate another set of intrusive redirects, the researchers said.
For example, one such page found at the end of the redirect chain, tricked users into subscribing to push notifications. It involved a fake CAPTCHA. Upon agreeing, users would get flooded with ads. These ads would look like they come from the operating system, not the browser, the researchers said.
This is a great illustration of how browser redirects can turn out to be malicious. We write daily about such threats that prompt users to agree to receive push notifications.
“At the time of writing, PublicWWW has reported 322 websites impacted by this new wave for the malicious drakefollow[.]com domain. Considering that this count doesn’t include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher,” Sucuri concluded.