Heimdal

WordPress is a free, open-source content management system (CMS). It is written in PHP and runs on top of a MySQL or MariaDB database. Its two defining features are a plugin architecture and a template system; the templates are referred to as Themes within WordPress. WordPress was originally developed as a blog-publishing platform, but it has since expanded to support other types of web content, including more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS), and online stores. It is one of the most widely used CMSs in the world: according to statistics from October 2021, it powers 42.8 percent of the top 10 million websites.

What Happened?

Researchers from Sucuri have uncovered a large-scale campaign that injects malicious JavaScript into compromised WordPress websites. The injected code redirects visitors to scam pages and other malicious sites in order to generate fraudulent traffic.

As The Hacker News explained, the attackers achieve this by infecting files such as jquery.min.js and jquery-migrate.min.js with obfuscated JavaScript that executes on every page view, which lets them send the site's visitors to a destination of their choosing.

We’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.

Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.

The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”

Source: Sucuri
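As an added example (this is not code from the Heimdal article, from Sucuri, or from the campaign itself), the following Python script shows how a responder might sweep a WordPress install for the two indicators quoted above: the "/* trackmyposs*/" comment marker and the eval(String.fromCharCode(...)) wrapper. It decodes the wrapper statically, so the redirect target can be read without executing any attacker code. The miniature site layout, the payload, and the landing.example domain are all constructed for the demonstration and are not the campaign's real files or infrastructure.

```python
"""Sweep a WordPress tree for the jQuery-file injection described above and
statically decode its eval(String.fromCharCode(...)) wrapper (added example)."""
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Indicators quoted in the report: the comment marker and the
# eval(String.fromCharCode(...)) wrapper that the injected code starts with.
MARKER_RE = re.compile(r"/\*\s*trackmyposs\s*\*/")
CHARCODE_RE = re.compile(r"eval\(\s*String\.fromCharCode\(\s*([\d\s,]+?)\s*\)\s*\)")


def decode_fromcharcode(numbers: str) -> str:
    """Rebuild the string String.fromCharCode(...) would yield, without running any JS."""
    return "".join(chr(int(n)) for n in numbers.split(",") if n.strip())


def scan_js_file(path: Path) -> Optional[dict]:
    """Check one .js file; return a finding, or None when neither indicator is present."""
    text = path.read_text(encoding="utf-8", errors="replace")
    decoded = [decode_fromcharcode(m.group(1)) for m in CHARCODE_RE.finditer(text)]
    has_marker = MARKER_RE.search(text) is not None
    if not has_marker and not decoded:
        return None
    return {
        "path": str(path),
        "marker": has_marker,
        "decoded": decoded,
        # The report says the attackers go after any .js file with jQuery in its name.
        "jquery_named": "jquery" in path.name.lower(),
    }


def scan_tree(root: Path) -> List[dict]:
    """Walk a site root and collect findings for every .js file, not just core jQuery."""
    findings = []
    for path in sorted(root.rglob("*.js")):
        finding = scan_js_file(path)
        if finding is not None:
            findings.append(finding)
    return findings


# --- constructed sample data for the demonstration (not the real campaign) ---------
FAKE_REDIRECT = 'window.location.replace("https://landing.example/");'  # made-up target
CLEAN_JQUERY = "/*! jQuery v3.6.0 | (c) OpenJS Foundation */ !function(e){e.jQuery={}}(window);"


def wrap_like_campaign(js: str) -> str:
    """Encode js in the shape the quoted prefix suggests; only the shape comes from the report."""
    codes = ",".join(str(ord(c)) for c in js)
    return "/* trackmyposs*/eval(String.fromCharCode(" + codes + "));"


def build_sample_site(root: Path) -> None:
    """Write a miniature WordPress layout: two clean files and two infected ones."""
    files = {
        "wp-includes/js/jquery/jquery.min.js": CLEAN_JQUERY,
        "wp-includes/js/jquery/jquery-migrate.min.js": wrap_like_campaign(FAKE_REDIRECT) + CLEAN_JQUERY,
        "wp-content/plugins/demo/jquery.cookie.min.js": wrap_like_campaign(FAKE_REDIRECT) + "// plugin",
        "wp-content/themes/demo/js/theme.js": "document.body.classList.add('ready');",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo() -> List[dict]:
    """Build the sample tree in a temp dir, scan it, and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        findings = scan_tree(root)
        for finding in findings:
            finding["path"] = Path(finding["path"]).relative_to(root).as_posix()
        return findings


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "marker" if finding["marker"] else "no-marker", finding["decoded"])
```

Point scan_tree at a real site root instead of the temporary tree. A hit inside wp-includes/js/jquery/ should be confirmed by comparing the file with a pristine copy of the same WordPress release (WP-CLI's `wp core verify-checksums` does this for core files), and because the researchers found the injection in the database as well as in files, cleaning the .js files alone will not remove the infection.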

According to the researchers, the domains at the end of the redirect chain may be used to serve ads, phishing pages, or malware, or to trigger yet another series of redirects.

In some cases, unsuspecting users land on a rogue page that presents a bogus CAPTCHA check; once they click it, they are served unwanted advertisements disguised to look as if they come from the operating system rather than the browser.

At least 322 websites are believed to have been compromised in this latest wave, and the attackers appear to be exploiting multiple vulnerabilities in WordPress plugins and themes to break into sites and inject their scripts.


Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
