The Malicious Campaign Allowed the Attacker to Redirect Website Users to a Location of Their Choosing.
Last updated on May 13, 2022
WordPress is a free, open-source content management system (CMS). It is written in PHP and paired with either a MySQL or MariaDB database. Its features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was first developed as a platform for publishing blogs, but it has since expanded to support other types of web content, such as more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS), and online stores. One of the most widely used content management systems in the world, WordPress is used by 42.8 percent of the top 10 million websites, according to statistics from October 2021.
We’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.
Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.
We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.
Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”
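A defender can sweep a webroot for the marker quoted above. The following is an added example, not code from the article or the researchers: the function names, the sample theme path and the harmless payload in the sample tree are constructed for illustration, since the article truncates the real payload. It decodes the character codes to text for triage without executing them.

```python
import os
import re
import tempfile

# Marker quoted in the article; spacing inside the comment is matched loosely.
MARKER = re.compile(rb"/\*\s*trackmyposs\s*\*/\s*eval\(String\.fromCharCode\(([\d\s,]*)")

def decode_charcodes(args):
    """Decode the numeric argument list to text without executing anything."""
    return "".join(chr(int(n) & 0xFFFF) for n in re.findall(rb"\d+", args))

def scan_webroot(root, all_js=False):
    """Map each flagged .js path to a preview of its decoded payload."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if not low.endswith(".js") or not (all_js or "jquery" in low):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            match = MARKER.search(data)
            if match:
                hits[path] = decode_charcodes(match.group(1))[:200]
    return hits

def build_sample_tree(root):
    """Constructed test data: harmless payload, hypothetical theme path."""
    codes = ",".join(str(ord(c)) for c in "console.log('constructed');")
    infected = "/* trackmyposs*/eval(String.fromCharCode(%s));/*! jQuery */" % codes
    files = {
        "wp-includes/js/jquery/jquery.min.js": infected,
        "wp-includes/js/jquery/jquery-migrate.js": "/*! jQuery Migrate */",
        "wp-content/themes/demo/app.js": infected,  # not jQuery-named
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, preview in scan_webroot(tmp).items():
            print(path, "->", preview)
```

By default only files with jQuery in the name are checked, matching the behaviour described above; pass `all_js=True` to sweep every .js file.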
The security researchers said that the domains at the end of the redirect chain might be used to load ads, phishing sites, or malware, or even to trigger another series of redirects.
Occasionally, unsuspecting users are redirected to a rogue redirect landing page that contains a bogus CAPTCHA check, and upon clicking the fake CAPTCHA check, they are served unwanted advertisements that are disguised to appear as if they are coming from the operating system rather than a web browser.
It is suspected that 322 websites have been compromised as a result of the effort, and it seems that the attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.