More than
2,000 WordPress sites have been infected with malicious JavaScript that
redirects visitors to scam websites and sets the stage for additional malware
to be downloaded at a later time.

The Sucuri team said access is gained to WordPress sites through plugin vulnerabilities, including Simple Fields and CP Contact Form with PayPal. A large uptick in this activity was picked up during the third week of January.

Once inside
a WordPress site the JS redirects visitors at first to four malicious sites, gotosecond2[.]com,
adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz. Next
the URL statistic[.]admarketlocation[.]com/clockwork?&se_referrer= or
track[.]admarketresearch[.]xyz/?track&se_referrer= is loaded onto the
compromised site which delivers the final malicious JS payload.

This last delivery
is quite problematical as it allows the attacker to make additional changes to
the site or bring in more malware such as PHP backdoors and hacktools, to help
them maintain persistence.

“We
encourage website owners to disable the modification of primary folders block
hackers from inserting malicious files or includes as part of WordPress
security hardening and security best practices,” Sucuri suggested.