Outdated plugins become manna for online scammers
Attackers have taken control of more than 2,000 WordPress websites via unpatched and end-of-life plugins in order to redirect unsuspecting visitors to survey-for-gifts scam websites, new research has revealed.
Vulnerable plugins for the popular content management system include CP Contact Form with PayPal, a plugin with 3,000 plus active installations, and the now-discontinued Simple Fields.
In a blog post explaining his findings, Luke Leal of Sucuri said changes to and defined in the table are “likely one of the first red flags of malicious behavior”.
Malicious redirect URLs were apparently hidden within UTF-16 code units, rather than ASCII characters, by the variable and function. Harnessing the format, attackers added comments as an evasion technique to further conceal the obfuscation.
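To show how a reviewer can recover a URL hidden that way, here is an added example that is not Sucuri's code or the malware itself. The article does not name the variable and function used in the infection, so this assumes the common String.fromCharCode pattern, in which the URL is expressed as a list of UTF-16 code units, and it uses a constructed sample in which comments are wedged between the code units, with a made-up example.invalid destination.

```javascript
// Added example: recovering a redirect URL hidden as UTF-16 code units with
// interleaved comments. Not Sucuri's or the campaign's code; the real variable
// and function names are not given in the article, so String.fromCharCode is
// assumed and the sample below is constructed for illustration.

// Constructed sample modelled on the described technique: the code units of
// the URL are passed to String.fromCharCode, with comments inserted so a naive
// signature for "fromCharCode(104,116,116,112" does not match.
const SAMPLE = `
var /*x*/ u = String/*a*/./*b*/fromCharCode(104/**/,116,/*c*/116,112,115,58,47,/* d */47,
101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,114,101,100,105,114);
// the redirect itself would happen later in a real sample
`;

// Remove block and line comments, copying string literals verbatim so that
// "//" inside a URL string is not mistaken for the start of a comment.
function stripComments(src) {
  let out = '';
  let i = 0;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '"' || c === "'" || c === '`') {
      const q = c;
      out += c; i++;
      while (i < src.length && src[i] !== q) {
        if (src[i] === '\\') { out += src[i]; i++; } // keep escaped char
        out += src[i]; i++;
      }
      out += src[i] || ''; i++; // closing quote, if present
    } else if (c === '/' && n === '*') {
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
    } else if (c === '/' && n === '/') {
      const end = src.indexOf('\n', i);
      i = end === -1 ? src.length : end; // keep the newline itself
    } else {
      out += c; i++;
    }
  }
  return out;
}

// Find every String.fromCharCode(...) call whose arguments are numeric
// literals and decode it back to the string it would produce at run time.
function decodeFromCharCode(src) {
  const clean = stripComments(src);
  const re = /String\s*\.\s*fromCharCode\s*\(([\d\s,]+)\)/g;
  const results = [];
  for (const m of clean.matchAll(re)) {
    const units = m[1].split(',').map(s => s.trim()).filter(Boolean).map(Number);
    results.push(String.fromCharCode(...units));
  }
  return results;
}

// Surface only the decoded strings that look like absolute URLs: these are
// the redirect targets a site owner wants to see when triaging injected code.
function findHiddenUrls(src) {
  return decodeFromCharCode(src).filter(s => /^https?:\/\//i.test(s));
}

console.log(findHiddenUrls(SAMPLE));
```

Stripping comments before matching is the point: the comments exist to defeat simple pattern matching on the call, so any detection that runs over the raw file text rather than a normalised version will miss exactly the samples this campaign produces.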
Attackers also uploaded ZIP files of fake plugin directories containing further malware via the file and unzipped them into .
Leal said the two most common fake plugin directories to look out for were and .
The researcher has urged owners of WordPress sites to disable the modification of primary folders and referred them to Sucuri’s best-practice guidelines for WordPress security.
Leal believes the attack campaign, which appears to have peaked during the third week in January, still has momentum.
“We expect the attackers will continue to register new domains – or leverage existing unused domains – as more security vendors blacklist domains being used in this infection,” he said.
The Daily Swig has invited Sucuri to comment further on the findings.