URL redirect malware infects thousands of WordPress sites

Outdated plugins become manna for online scammers

Attackers have taken control of more than 2,000 WordPress websites via unpatched and end-of-life plugins in order to redirect unsuspecting visitors to survey-for-gifts scam websites, new research has revealed.

Vulnerable plugins for the popular content management system include CP Contact Form with PayPal, a plugin with 3,000 plus active installations, and the now-discontinued Simple Fields.

The researcher who discovered the attacks found that malicious JavaScript had been injected within the WordPress theme file on compromised sites, triggering a chain of redirects to malicious domains.

In a blog post explaining his findings, Luke Leal of Sucuri said changes to and defined in the table are “likely one of the first red flags of malicious behavior”.

The subsequent delivery of a second malicious JavaScript payload gave attackers a bridgehead for injecting additional malware, like PHP backdoors and hacktools, into other theme files to maintain persistent access to the infected website.

If the function verifies that a site visitor has a cookie and requests the payload from within a URL, said the researcher, then the JavaScript function is used to redirect the visitor to the malicious redirect URL stored in the variable.

Malicious redirect URLs were apparently hidden within UTF-16 code units, rather than ASCII characters, by the variable and function. Harnessing the format, attackers added comments as an evasion technique to further conceal the obfuscation.
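As an added example, not code from Sucuri's post or from the campaign, the following Python scanner undoes the two concealment tricks described above, comment padding and a redirect URL spelled out as UTF-16 code units, and flags the cookie-check-then-redirect pattern in a theme file. The injected snippet and the domain example.invalid are constructed.

```python
"""Heuristic scanner for injected redirect JavaScript in WordPress theme files.
Added example; the sample snippet and the domain example.invalid are constructed."""
import re

# Constructed injected snippet: the redirect URL is split across two strings of
# \uXXXX escapes (UTF-16 code units) with comments in between as padding.
SAMPLE_THEME_JS = r"""<script>
var u = "\u0068\u0074\u0074\u0070\u0073\u003a\u002f\u002f" /* pad */ +
    "\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0069\u006e\u0076\u0061\u006c\u0069\u0064\u002f\u0072";
// pad
if (document.cookie.indexOf("seen") === -1) { window.location.href = u; }
</script>"""

COMMENT_RE = re.compile(r"/\*.*?\*/|^[ \t]*//[^\n]*", re.S | re.M)
ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")
JOIN_RE = re.compile(r'["\']\s*\+\s*["\']')
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
REDIRECT_RE = re.compile(r"(?:window\.)?location(?:\.href|\.replace)?\s*[=(]")

def strip_comments(js: str) -> str:
    """Remove block comments and full-line comments. Line comments are only
    stripped at line start so that http:// inside string literals survives."""
    return COMMENT_RE.sub("", js)

def decode_code_units(js: str) -> str:
    """Turn \\uXXXX escapes and String.fromCharCode(...) back into text, then
    merge adjacent string pieces so a split URL becomes contiguous."""
    js = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    js = FROMCHARCODE_RE.sub(
        lambda m: '"' + "".join(chr(int(t)) for t in m.group(1).split(",")
                                if t.strip().isdigit()) + '"',
        js)
    return JOIN_RE.sub("", js)

def scan_theme_js(js: str) -> dict:
    """Report decoded URLs, whether the code gates on a cookie and assigns the
    browser location, and how many characters were hidden behind code units."""
    cleaned = decode_code_units(strip_comments(js))
    return {
        "urls": sorted(set(URL_RE.findall(cleaned))),
        "cookie_check": "document.cookie" in cleaned,
        "location_redirect": bool(REDIRECT_RE.search(cleaned)),
        "escaped_chars": len(ESCAPE_RE.findall(js)) + len(FROMCHARCODE_RE.findall(js)),
    }

if __name__ == "__main__":
    print(scan_theme_js(SAMPLE_THEME_JS))
```

A high escaped_chars count together with a cookie check and a location assignment is the triage signal; the decoded URL list is what to compare against blocklists.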


Attackers also uploaded ZIP files of fake plugin directories containing further malware via the file and unzipped them into .

Leal said the two most common fake plugin directories to look out for were and .

The researcher has urged owners of WordPress sites to disable the modification of primary folders and referred them to Sucuri’s best-practice guidelines for WordPress security.

Leal believes the attack campaign, which appears to have peaked during the third week in January, still has momentum.

“We expect the attackers will continue to register new domains – or leverage existing unused domains – as more security vendors blacklist domains being used in this infection,” he said.

The Daily Swig has invited Sucuri to comment further on the findings.
