Hackers Attack Over 2000 WordPress Websites in a Malicious Campaign


According to a cybersecurity firm Sucuri, hackers have hacked over 2000 WordPress websites using a weakness in some installed plugins. As claimed by the Sucuri researchers, the whole idea was to redirect visitors of the affected WordPress websites to a scam website that contains giveaways, unwanted browser subscription notification, fake survey, and fake adobe flash downloads.

This establishes the length hackers can go to take advantage of the vulnerabilities of a website for their goals. This attack is new and it is expected that website owners take the necessary step to avoid being hacked.
Researchers at Sucuri revealed that this new campaign starts by hackers injecting JavaScript into websites using the vulnerabilities in the Simple field plugins and the CP contact form of PayPal plugin.

The role of the injected JavaScript is to access the administrative URLs – /wp-admin/options-general.php and /wp-admin/theme-editor.php anytime a visitor attempt to visit the affected site. The JavaScript then do more damage by changing the needed settings to redirect visitors to the spammy site.

WordPress Websites

Image Source: www.wpbluffs.com

The injected JavaScript also load scripts from admarketlocation(.)com and gotosecond2(.)com as claimed by the report. Most of this operation of JavaScript occurs in the background whiles visitors make attempts to visit these WordPress websites.

To clearly understand how this campaign works, researchers from Bleepingcomputer carefully followed the direction as planned by the attackers. They were asked to subscribe to a browser notification before they could be able to proceed. This was after one of the affected websites redirected them to the spammy website set up by the hackers. After subscribing, they were led to another website full of tech support scams, fake surveys, and fake adobe flash player updates. From the analysis, it could be found that the campaign is a well-planned one and very serious than it seems.

The JavaScript payload injected proceed to do more damages by engaging in a dangerous modification of the existing WordPress theme file. This is done through the /wp-admin/theme-editor.phpfile. From this point, they are able to inject more malware.

The Sucuri researchers pointed out that hackers can inject malware like PHP backdoor or Hacktool to give them access to the affected WordPress websites regularly. The hackers change the home and the “siteurl” of the attacked sites to redirect the visitors to their created websites. This is a very common behavior of their campaign. In this note, It is important to be careful when you are redirected to another website when trying to access a site.

WordPress Websites

Image Source: www.bleepingcomputer.com

They have another technique. They create a variable and name it ijmjg and then hide the “malicious redirect URL” using the function String.fromCharCode(). It is done in UTF-16 code units format instead of ASCII characters according to the Sucuri researchers. They then add comments which do not really make sense to conceal the obfuscation in a bid to make it difficult for anyone who tries to search for the text string. They make use of a condition that uses Checkone() to check if the visitor trying to load the payload has a “_logged_in” cookie. It also verifies if the visitor is requesting the payload from the /wp-admin. If the visitors meet all these conditions, they are redirected to the malicious website found in the ijmjg variable by the JavaScript function location.replace.

According to the Sucuri researchers, many WordPress websites have been infected with this malicious JavaScript in the third week of January. It was found that most of the domain names are very recent establishing that this campaign was recently started. The domain with the oldest registration date is the gotoseconds2(.)com which is 14 December 2019. Another domain called adsmarket(.)com was registered on 17 January 2020. It was stated that the attackers are expected to create more websites using new domain names or existing but unused domains to run their campaigns as more websites are expected to be affected.

WordPress websites can be scanned for any malicious JavaScript redirecting visitors to unwanted websites. You can mostly do this by checking for any recent modification of the WordPress website file. Affected WordPress websites can clean the hacked WordPress site. When the infection is located in the plugins or core files, malware can be removed manually. The custom files can be replaced with fresh files or recent backup.

The Sucuri researchers also advise that the malware can be removed by cleaning the hacked database table. You can use your database admin panel to connect to the database. Remove any hidden backdoor and secure user account. It is important to have one admin user and set other user roles with limited privileges.

Source: Bleeping Computer

Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for the general purpose only and unintended to promote or support purchasing and/or selling of any products and services or serve as a recommendation in the involvement of doing so. Neither Darkweblink.com nor any member is responsible directly or indirectly for any loss or damage caused or alleged to be caused by or in relation to the reliance on or usage of any content, goods or services mentioned in this article.

Tags: #Deep_Web_directories #Hidden_Wiki_Links #Deep_Web_Links_and_Web_Sites #Dark_Web_Links #Best_Dark_web_Websites


Please enter your comment!
Please enter your name here