A recent investigation revealed that more than 2,000 WordPress sites have been hacked as part of a campaign that redirects visitors to fraudulent sites pushing spam notification subscriptions, fake surveys, giveaways, and even fake Adobe Flash downloads.
According to the company’s Luke Leal, the PayPal CP Contact Form and Simple Fields plugins were exploited, and other plugins were probably targeted as well.
What Is It?
Once a visitor accesses a hacked site, the injected script attempts to access two administrative URLs (/wp-admin/options-general.php and /wp-admin/theme-editor.php) in the background in order to inject additional scripts or modify WordPress settings that will also redirect visitors. These URLs require administrator privileges, however, so this step only works when a logged-in administrator visits the site.
The GoDaddy-owned website security company said the domains at the end of the redirect chain could be used to load ads, phishing pages, malware, or even trigger another set of redirects.
In some cases, unsuspecting users are taken to a rogue landing page containing a fake CAPTCHA verification; clicking it displays unwanted advertisements disguised to look as though they come from the operating system rather than from the web browser.
Attackers have been observed targeting multiple vulnerabilities in WordPress plugins and themes to compromise websites and inject their malicious scripts:
“Once the website had been compromised, attackers had attempted to infect any .js files with jQuery in the names automatically. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…
The campaign, a follow-up to another wave that was spotted last month, is believed to have impacted 322 websites so far, as of May 9. The April series of attacks, on the other hand, has breached more than 6,500 websites.
Hackers target WordPress sites on a regular basis. Certain commonly hacked WordPress files are frequent targets, but a hacked WordPress redirect plays out somewhat differently.
Here, the attackers inject malicious code into your site. The administrator is often unaware of the attack and only finds out after users complain. These are the typical behaviors of a “WordPress redirect hack”.
Site visitors are usually redirected to spam websites or to sites related to scams or porn. Hackers do this for their own purposes, such as driving traffic to their own websites or breaking into users’ private space. The latter is the more dangerous of the two.
Fortunately, preventive measures such as secure coding practices can be taken to stop these attacks in the future.
A practical heuristic test is to visit your site from multiple devices and browsers. If the site or a particular page redirects you, it is most likely a malware redirect. From there, a file inspection should be performed to determine the root cause.
WordPress malware redirects can also happen when the site itself is completely clean. Site administrators sometimes make room for third-party advertisements in order to generate revenue, and some of these ad networks do not enforce a strict policy on ad content. As a result, those ads may contain code that redirects users as soon as they visit the site.
Such a script is usually served from a domain that is considered malicious. Users are redirected using code like the following (URL defanged):

```javascript
window.location.href = "hxxp://go.ad2up[.]com/afu.php?id=473791";
```

This code then sends users to spam ads. It is therefore important to identify which specific script initiates the WordPress redirect to the spam site.
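To turn the two indicators this post describes (the `/* trackmyposs*/eval(String.fromCharCode` prefix injected into jQuery-named .js files, and a `window.location.href` redirect to a known-bad domain) into a check an administrator can run during file inspection, here is an added Python scanner that is not part of the original post or of any vendor tool. It decodes `String.fromCharCode` literals so a hidden redirect becomes readable; the watchlist uses the domains named in this post and the infected sample file is constructed, not a real payload.

```python
import re
from pathlib import Path

# Indicators taken from this post; domains are kept defanged ([.]) and
# refanged only at match time.
INJECTION_MARKER = "/* trackmyposs*/eval(String.fromCharCode"
BAD_DOMAINS = ["ad2up[.]com", "legendarytable[.]com", "drakefollow[.]com"]
REDIRECT_RE = re.compile(r"window\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def decode_charcode(js: str) -> str:
    """Replace every String.fromCharCode(n, n, ...) literal with the text it
    builds, so an obfuscated redirect can be read and matched."""
    def to_text(m):
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    return CHARCODE_RE.sub(to_text, js)


def scan_js(text: str) -> list:
    """Return a list of findings for one JavaScript file's contents."""
    findings = []
    if INJECTION_MARKER in text:
        findings.append("trackmyposs eval(String.fromCharCode) injection marker")
    for url in REDIRECT_RE.findall(decode_charcode(text)):
        for domain in BAD_DOMAINS:
            if domain.replace("[.]", ".") in url:
                findings.append("redirect to known-bad domain " + domain)
    return findings


def scan_site(root: str) -> dict:
    """Walk a WordPress install and scan the jQuery-named .js files this
    campaign is reported to infect. Returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*.js"):
        if "jquery" in path.name.lower():
            findings = scan_js(path.read_text(errors="ignore"))
            if findings:
                hits[str(path)] = findings
    return hits


# Constructed sample resembling the described injection (not a real payload):
# the redirect quoted in the post, hidden behind String.fromCharCode.
_PAYLOAD = 'window.location.href="http://go.ad2up.com/afu.php?id=473791";'
SAMPLE_INFECTED = (INJECTION_MARKER + "("
                   + ",".join(str(ord(c)) for c in _PAYLOAD) + "))")

if __name__ == "__main__":
    print(decode_charcode(SAMPLE_INFECTED))
    print(scan_js(SAMPLE_INFECTED))
```

Run `scan_site("/path/to/wordpress")` against a copy of the site root to list every jQuery-named script carrying either indicator.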
Malicious Chain of Redirects
The malicious injection creates a new script element whose source is the legendarytable[.]com domain. The code served from legendarytable[.]com then calls a second external domain, local[.]drakefollow[.]com, which in turn calls links[.]drakefollow[.]com and redirects the site visitor to one of many different domains, including:
It’s basically a free-for-all at this point. Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects.
In some attacks, users were redirected to a landing page containing a CAPTCHA check. Upon clicking on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open.
The ads will look like they are generated from the operating system and not from a browser.
According to security experts, in May 2022 at least 322 websites were compromised in this new wave of attacks and observed redirecting visitors to the malicious drakefollow[.]com domain.
Some of these recently compromised sites redirect visitors to a fake CAPTCHA landing page. The fake CAPTCHA appears to be generated by the operating system, but clicking it results in unwanted ads being displayed on your screen even when the site isn’t open.
The recent redirect hack, which took place in April and May, has compromised more than 6,500 WordPress sites, which is quite worrying. Read more about this kind of attack in these articles:
- Websites Redirecting to Digestcolect .com – Elementor Pro Vulnerabilities
- Malware Redirecting Websites To Outlook Pages & Fake Phishing Sites
- EITest Redirection – Website Redirecting to Fake Tech Support Pages
Our WPHacked Help team has received a very large number of complaints about this specific wave of the massive campaign redirecting visitors to scam sites, which began on May 9th, 2022 and had already impacted hundreds of websites at the time of writing.
During cleanup of infected sites, our team has found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise websites and inject their malicious scripts. The attacks have been ongoing since May 9th, 2022, and our team is still fixing such cases in bulk before they damage the reputation of our respected clients’ businesses.