Massive Wave Of Compromised WordPress Sites – STILL ONGOING [News]

Recent investigation has revealed that more than 2,000 WordPress sites have been hacked as part of a campaign to redirect visitors to various fraudulent sites containing spam notification subscriptions, fake surveys, giveaways, and even fake Adobe Flash downloads.

A security company discovered the hacking campaign when its researchers detected attackers exploiting vulnerabilities in WordPress plugins. This massive campaign is responsible for injecting malicious JavaScript code into compromised WordPress websites. The malicious script redirects visitors to scam pages and other malicious websites to generate illegitimate traffic.

According to the company’s Luke Leal, the PayPal CP Contact Form and Simple Fields plugins are exploited, but other plugins were probably targeted.

Kepp yourself updated with the latest wordpress security news here.

What It is?

When an attacker exploits one of these vulnerabilities, it allows them to inject JavaScript that loads a market location script and has getosecond2 sites directly into a site’s theme.

Once a visitor accesses a hacked site, the injected script will attempt to access two administrative URLs (/wp-admin/options-general.php and /wp-admin/theme-editor.php) in the background to inject scripts. additional commands or modify WordPress settings that will also redirect visitors. However, these URLs require administrator access, so they will only work if an administrator accesses the site.

This involved infecting files such as jquery.min.js and jquery-migrate.min.js with obfuscated JavaScript enabled on every page load, allowing the attacker to redirect website visitors to the destination of their choice.

The GoDaddy-owned website security company said the domains at the end of the redirect chain could be used to load ads, phishing pages, malware, or even trigger another set of redirects.

wordpress malware

In some cases, unsuspecting users are taken to a rogue redirect landing page that contains a fake CAPTCHA verification, clicking on it displays unwanted advertisements that are disguised to appear to come from the operating system and not from a web browser.

Attackers have been found to be targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts:

./wp-includes/js/jquery/jquery.min.js

./wp-includes/js/jquery/jquery-migrate.min.js“

“Once the website had been compromised, attackers had attempted to infect any .js files with jQuery in the names automatically. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…

The campaign, a follow-up to another wave that was spotted last month, is believed to have impacted 322 websites so far, as of May 9. The April series of attacks, on the other hand, has breached more than 6,500 websites.

WordPress Hacked Redirect

Hackers target WordPress sites on a regular basis. There are certain commonly hacked WordPress files that are often targeted by attackers, but in the case of a hacked WordPress redirect, the scenario is somewhat different.

Here, the attackers inject malicious code into your site. Often the administrator is unaware of this attack and only finds out about it after users complain. These are the typical behaviors of a “ WordPress redirect hack”.

Site visitors are usually redirected to spam websites or sites related to scams or porn. Hackers do this for their own purposes, like increasing traffic on their website or breaking into users’ private space! The latter seems to be more dangerous.

Fortunately, certain preventive measures can be taken to prevent this in the future, such as secure coding practices to prevent these attacks.

Symptoms

The heuristic test would be visiting your site from multiple devices. Once you are redirected by the site or some page, it is most likely a malware redirect. From here, a file inspection should be performed to determine the root cause.

Third-Party Ads

WordPress malware redirects can also happen when the site is completely safe. There are situations where site administrators provide provisions for third-party advertisements for the purpose of generating revenue.

Some of these networks do not have a strict policy for ad content. As a result, those ads may contain code that redirects users as soon as they visit the site.

malicious script to redirect vistitors

This particular script is usually executed on the server from the domain that is considered to be malicious. Users are redirected using the code:

window.location.href = “hxxp://go .ad2up[.]com/afu.php? id = 473791. 

This code then displays spam ads to users. Therefore, it becomes important to detect which specific script initiates the WordPress redirection to spam site!

Also Read: How To Setup WordPress Two-Factor Authentication (2FA)

Malicious Chain of Redirects

The malicious injection creates a new script element with the legendarytable[.]com domain as the source. The code from the legendarytable[.]com domain then calls to a second external domain — local[.]drakefollow[.]com — which calls from links[.]drakefollow[.]com, redirecting the site visitor to one of many different domains including:

bluestringline[.]com

browntouchmysky[.]com

redstringline[.]com

whitetouchmysky[.]com

gregoryfavorite[.]space

gregoryfavorite[.]top

pushnow[.]net/

It’s basically a free-for-all at this point. Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects.

Malicious Chain of Redirects Malicious Chain of Redirects

In some attacks, users were redirected to a landing page containing a CAPTCHA check. Upon clicking on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open.

The ads will look like they are generated from the operating system and not from a browser.

According to security experts, at least 322 websites were compromised as a result of this new wave of attacks and were observed redirecting visitors to the malicious website drakefollow[.]com.

Some websites were recently compromised, redirecting visitors to a fake CAPTCHA landing page. The fake CAPTCHA would appear to be generated by the operating system, but clicking it will result in unwanted ads being displayed on your screen even when the site isn’t open.

As a result of this new wave of attacks, in May 2022 at least 322 websites were compromised and observed redirecting visitors to the malicious website drakefollow[.]com.

Conclusion

The recent Redirect hack, which happened in April-MAY, has managed to hack more than 6500 sites in WordPress, for which the subject is quite worrying. Know more about such kind of attacks in these articles –

Our WPHacked Help team has seen a very large number of complaints about this specific wave of the massive campaign to redirect visitors to scam sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing this post.

It was reported that malicious actors used vulnerabilities in WordPress plugins and themes to compromise websites and inject malicious scripts into them. It has been found by our team during the cleanup of infected sites that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. The attacks have been ongoing since May 9th, 2022 and our team is still fixing such cases in bulk before they damage the reputation of our respected clients’ businesses.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)