Massive hacking campaign compromised thousands of WordPress websites

Pierluigi Paganini May 12, 2022

Researchers uncovered a massive hacking campaign that compromised thousands of WordPress websites to redirect visitors to scam sites.

Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content.

The infections automatically redirect site visitors to third-party websites containing malicious content (i.e. phishing pages, malware downloads), scam pages, or commercial websites to generate illegitimate traffic.

“The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files, such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

“Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…” reads the analysis published by Sucuri.

WordPress deobfuscated-malicious-javascript

In some attacks, users were redirected to a landing page containing a CAPTCHA check. Upon clicking on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open.

The ads will look like they are generated from the operating system and not from a browser.

According to Sucuri, at least 322 websites were compromised as a result of this new wave of attacks and were observed redirecting visitors to the malicious website drakefollow[.]com.

“Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing.” concludes the report. “It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.”

Website admins could check if their websites have been compromised by using Sucuri’s free remote website scanner.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress websites)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment