Over two thousand WordPress sites were compromised using a malicious script that redirects visitors to scam websites. Sucuri reported that the attackers gained access to the affected sites by exploiting vulnerable versions of plugins such as “CP Contact Form with PayPal” and “Simple Fields”. They also observed a significant increase in activity in the third week of January.
Besides leading visitors to scam websites, the malicious script can also gain unauthorized admin access to affected WordPress sites, allowing attackers to inject malware and apply modifications.
The scam websites that visitors are redirected to use fake browser notification requests, fake surveys, fake technical support pages, and fake software updates as lures. The injected script also loads a second URL, which serves the final malicious script payload.
That payload then sends requests to /wp-admin/ in the background. If the visitor is logged in as an administrator of the site, the requests are made with the administrator's session and succeed. The attackers thereby gain access to admin features and can perform the following:
Attackers used obfuscation tactics to disguise the malicious code. In one example, the attackers hid the malicious redirect URLs by writing them as UTF-16 escape sequences instead of plain ASCII characters, so that a simple search for the domain name would not find them. Multiple code comments filled with incomprehensible text were also included to further bury the unauthorized modifications in a sea of text.
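The following is an added example, not code from the Sucuri or Trend Micro write-ups. It reproduces the obfuscation described above (redirect URL stored as UTF-16 \uXXXX escape sequences, filler comments of meaningless text) in a constructed sample script, and then applies the decoding a scanner or analyst would use to recover the redirect target and the /wp-admin/ endpoint the background requests are aimed at. The domain, the file layout, and the function names are assumptions made for the example.

```javascript
// Added example, not code from the Sucuri or Trend Micro write-ups. Builds a
// script obfuscated the way the text describes and then decodes it to recover
// the redirect URL and any /wp-admin/ endpoints it references.

// Attacker-side encoder: every character becomes a \uXXXX escape, so a plain
// grep for "http" or "wp-admin" over the file finds nothing.
function toUnicodeEscapes(str) {
  return Array.from(str)
    .map((ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"))
    .join("");
}

// Constructed sample of an injected script (placeholder domain). The comments
// are filler meant to bury the real statements; both strings are fully escaped.
const FILLER = "/* qwe zxc rty uio lkj hgf dsa poi mnb vcx */";
const SAMPLE_SCRIPT = [
  FILLER,
  'var u = "' + toUnicodeEscapes("https://example.invalid/r") + '";',
  FILLER,
  'var a = "' + toUnicodeEscapes("/wp-admin/user-new.php") + '";',
  FILLER,
  "window.location = u;",
].join("\n");

// Remove /* ... */ block comments and whole-line // comments. Trailing //
// comments are left alone so that "https://" inside a string is never clipped.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
}

// Decode \uXXXX and \xXX escape sequences back to the characters they encode.
function decodeEscapes(src) {
  return src
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Analyze one script: count escape sequences (a high density is itself a red
// flag), strip comments, decode, then pull URLs and wp-admin paths out of the
// decoded text.
function analyzeScript(src) {
  const escapeCount = (src.match(/\\[ux][0-9a-fA-F]{2,4}/g) || []).length;
  const decoded = decodeEscapes(stripComments(src));
  const urls = decoded.match(/https?:\/\/[^\s"'<>]+/g) || [];
  const wpAdminPaths = decoded.match(/\/wp-admin\/[A-Za-z0-9_./-]*/g) || [];
  return {
    escapeCount,
    urls,
    wpAdminPaths,
    // Flag scripts that hide a URL or an admin endpoint behind escapes.
    suspicious: escapeCount > 0 && (urls.length > 0 || wpAdminPaths.length > 0),
  };
}

// Run the analysis over the constructed sample.
console.log(JSON.stringify(analyzeScript(SAMPLE_SCRIPT), null, 2));
```

The point of counting escapes before decoding is that legitimate theme and plugin scripts rarely spell out an entire URL as escape sequences; a file where every character of a string literal is escaped is worth a look even before the decoded content is inspected. Running the same decoding over files under wp-content/ and comparing the result against a grep of the raw files is a quick way to find modifications that the attacker's encoding was meant to hide.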
The researchers expect the attackers to continue registering new domains and take advantage of existing unused domains to create other scam websites.
The breach of a website’s security interrupts business operations and exposes users to threats. System admins can prevent malware infiltration and strengthen security by applying the latest software patches and platform updates. It also pays to be vigilant in monitoring websites for malicious activity such as unauthorized access, URL redirection, and the addition of unknown plugins.
Trend Micro recommends the following solutions to secure users and businesses from compromise. Powered by XGen™ security, these solutions block malicious scripts and prevent access to unsafe domains: