Over two thousand WordPress sites were compromised using a malicious script that redirects visitors to scam websites. Sucuri reported that the attackers gained access to the affected sites by exploiting vulnerable versions of plugins such as “CP Contact Form with PayPal” and “Simple Fields”. They also observed a significant increase in activity in the third week of January.
Besides leading visitors to scam websites, the malicious script can also gain unauthorized admin access to affected WordPress sites, allowing attackers to inject malware and apply modifications.
Access to admin features
The malicious script uses fake notification requests, fake surveys, fake technical support, and fake software updates to redirect visitors to scam websites. It then loads another URL, which serves as the final malicious script payload.
It will then attempt to access /wp-admin/ features in the background. If the visitor is an admin of the website, the attempt will be successful. The attackers gain access to admin features and can perform the following:
Set up additional malicious redirects – The attackers can access /wp-admin/options-general.php to add more redirects to other scam websites.
Add malware – The attackers can create fake plugin directories that contain more malware. This is done by uploading compressed files using the /wp-admin/includes/plugin-install.php file. This will upload and unzip the file and place the uncompressed fake plugin into /wp-content/plugins/.
Maintain access for future malware injection – The attackers can access the /wp-admin/theme-editor.php file, which allows them to load additional malware such as PHP backdoors and hacking tools, maintaining access for future site modifications and letting them inject more malware into the already infected site.
Attackers used obfuscation tactics to disguise the malicious code. In one example, the attackers hid malicious redirect URLs by writing them as UTF-16 escape sequences instead of plain ASCII characters. Multiple code comments containing incomprehensible text were also included to further hide the unauthorized modifications in a sea of text.
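As an added illustration, not taken from Sucuri's or Trend Micro's analysis, the following Python scanner decodes the `\uXXXX` (UTF-16 code unit) escapes described above and flags any URL that only becomes readable after decoding and points outside a site's trusted hosts; the sample script, its junk comments and the domain names in it are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the obfuscation the article describes: the redirect
# URL is written as \uXXXX escapes and padded with meaningless comments. A raw string
# keeps the backslashes literal so the scanner, not Python, does the decoding.
SAMPLE_JS = r"""
/* k3j4h lorem zx9q */
var u = "\u0068\u0074\u0074\u0070\u0073\u003a\u002f\u002f\u0073\u0063\u0061\u006d\u002d\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0074\u0065\u0073\u0074\u002f\u0070\u0072\u006f\u006d\u006f";
/* qpw0 nonsense */
window.location = u;
var ok = "https://www.example.test/assets/app.js";
"""

ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def decode_unicode_escapes(text: str) -> str:
    """Replace each \\uXXXX escape with the character it encodes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def comment_ratio(text: str) -> float:
    """Share of the script made up of block comments; junk comments inflate this."""
    if not text:
        return 0.0
    commented = sum(len(m.group(0)) for m in BLOCK_COMMENT_RE.finditer(text))
    return commented / len(text)


def scan_script(text: str, trusted_hosts: set[str]) -> list[dict]:
    """List every URL in the decoded script with whether it was hidden and trusted."""
    decoded = decode_unicode_escapes(text)
    findings = []
    for url in sorted(set(URL_RE.findall(decoded))):
        host = urlparse(url).hostname or ""
        findings.append({
            "url": url,
            "host": host,
            "hidden": url not in text,      # only visible once escapes are decoded
            "trusted": host in trusted_hosts,
        })
    return findings


def suspicious(text: str, trusted_hosts: set[str]) -> list[dict]:
    """URLs that were both escape-hidden and point to a host outside the allowlist."""
    return [f for f in scan_script(text, trusted_hosts) if f["hidden"] and not f["trusted"]]
```

Run `suspicious(js_source, {"www.example.test"})` over each JavaScript and theme file in a site backup; a hit together with a high `comment_ratio` is a strong indicator of the injected redirect rather than legitimate minified code.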
The researchers expect the attackers to continue registering new domains and take advantage of existing unused domains to create other scam websites.
Recommendations and Trend Micro Solutions
The breach of a website’s security interrupts business operations and exposes users to threats. System admins can prevent malware infiltration and strengthen security by applying the latest software patches and platform updates. It also pays to be vigilant in monitoring websites for malicious activity such as unauthorized access, URL redirection, and the addition of unknown plugins.
Trend Micro recommends the following solutions to secure users and businesses from compromise. Powered by XGen™ security, these solutions block malicious scripts and prevent access to unsafe domains: