Hacked WordPress Sites Use Visitor Browsers for Brute-Force Attacks

Hacked WordPress Sites Exploit Visitor Browsers to Compromise Other Resources

Security company Sucuri has issued a warning about a large-scale campaign targeting WordPress sites. Hackers are breaching these sites and injecting scripts that force visitors’ browsers to brute-force passwords on other websites.

According to researchers, the hackers behind this campaign typically compromise sites to inject scripts designed to steal cryptocurrency wallets. When users visit these infected sites, the scripts display fraudulent messages, attempting to trick victims into connecting their wallets. If a user falls for the scam, the scripts steal all assets from their wallet.

Previously, hackers used compromised WordPress sites to deploy the AngelDrainer malware. These attacks came in several waves from different URLs, the most recent being dynamiclink[.]lol/cachingjs/turboturbo.js.

However, at the end of February, attackers switched tactics. Now, they use visitor browsers to brute-force other WordPress sites by injecting a malicious script from the newly registered domain dynamic-linx[.]com/chx.js.

How the Attack Works

  • Hackers compromise a WordPress site and inject malicious code into its HTML templates.
  • When visitors access the site, their browsers load scripts from https://dynamic-linx[.]com/chx.js.
  • These scripts secretly connect the victim’s browser to the hackers’ server (https://dynamic-linx[.]com/getTask.php) to receive brute-force tasks.
  • The task is delivered as a JSON file containing parameters for the attack: an ID, the target site’s URL, account name, a number indicating the current batch of passwords, and a list of 100 passwords to try.
  • Once the task is received, the script makes the visitor’s browser attempt to upload a file through the WordPress XML-RPC interface, authenticating with the account name and each password from the JSON task.
  • If the password is correct, the script notifies the operators that the password for the site has been found. The hackers can then connect to the site and retrieve the uploaded file, which contains the username and password encoded in base64.
  • As long as the malicious page remains open, the script continues to make the victim’s browser connect to the hackers’ server and receive new brute-force tasks.
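On the receiving side (the sites being brute-forced), this traffic looks different from a classic single-host attack: many distinct client addresses each POST to xmlrpc.php only a few times, so per-IP throttling never trips. The following is an added example, not code from Sucuri’s report: a Python check over constructed Apache access-log lines that flags such windows. Addresses, timestamps and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in Apache "combined" format; addresses and times are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Mar/2024:10:01:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Mar/2024:10:02:40 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.15 - - [01/Mar/2024:10:03:58 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.8 - - [01/Mar/2024:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/6.4"
"""

# Client address, timestamp, method and path from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')


def find_distributed_xmlrpc_bursts(lines, window_s=300, min_ips=5, max_per_ip=10):
    """Bucket POSTs to xmlrpc.php into fixed windows and report windows where
    many distinct addresses each made only a few attempts (thresholds assumed)."""
    buckets = defaultdict(lambda: defaultdict(int))  # window start -> ip -> count
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        if not m['path'].split('?', 1)[0].endswith('/xmlrpc.php'):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        bucket = int(ts.timestamp()) // window_s * window_s
        buckets[bucket][m['ip']] += 1
    alerts = []
    for bucket, per_ip in sorted(buckets.items()):
        # Low per-address count with high address diversity is the browser-borne signature.
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            alerts.append({
                'window_start': datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                'distinct_ips': len(per_ip),
                'posts': sum(per_ip.values()),
            })
    return alerts


if __name__ == '__main__':
    for alert in find_distributed_xmlrpc_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Sites that do not need XML-RPC can also block or disable xmlrpc.php outright, which removes this authentication path entirely.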

According to PublicHTML, over 1,700 sites are currently infected with these scripts, meaning many users could unknowingly become part of this brute-force campaign. For example, even the website of the Association of Private Banks of Ecuador has been compromised.

Why the Change in Tactics?

Sucuri experts note that it’s unclear why hackers suddenly shifted from cryptocurrency theft to brute-force attacks. Researchers believe the attackers may be trying to expand their portfolio of compromised sites, which could later be used for larger-scale attacks targeting cryptocurrency theft once again.

“Most likely, they realized that with their infection scale (about 1,000 hacked sites), stealing cryptocurrency isn’t very profitable,” summarizes Sucuri specialist Denis Sinegubko. “Additionally, they attract too much attention, and their domains get blocked quickly. So, it makes sense to switch to a more covert payload and increase their portfolio of hacked sites for future attack waves that can be monetized in some way.”
