
Thousands of WordPress websites hacked to redirect visitors to fraudulent websites




Over 2,000 WordPress websites have been hacked to support a campaign that redirects visitors to scam sites pushing unwanted browser notification subscriptions, fake surveys, giveaways, and fake Adobe Flash downloads.


This hacking campaign was discovered by website security firm Sucuri, which identified attackers exploiting vulnerabilities in WordPress plugins in the third week of January 2020.


Sucuri researcher Luke Leal told BleepingComputer that some of the vulnerable plugins that were exploited include the "CP Contact Form with PayPal" and the "Simple Fields" plugins, but we're told other plugins are likely targeted as well.


If exploited, the vulnerabilities allow attackers to inject JavaScript that loads scripts from the admarketlocation[.]com and gotosecond2[.]com sites directly into the theme, as shown below.



When a visitor loads the hacked website, the injected script attempts to access the administrative URLs /wp-admin/options-general.php and /wp-admin/theme-editor.php in the background in order to inject further scripts or change WordPress settings that will also redirect the visitor.




However, these URLs require administrative access, so the requests only succeed if an administrator visits the site. Everyone else is instead redirected through a series of websites that ultimately land them on various scam sites.


In our tests against one of these hacked sites, we were frequently redirected to scam pages that told users they needed to opt in to browser notifications to proceed.


Once a user clicks on the Allow button to subscribe to the notifications, they are redirected to other scam sites such as fake surveys, tech support scams, and fake Adobe Flash Player updates.


In addition to injecting the JavaScript, Sucuri also found that the attackers created fake plugin directories that are used to upload additional malware to the compromised websites.


"Another interesting finding is the creation of fake plugin directories containing further malware, which can also be generated by the attacker's abuse of /wp-admin/ functions, namely uploading zip compressed files using the /wp-admin/includes/plugin-install.php file to perform uploading and unzipping of the compressed fake plugin in /wp-content/plugins/," Sucuri explained in its report.


The most commonly seen fake plugin paths are wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
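As an added example (not part of this article or of Sucuri's report), the following Python scanner checks a WordPress install for the indicators named above: the two fake plugin paths, and theme or script files that reference the two redirect domains. The sample install it scans is constructed inside the script, and the script URL path in the infected sample is a placeholder.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article: the fake plugin files the campaign drops
# and the two domains its injected JavaScript loads scripts from.
FAKE_PLUGIN_FILES = (
    "wp-content/plugins/supersociall/supersociall.php",
    "wp-content/plugins/blockspluginn/blockspluginn.php",
)
INJECTED_DOMAINS = re.compile(r"admarketlocation\.com|gotosecond2\.com", re.I)
SCAN_SUFFIXES = {".php", ".js", ".html"}


def scan_wordpress(root):
    """Return sorted (kind, relative_path) findings for one WordPress install."""
    root = Path(root)
    findings = []
    # Exact-path check for the known fake plugin files.
    for rel in FAKE_PLUGIN_FILES:
        if (root / rel).is_file():
            findings.append(("fake-plugin", rel))
    # Content check: the campaign writes <script> tags into theme files, so any
    # served file that references the redirect domains is suspect.
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            if INJECTED_DOMAINS.search(path.read_text(errors="replace")):
                findings.append(("injected-script", path.relative_to(root).as_posix()))
    return sorted(findings)


def build_sample_install(base):
    """Constructed sample tree: one clean theme file, one injected, one fake plugin."""
    base = Path(base)
    clean = base / "wp-content/themes/demo/functions.php"
    infected = base / "wp-content/themes/demo/header.php"
    fake = base / FAKE_PLUGIN_FILES[0]
    for p in (clean, infected, fake):
        p.parent.mkdir(parents=True, exist_ok=True)
    clean.write_text("<?php add_action('wp_head', 'demo_head');\n")
    # Constructed loader tag; the "/x.js" path is a placeholder, not a real IoC.
    infected.write_text('<script src="https://admarketlocation.com/x.js"></script>\n')
    fake.write_text("<?php /* Plugin Name: supersociall */\n")


def demo():
    """Build the constructed sample in a temp dir, scan it, and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return scan_wordpress(tmp)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:16} {rel}")
```

On a real install, run `scan_wordpress("/path/to/wordpress")` and treat any finding as a reason to restore from a known-good backup and update the vulnerable plugins.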


Do you run a website on the WordPress CMS and are you concerned that it may have been compromised? Contact us: we will be happy to check your website, produce a report on any malicious content detected, and support you in implementing the recommended measures. Is your website business-critical for you? Then we recommend our penetration tests.


Contact us: 031 529 29 00 or send an email directly to: roberto@bortoli.ch

