WordPress websites are being hacked to hijack your browser — and then attack other sites

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

Cybercriminals are using compromised WordPress websites to form a huge army for credential stuffing attacks, experts have warned.

A report from cybersecurity researchers Sucuri spotted the campaign, and believe they know what its goal is - namely looking for vulnerable sites from the website builder, where they can install a small script in the HTML templates. That script forces the website visitor’s computer to visit a different WordPress website (in the background, unbeknownst to the victim) and try to log in using different username and password combinations.

Once the victim cracks the login code, they would, still unaware, relay that information back to the attackers, and receive further instructions (another website to crack).

Building a base

Citing information from the HTML source code search engine, PublicHTML, BleepingComputer reported that there are currently more than 1,700 websites hosting this script, “providing a massive pool of users who will be unwittingly conscripted into this distributed bruteforce army.” Among the victims, the publication further reports, is the website of Ecuador’s Association of Private Banks.

Sucuri says it’s been tracking this threat actor in the past. Until now, the group used the same technique for a different purpose - to install the AngelDrainer malware. AngelDrainer is a piece of code that, as the name suggests, “drains” all of the funds a victim may have in their cryptocurrency wallets. To do that, the victim needs to connect their wallet (such as the MetaMask wallet, for example) to a crypto service. The group even built their own fake Web3 websites to get people to connect their wallets. 

The researchers aren’t certain why the group decided to pivot into credential stuffing. One explanation is that they’re building a bigger base of compromised sites that can then be used to launch more destructive attacks - such as wallet draining campaigns. 

"Most likely, they realized that at their scale of infection (~1000 compromised sites) the crypto drainers are not very profitable yet," Sucuri concluded. 

"Moreover, they draw too much attention and their domains get blocked pretty quickly. So, it appears reasonable to switch the payload with something stealthier, that at the same time can help increase their portfolio of compromised sites for future waves of infections that they will be able to monetize in one way or another."

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.