Skip to main content

Thousands of WordPress sites hacked in scam campaign

(Image credit: Pixabay)

New research has revealed that over 2,000 WordPress sites have hacked as part of a campaign to redirect visitors to a number of scam sites which contain unwanted notification subscriptions, fake surveys, giveaways and even fake Adobe Flash downloads.

The security firm Sucuri first discovered the hacking campaign when its researchers detected attackers exploiting vulnerabilities in WordPress plugins. According to the firm's Luke Leal, CP Contact Form with PayPal and the Simple Fields plugins are being exploited but other plugins have likely also been targeted.

When an attacker exploits one of these vulnerabilities, it allows them to inject JavaScript that loads scripts from the sites admarketlocation and gotosecond2 directly into a site's theme. 

Once a visitor accesses a hacked site, the injected script will try to access two administrative URLs (/wp-admin/options-general.php and /wp-admin/theme-editor.php) in the background in order to inject additional scripts or to change WrodPress settings that will also redirect visitors. However, these URLs require administrative access so they will only work if an administrator is accessing the site.

Scam pages

The attackers have written their scripts so that visitors without administrative privileges will be redirected through a series of sites that will eventually lead them to various scam pages. These pages then tell users that they must subscribe to browser notifications in order to proceed.

Clicking on the allow button to enable notifications then redirects visitors to other scam sites pushing fake surveys, tech support scams and fake Adobe Flash Player updates.

Sucuri also discovered that the attackers had created fake plugin directories which are used to upload additional malware to the compromised sites. Leal provided further details on how the attackers created fake plugin directories in a blog post, saying:

“Another interesting find is the creation of fake plugin directories that contain further malware and can also be generated through the attacker’s abuse of /wp-admin/ features, namely uploading zip compressed files using the /wp-admin/includes/plugin-install.php file to perform the upload and unzipping of the compressed fake plugin into /wp-content/plugins/."

To see if your WordPress site has been hacked, Sucuri recommends using its free SiteCheck tool to scan for malicious content.

Via BleepingComputer