All compromises seem to follow a similar pattern –to load malicious code from a known threat actor– although the entry vector for all these incidents appears to be different.
Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.
When they gain access to a site, they plant a backdoor for future access and make modifications to the site’s code.
Malwarebytes security researcher Jérôme Segura said this malicious code filters users visiting the compromised sites and redirects some to tech support scams.
He says some of the traffic patterns seen during the redirection process match the patterns of a well-known traffic hijacker –known as EITest.
Security researchers from several organizations intervened in April to take down this network, but Segura’s finding reveals that some parts of the network have either survived, or its creators have started rebuilding their kingdom of badness.
Segura also said that some of tech support scams that users are landing on are using the “evil cursor” Chrome bug to prevent users from closing the malicious site’s tab, a trick that the researcher first spotted last week.
This WordPress site hijacking campaign appears to have started this month, according to Sucuri, and has intensified in recent days, according to Segura.
Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.
While Sucuri did not find confirm that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence’s telemetry.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout. If you’re looking to guest blog, please send an email here.