Couldn't give a fsck about patching? Well, that's your WordPress website pwned, then

Fiends use vulns to lure victims into tech support scams

Website admins are urged to update their WordPress installations as soon as possible to the latest version following a rash of attacks exploiting known vulnerabilities in the web publishing software.

Researchers at Malwarebytes say miscreants don't appear to be targeting any one specific bug, but rather a full array of flaws in older versions of WordPress and its various plugins.

"During the past few days, our crawlers have been catching a larger-than-usual number of WordPress sites being hijacked," noted Malwarebytes researcher Jérôme Segura on Thursday.

"One of the most visible client-side payloads we see are redirections to tech support scam pages. Digging deeper, we found that this is part of a series of attacks that have compromised thousands of WordPress sites since early September."

According to Segura and researchers with Sucuri, the hackers have been exploiting flaws that allow them to inject malicious JavaScript code into pages, usually either inside an HTML header on a page or within the wp_posts table in the WordPress database.

From there, the nasty code loads when the WordPress site is accessed and redirects users to scam pages – most notably fake tech support sites and hard-to-remove "evil cursor" scareware screens.


Admins are being advised to check their pages for signs of the injected JavaScript and, if possible, figure out where the attack came from.

"Website owners affected by these attacks will have to perform a thorough cleanup of injected pages, databases, and backdoors," Segura explained.

"More importantly, they will need to identify the root cause of the compromise, which often times is an outdated WordPress installation or plugin."
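The check for injected JavaScript described above, sketched as an added example (not code from the article, Malwarebytes or Sucuri): it walks exported wp_posts content, or a rendered page header, and lists every script that is inline or loaded from a host outside an allowlist. The allowlist, sample rows and host names are constructed placeholders, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"cdn.example-blog.test"}  # assumption: hosts this site trusts

class ScriptCollector(HTMLParser):
    """Records each <script> element's src attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": dict(attrs).get("src"), "body": ""}
            self.scripts.append(self._open)  # recorded even if never closed
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = None

def find_suspect_scripts(html, allowed=ALLOWED_HOSTS):
    """Flag scripts loaded from unlisted hosts and any inline script body."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname  # None for same-site relative paths
            if host and host not in allowed:
                findings.append(("external", host))
        elif s["body"].strip():
            findings.append(("inline", s["body"].strip()[:40]))
    return findings

def scan_posts(rows):
    """rows: (ID, post_content) pairs as exported from wp_posts."""
    hits = {pid: find_suspect_scripts(body) for pid, body in rows}
    return {pid: f for pid, f in hits.items() if f}

# Constructed sample rows; the hosts are placeholders, not real indicators.
SAMPLE_ROWS = [
    (1, "<p>Hello</p><script src='/wp-includes/js/wp-embed.min.js'></script>"),
    (2, "<p>News</p><script src='https://cdn.example-blog.test/a.js'></script>"),
    (3, "<p>Sale</p><script src='//unlisted-host.invalid/x.js'></script>"),
    (4, "<p>Hi</p><script>window.location = '/placeholder';</script>"),
]
```

Inline findings are candidates for manual review rather than verdicts, since themes and plugins also emit inline scripts legitimately.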

WordPress is no stranger to large-scale attacks on its platform. The widely-used CMS is an attractive target for cybercriminals as its vulnerabilities most often provide an attacker with a way to covertly compromise sites and inject code for further attacks.

Earlier this year, fellow CMS vendor Drupal took its turn in the shooting barrel as attackers seized on a bug known as 'Drupalgeddon' to inject things like cryptocoin mining scripts into pages. ®
