Thousands of WordPress sites backdoored with malicious code
Malicious code redirects users to tech support scams, some of which use new “evil cursor” Chrome bug.
All compromises seem to follow a similar pattern –to load malicious code from a known threat actor– although the entry vector for all these incidents appears to be different.
Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.
When they gain access to a site, they plant a backdoor for future access and make modifications to the site’s code.
Malwarebytes security researcher Jérôme Segura said this malicious code filters users visiting the compromised sites and redirects some to tech support scams.
He says some of the traffic patterns seen during the redirection process match the patterns of a well-known traffic distribution system used by several malware distribution campaigns.
Segura also said that some of tech support scams that users are landing on are using the “evil cursor” Chrome bug to prevent users from closing the malicious site’s tab, a trick that the researcher first spotted last week.
This WordPress site hijacking campaign appears to have started this month, according to Sucuri, and has intensified in recent days, according to Segura.
Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.
While Sucuri did not find confirm that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence’s telemetry.