Thousands of WordPress (opens in new tab) websites were infected with an unknown malware variant, cybersecurity researchers from Sucuri have found.
The malware would redirect the visitors to a different website, where ads hosted on the Google Ads platform would load, bringing in profits for the website’s owners.
The Sucuri team found an unknown threat actor managed to compromise almost 11,000 WordPress-powered websites.
WordPress is the world’s most popular web hosting platform, and is generally perceived as secure. However, it also offers countless WordPress plugins, some of which carry high-severity vulnerabilities.
While the researchers could not pinpoint the exact vulnerability used to deliver this malware, they’re speculating that the threat actors automated the process and probably leveraged whatever known, unpatched flaws they could find.
The malware’s modus operandi is simple – when people visit the infected websites, they would get redirected to a different Q&A website which loaded ads located on Google Ads. That way, Google would essentially get tricked into paying the ad campaign owners for the views, unaware that the views are actually fraudulent.
Sucuri has been tracking similar campaigns for months now. In late November last year, the researchers spotted a similar campaign that infected roughly 15,000 WordPress sites. The difference between these two campaigns is that in last year’s one – the attackers didn’t bother hiding the malware. In fact, they did the exact opposite, installing more than 100 malicious files per website,
In the new campaign, however, the attackers went to great lengths to try and hide the existence of the malware, the researchers said. They also made the malware somewhat more resilient to counter-measures, remaining persistent on the sites for longer periods of time.
To protect against such attacks, the researchers said, it’s best to keep the website and all of the plugins up to date, and keep the wp-admin panel secure with a strong password and multi-factor authentication. Those that have already been infected can follow Sucuri’s how-to guide, should change all access point passwords, and place the website behind a firewall.