Cybersecurity researchers from Malwarebytes have discovered a number of WordPress (opens in new tab) websites that were compromised and infected with a malicious plugin that quietly generates ad traffic.
In a blog post (opens in new tab) detailing their findings, it was said that a “few dozen” WordPress websites were breached, and whoever was behind the attack installed a backdoor called “fuser-master”.
Fuser-master is quite the piece of work. It first generates a specific URL, and if a user clicks it, they will be redirected to the legitimate blog, but with a popunder page. That popunder, purchased from a different page, will serve various ads.
Mimicking human behavior
The WordPress plugin will then mimic human behavior, scrolling through the page a bit, before clicking on an ad. If the user scrolls around, moves the mouse, or clicks anything, the plugin will stop its activity, further hiding its presence.
The popunder page was also said to be refreshing itself from time to time, loading additional ads in the process. What’s more, if the visitor closes the browser and sees the popunder, any movement activity will stop.
In total, Malwarebytes found 50 blogs compromised with fuser-master. One of the sites had some 4 million visits in January alone, the researchers further said, adding that the average visit duration in this period was almost 25 minutes.
Fuser-master’s authors went the distance trying to hide their identities. Not only is the plugin trying hard to hide, but it was impossible to find any references for the plugin, the author name, or a download site, anywhere. The only thing Malwarebytes’ researchers managed to find is one mention of a WordPress theme detector on themesinfo.com.
At first sight, most of the blogs there look legitimate. However, when a user enters the specific URL and other parameters, the site is turned into an ad fraud hub.