WordPress sites under attack by ad-scam malware


A massive malware campaign is spreading through WordPress websites, according to Denis Sinegubko, a senior malware researcher at security firm Sucuri.

Affected sites have Trojan code injected into legitimate JavaScript files. The code runs on the computers of visitors and generates fraudulent advertising income for the perpetrators.

To avoid detection, the malware uses encrypted code that mutates between websites. Every variant attempts to inject an invisible iframe that hits an advertisement server through a domain created just for this purpose. The attacker takes care to infect only first-time visitors by setting a cookie that expires in 24 hours.

What sets this attack apart is the pervasiveness of the malware on the server: it infects all accessible JavaScript files on the hosting server. This means that multiple sites hosted on the same server or account – a common practice – could find themselves infected and re-infected.

"This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code," explained Sinegubko. "This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination."

"It's not enough to clean just one site or all but one in such situations – an abandoned site will be the source of the reinfection," according to Sinegubko. "In other words, you either need to isolate every sites [sic] or clean/update/protect all of them at the same time!"
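One way to check every site on a shared hosting account in a single pass, including abandoned ones, is to compare all JavaScript files against a known-good baseline. This is an added example, not code from Sucuri or the original article; the site directory names and the layout of one directory per site under the account root are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def snapshot(account_root):
    """Map every .js file under the hosting account to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(account_root):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    rel = os.path.relpath(path, account_root)
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def drift_by_site(baseline, current):
    """Group changed or new .js files by site (first path component)."""
    report = defaultdict(list)
    for rel, digest in sorted(current.items()):
        if baseline.get(rel) != digest:
            site = rel.split(os.sep, 1)[0]
            report[site].append(rel)
    return dict(report)


def demo():
    """Constructed account with two sites (assumed names); both drift."""
    sites = ("shop.example", "old-blog.example")
    with tempfile.TemporaryDirectory() as root:
        for site in sites:
            os.makedirs(os.path.join(root, site, "js"))
            with open(os.path.join(root, site, "js", "app.js"), "w") as fh:
                fh.write("console.log('ok');\n")
        baseline = snapshot(root)
        # Constructed drift: harmless placeholder text appended to each file.
        for site in sites:
            with open(os.path.join(root, site, "js", "app.js"), "a") as fh:
                fh.write("/* unexpected change */\n")
        return drift_by_site(baseline, snapshot(root))


if __name__ == "__main__":
    for site, files in demo().items():
        print(site, files)
```

Run `snapshot` against the account root rather than a single site's document root, so that a forgotten site sharing the account shows up in the same report.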

For more:
- check out this blog post at Sucuri
