WordPress sites susceptible to database injection attacks

February 2, 2023
WordPress, CMS, Financial Malware, Website Protection, Database Injection, Cyberattacks, Vulnerability

A new cybercriminal operation exploits WordPress sites to redirect visitors to malicious websites such as adult dating pages, phishing pages, drive-by downloads, and tech support scams. The threat actors behind it evade detection by routing victims through multiple redirects and by mixing their malicious payloads in with legitimate-looking downloads.


Numerous WordPress sites became the vector for payload propagation.


Based on reports, there has been a surge in WordPress site infections linked to the malicious domain violetlovelines[.]com. The campaign has been running since last month, and a PublicWWW search shows that the injection is present on more than 5,600 websites.

The campaign has recently evolved, shifting from a fake CAPTCHA push-notification scam to black hat ad networks. These ad networks redirect unsuspecting users to a mix of legitimate, suspicious, and malicious websites, some of which attempt to deceive them into downloading malware.

This cybercriminal operation chains several stages: script injections into the compromised site, a redirect chain, ad networks, and a Traffic Direction System (TDS). The malware operators rely on common injection patterns, such as a plain script tag whose src points at an external attacker-controlled host, or an obfuscated inline JavaScript block hidden in the page content.
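The two injection patterns described above are what a site owner needs to hunt for in the WordPress database. The scanner below is an added example written for this page, not code from the article or from any WordPress project: it parses post bodies, flags external script tags whose host is not on the site's own allowlist, and flags inline scripts containing obfuscation markers that are common in injected loaders but rare in hand-written page scripts. The allowlist, the marker list, and the sample rows (including the attacker hostnames) are constructed assumptions for the demonstration; in practice the rows would come from a query such as the one in the docstring.

```python
"""Scan WordPress post content for injected <script> tags.

Added example for this article, not the article's or WordPress's own code.
Sample rows are constructed; a real run would feed it rows from e.g.
    wp db query "SELECT ID, post_content FROM wp_posts
                 WHERE post_content LIKE '%<script%'"
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "www.google-analytics.com"}

# Tokens that are rare in hand-written page scripts but common in obfuscated
# injections. A hit is a signal for manual review, not proof of compromise.
OBFUSCATION_MARKERS = (
    "String.fromCharCode", "eval(", "unescape(", "atob(", "document.write(",
    "\\x", "\\u00",
)


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._current_src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._current_src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._current_src, "".join(self._buf)))
            self._in_script = False


def scan_post(post_id, html):
    """Return findings as (post_id, kind, detail) tuples for one post body."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            # Relative paths (hostname None) are served by the site itself.
            host = urlparse(src).hostname
            if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
                findings.append((post_id, "external_script", host))
        else:
            hits = [m for m in OBFUSCATION_MARKERS if m in body]
            if hits:
                findings.append((post_id, "obfuscated_inline", ",".join(hits)))
    return findings


def scan_rows(rows):
    """Scan an iterable of (post_id, post_content) rows."""
    out = []
    for post_id, content in rows:
        out.extend(scan_post(post_id, content))
    return out


# Constructed sample rows: one clean analytics tag, one external loader on a
# hypothetical attacker subdomain, one obfuscated inline blob, one local script.
SAMPLE_ROWS = [
    (101, '<p>Hello</p><script src="https://www.google-analytics.com/analytics.js"></script>'),
    (102, '<p>Post</p><script src="//cdn.attacker-redirect.test/loader.js"></script>'),
    (103, '<div>x</div><script>var _0x=String.fromCharCode(118,105,111);eval(_0x);</script>'),
    (104, '<p>Clean</p><script src="/wp-includes/js/jquery/jquery.min.js"></script>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

The same scan should be run over wp_options (theme and widget settings) and over theme files on disk, since this family of injection is not limited to post content; the HTML parsing logic is unchanged, only the source of the rows differs.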

Subsequently, the injected code loads a script from an attacker-controlled subdomain, which in turn forwards the visitor to one of several domains belonging to the sketchy ad network or the TDS. The Traffic Direction System (TDS) effectively serves as an ad network fed by compromised WordPress websites, which belong to businesses in sectors such as eCommerce, cryptocurrency, news, games, and medications.
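When investigating a compromised site, the useful artefact is the full hop-by-hop chain from the attacker subdomain to the final landing page, since the intermediate TDS domains are what you block and report. The tracer below is an added example for this page, not the article's or any vendor's code. It follows HTTP 3xx Location headers one hop at a time, records every hostname crossed, and stops on a loop or a hop limit. The response table is constructed and offline, and every hostname in it is a placeholder rather than an observed indicator; to trace a live URL you would pass a fetch function that issues one request with redirects disabled (for example requests.get(url, allow_redirects=False)) and returns the status code and Location header. Note the caveat: JavaScript or meta-refresh redirects, which this kind of TDS also uses, are not HTTP redirects and will show up here as a 200 landing; those need a headless browser.

```python
"""Trace an HTTP redirect chain hop by hop and report where it lands.

Added example for this article, not code from the article or any vendor.
The chain is driven by a fetch callable so it can run offline against a
constructed table of responses.
"""
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10


def trace_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Follow 3xx Location headers from start_url.

    fetch(url) must return (status_code, location_header_or_None) for a single
    request made with automatic redirects disabled.

    Returns a dict with the ordered hops, the distinct hostnames crossed, the
    outcome ('landed', 'loop' or 'max_hops') and the final status code.
    """
    hops = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            return _result(hops, "landed", status)
        # Location may be absolute, scheme-relative (//host/...) or path-only.
        nxt = urljoin(url, location)
        if nxt in seen:
            hops.append(nxt)
            return _result(hops, "loop", status)
        seen.add(nxt)
        hops.append(nxt)
        url = nxt
    return _result(hops, "max_hops", None)


def _result(hops, outcome, final_status):
    hosts = []
    for h in hops:
        host = urlparse(h).hostname
        if host and host not in hosts:
            hosts.append(host)
    return {"hops": hops, "hosts": hosts, "outcome": outcome,
            "final_status": final_status}


# Constructed offline responses modelling the article's chain:
# attacker subdomain -> TDS entry point -> TDS landing page.
# Hostnames are placeholders, not observed indicators.
FAKE_RESPONSES = {
    "https://sub1.attacker-redirect.test/r": (302, "//tds.adnetwork-example.test/go?c=1"),
    "https://tds.adnetwork-example.test/go?c=1": (303, "/landing"),
    "https://tds.adnetwork-example.test/landing": (200, None),
    # A misconfigured or defensive loop, to exercise loop detection.
    "https://loop.test/a": (302, "/b"),
    "https://loop.test/b": (302, "/a"),
}


def fake_fetch(url):
    """Offline stand-in for a single HTTP request with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    r = trace_chain("https://sub1.attacker-redirect.test/r", fake_fetch)
    for i, h in enumerate(r["hops"]):
        print(f"{i}: {h}")
    print("outcome:", r["outcome"], "| hosts:", " -> ".join(r["hosts"]))
```

Because TDS operators key their decisions on the visitor's User-Agent, Referer and geolocation, a live trace should be run with a realistic browser User-Agent and the compromised site as Referer, and ideally from more than one network, or the chain will often end early at a benign page.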

These nuisance advertisements prompt users to download apps marketed as ad blockers, such as Crystal Blocker or Clean Blocker. In some instances, the adverts also push browser extensions such as Pureweb, Wind Blocker, PureTheWeb, and Quantum Ad Blocker.

Furthermore, these advertisements show site visitors fake browser update notifications styled after Microsoft Edge, Firefox, and Chrome.

The primary objective of these malicious advertisements is to spread malware that lets its operators steal saved credentials, hijack open browser sessions, and drain cryptocurrency wallets stored on infected computers.

In one reported case, the attackers delivered the Raccoon Stealer this way and went on to compromise the victim's Twitter, Substack, Discord, Gmail, and cryptocurrency wallet accounts.

The advert operators also buy paid advertising, funded through hijacked Gmail accounts and stolen credit card details, to lure users into downloading their malware.
