Hackers Leverage WordPress Tools to Hawk Scams

If you visited a website in the past few days and were redirected to a page pushing sketchy “resources” or unwanted ads, chances are the site in question was 1) built with WordPress tools and 2) hacked.

Researchers from Sucuri, a GoDaddy-owned security vendor, revealed on Wednesday that the hackers behind a months-long campaign of injecting malicious scripts into WordPress themes and plugins with known security flaws were at work again.

It is important to note that these hacks involve themes and plugins created by thousands of third-party developers for the open source WordPress software, not WordPress.com, which offers hosting and tools for building websites. Automattic, the parent company of WordPress.com, is a major contributor to the software but does not own it.

According to Sucuri, 322 WordPress sites were compromised through vulnerable plugins and themes in this latest wave, although “the actual number of impacted websites is likely much higher.”

In April alone, hackers used this tactic to infect nearly 6,000 sites, said Sucuri malware analyst Krasimir Konov.

Sucuri noticed the intrusions last Monday while investigating WordPress sites whose owners complained about unwanted redirects. All of the websites shared a common problem, Konov explained: they contained malicious JavaScript hidden in their files and databases.

The JavaScript creates redirects that send users to a range of poison apples, including phishing pages and malware, the researcher explained. Worse, visitors might not even notice they are heading down the internet version of a dark and dangerous alley, because the redirect landing page looks innocent enough.

“This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they will be opted in to receive unwanted ads even when the site is not open – and the ads will appear to come from the operating system, not a browser,” Konov wrote.

If that wasn’t enough, Konov said push notification opt-in maneuvers are one of the most common ways for hackers to run tech support scams: pop-ups that appear out of nowhere telling you that your computer is infected and you need to call a phone number to get it fixed. Don’t do this. The Federal Trade Commission, which knows a scam when it sees one, helpfully points out that real security messages and warnings won’t ask you to call a phone number for technical help.
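The infection Sucuri describes above boils down to script tags injected into theme files and database fields (post content, widget text) that either pull a payload from an attacker-controlled host or carry an inline, often obfuscated, redirect. The following triage scanner is an added example written for this page, not Sucuri’s tooling or anything from the WordPress project: it walks a set of file and database artifacts, flags external script sources outside a hypothetical allowlist, inline scripts that use decoder calls to hide their target, and inline hard navigations to off-allowlist hosts. The allowlist hosts, the sample artifacts and the `.invalid` attacker domains are all constructed for the demonstration.

```python
"""Heuristic triage scanner for injected redirect scripts in WordPress
theme files and database fields (e.g. wp_posts.post_content, wp_options).
Added example: the allowlist and the sample artifacts below are constructed."""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.victim-site.example", "ajax.googleapis.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
ABS_URL = re.compile(r"""https?://[^\s'"<>]+""", re.I)

# Traits of inline redirect payloads: a hard navigation, and the decoder
# calls injections use to keep the destination out of a plain grep.
NAVIGATION = re.compile(
    r"\b(?:window|document|top|self)\.location(?:\.href|\.replace|\.assign)?\s*[=(]"
    r"|(?<![\w.])location\.href\s*=", re.I)
DECODER = re.compile(r"String\.fromCharCode|\batob\s*\(|\bunescape\s*\(|\beval\s*\(")


def scan_content(source, content, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for one file or database field as a list of dicts."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(content):
        src = SRC_ATTR.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append({"source": source, "reason": "external_script_src", "detail": host})
            continue  # external script: nothing inline to inspect
        if DECODER.search(body):
            findings.append({"source": source, "reason": "obfuscated_inline_script",
                             "detail": body.strip()[:60]})
            continue
        if NAVIGATION.search(body):
            for url in ABS_URL.findall(body):
                host = (urlparse(url).hostname or "").lower()
                if host and host not in allowed_hosts:
                    findings.append({"source": source, "reason": "inline_redirect", "detail": host})
                    break
            # A navigation whose target is computed rather than a literal URL is
            # not flagged here; diff such files against a known-good copy instead.
    return findings


def scan_all(artifacts, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Scan a mapping of {source label: content} and collect all findings."""
    findings = []
    for source, content in artifacts.items():
        findings.extend(scan_content(source, content, allowed_hosts))
    return findings


# Constructed sample artifacts standing in for a file/database export.
SAMPLE_ARTIFACTS = {
    # A post body with a script tag appended after the legitimate content.
    "wp_posts:id=17": "<p>Welcome to our shop.</p>\n"
                      "<script src='https://stat.tracker.invalid/track.js'></script>",
    # A theme footer carrying an obfuscated inline payload.
    "wp-content/themes/demo/footer.php": "<footer>&copy; demo</footer>\n"
        "<script>eval(String.fromCharCode(119,105,110,100,111,119));</script>",
    # A clean header: jQuery from an allowed host plus a benign inline script.
    "wp-content/themes/demo/header.php":
        '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>'
        "<script>document.getElementById('menu').classList.add('open');</script>",
    # A widget text field with a cookie-gated hard redirect to an off-allowlist host.
    "wp_options:widget_text": "<script>if(!document.cookie.includes('seen'))"
        "{window.location.href='https://click.tracker.invalid/?r='+Math.random();}</script>",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_ARTIFACTS):
        print(f"{f['source']}: {f['reason']} ({f['detail']})")
```

Run against a real site, the artifacts would come from the theme and plugin directories plus a dump of `wp_posts` and `wp_options`; the scanner is a first pass to find where to look, and a hit should be followed by comparing the file with the pristine release from WordPress.org, since an injection can also sit in code the heuristics do not cover.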

WordPress.com told Gizmodo on Thursday that plugins and themes are written and maintained independently outside of the core WordPress software. Regarding Sucuri’s report, the company said that any plugin or theme hosted on WordPress.org, the software’s website, “is regularly scanned for vulnerabilities.”

“If security issues are identified, plugin and theme authors are notified immediately. Specific to Sucuri’s report, any plugin that was not fixed was either shut down or not hosted on WordPress.org. WordPress.org also provides security resources for theme developers and plugin developers,” said a WordPress.com spokesperson. “For self-hosted sites, WordPress users are advised and encouraged to update the core software, plugins and default themes.”

Sites hosted on WordPress.com are also offered services that patch vulnerabilities like those referenced in the report, the spokesperson added.
