New Attack on WordPress Sites Redirects Traffic to Malicious URLs
Security consultants from Sucuri have disclosed these days associate in progress attack on WordPress sites that alters their ASCII text file and surreptitiously redirects users to malicious websites.
According to associate investigation by Sucuri’s John Fidel Castro Ruz, attackers square measure mistreatment vulnerabilities in older WordPress versions or WordPress plugins to achieve access to a website, and that they square measure then redaction the most theme’s header.php file by adding twelve lines of obfuscated code.
Sucuri says that, in some cases, the attackers managed to get the site’s admin credentials by different means that, and simply logged in via the site’s regular login page, accessed the WordPress inbuilt theme editor section, and additional the malicious ASCII text file by hand.
Some Joomla sites additionally affected
The security firm additionally points out that, besides WordPress, they’ve additionally seen this same malicious code additional to Joomla sites within the administrator/includes/help.php file. yet, the quantity of infected Joomla websites is way smaller.
Sucuri says the campaign remains in progress which, in associate earlier version, the crooks were adding an equivalent obfuscated code within the theme’s footer.php file.
After unpacking the malicious ASCII text file, the protection firm says the practicality they found is easy nonetheless effective. Crooks square measure telling every website to pick out incoming users with a fifteen % probability and direct them to a preset address. The malicious ASCII text file additionally sets a cookie within the user’s browser, that prevents from redirecting the user once more within the coming year.
The malicious sites square measure gateways to a lot of dangerous threats
Sucuri says these square measure mere gateways to different insecure domains. Once the user reaches these gateways, they are redirected to different and different a lot of dangerous sites. In one among st the cases discovered by Sucuri, users using net human were redirected to websites that pushed malware-infected downloads created to seem like authentic Adobe Flash or Java updates.
Jerome Segura of Malwarebytes additionally according that his company saw an equivalent entranceway domains direct users to technical school support scams.
At least 6,400 sites square measure infected
Because of varied PHP setups and a few unhealthy secret writing within the malicious PHP code, on some infected websites, the code generated a slip. Softpedia googled the error at the time of writing the article and discovered precisely half dozen,400 infected websites, albeit the important variety of infected WordPress installations is clearly higher.