Outdated plugins become manna for online scammers
Attackers have taken control of more than 2,000 WordPress websites via unpatched and end-of-life plugins in order to redirect unsuspecting visitors to survey-for-gifts scam websites, new research has revealed.
In a blog post explaining his findings, Luke Leal of Sucuri said changes to home and siteurl defined in the wp_options table are “likely one of the first red flags of malicious behavior”.
Malicious redirect URLs were apparently hidden within UTF-16 code units rather than ASCII characters, using the ijmjg variable and the String.fromCharCode() function. Attackers also inserted comments in the /*someuselesstext*/ format as an evasion technique, further concealing the obfuscation.
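The following is an added example, not code from Sucuri's post: a small triage helper that strips the wedged /*...*/ comments, decodes any String.fromCharCode() argument list, and flags decoded URLs that point away from the site's own host. The injected snippet, the host names and the variable contents are constructed for illustration.

```javascript
// Constructed sample resembling the injected snippet described above:
// a variable holding UTF-16 code units, comments wedged between the
// arguments to break naive signature matching, then a redirect.
const SAMPLE =
  "var ijmjg = String.fromCharCode(104,/*x*/116,116,112,115,58,47,47," +
  "/*noise*/101,120,97,109,112,108,101,46,105,110,118,97,108,105,100," +
  "47,115,117,114,118,101,121);" +
  "window.location = ijmjg;";

// Remove block comments so the numeric argument list can be parsed.
function stripBlockComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Find every String.fromCharCode(...) call and decode its numeric
// arguments back into the string the attacker hid.
function decodeFromCharCode(src) {
  const clean = stripBlockComments(src);
  const re = /String\.fromCharCode\s*\(([^)]*)\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(clean)) !== null) {
    const codes = m[1].split(",").map(s => s.trim()).filter(Boolean).map(Number);
    // Only accept well-formed UTF-16 code units; anything else is not a payload.
    if (codes.length && codes.every(n => Number.isInteger(n) && n >= 0 && n <= 0xffff)) {
      decoded.push(String.fromCharCode(...codes));
    }
  }
  return decoded;
}

// Report decoded strings that parse as URLs and do not point at ownHost.
// ownHost is the hostname the site's home/siteurl should resolve to.
function findForeignRedirects(src, ownHost) {
  return decodeFromCharCode(src).filter(s => {
    try {
      return new URL(s).host !== ownHost;
    } catch (e) {
      return false; // not a URL, so not a redirect target
    }
  });
}

// Running the helper over the constructed sample for a site hosted on
// example.org (a placeholder) surfaces the hidden destination.
console.log(findForeignRedirects(SAMPLE, "example.org"));
```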
Attackers also uploaded ZIP files of fake plugin directories containing further malware via the /wp-admin/includes/plugin-install.php file and unzipped them into /wp-content/plugins/.
Leal said the two most common fake plugin directories to look out for were /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
The researcher has urged owners of WordPress sites to disable the modification of primary folders and referred them to Sucuri’s best-practice guidelines for WordPress security.
Leal believes the attack campaign, which appears to have peaked during the third week in January, still has momentum.
“We expect the attackers will continue to register new domains – or leverage existing unused domains – as more security vendors blacklist domains being used in this infection,” he said.
The Daily Swig has invited Sucuri to comment further on the findings.