Outdated plugins become manna for online scammers

Attackers have taken control of more than 2,000 WordPress websites via unpatched and end-of-life plugins in order to redirect unsuspecting visitors to survey-for-gifts scam websites, new research has revealed.

Vulnerable plugins for the popular content management system include CP Contact Form with PayPal, a plugin with more than 3,000 active installations, and the now-discontinued Simple Fields.

The researcher who discovered the attacks found that malicious JavaScript had been injected into the theme's index.php file on compromised sites, triggering a chain of redirects to malicious domains.

In a blog post explaining his findings, Luke Leal of Sucuri said changes to home and siteurl defined in the wp_options table are “likely one of the first red flags of malicious behavior”.

The subsequent delivery of a second malicious JavaScript payload gave attackers a bridgehead for injecting additional malware, like PHP backdoors and hacktools, into other theme files to maintain persistent access to the infected website.

If the checkone() function finds that a site visitor has a “logged_in” cookie and is requesting the payload from within a /wp-admin URL, said the researcher, the JavaScript function location.replace is used to send the visitor to the malicious redirect URL stored in the ijmjg variable.

The malicious redirect URL was not stored as a plain ASCII string: the ijmjg variable held it as a list of UTF-16 code units that String.fromCharCode() reassembles at runtime. As a further evasion technique, the attackers padded the code with junk comments of the form /*someuselesstext*/ to break up the obfuscated call and hinder signature matching.
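As an added illustration, and not code from the Sucuri write-up or the campaign itself, the following Python helper reverses the two obfuscation tricks described above: it strips the junk /* … */ comments and decodes the String.fromCharCode() argument list back into the hidden string. The SAMPLE_JS snippet is constructed for this example and is not the real payload; the variable name ijmjg is the only identifier taken from the page, and the decoded URL is a placeholder.

```python
import re

# Constructed sample, modelled on the obfuscation pattern described above.
# It is NOT the real injected script; only the variable name ijmjg is taken
# from the research. The code units spell out https://example.invalid
SAMPLE_JS = (
    "var ijmjg = String/*junk*/.fromCharCode(104/*abc*/,116,116/*xyz*/,112,115,"
    "58,47,47,101/*q*/,120,97,109,112,108,101,46,/*zz*/105,110,118,97,108,105,100);"
    "location.replace(ijmjg);"
)

# Block comments used as padding between tokens; non-greedy so each one
# closes at the first */ rather than swallowing the rest of the line.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

# Matches String.fromCharCode( ... ) once the comments have been removed.
FROMCHARCODE_RE = re.compile(r"String\s*\.\s*fromCharCode\s*\(([^)]*)\)")


def strip_comments(js):
    """Remove /* ... */ padding so the call can be matched as one unit."""
    return COMMENT_RE.sub("", js)


def parse_code_unit(token):
    """Accept the decimal or hex numeric literals JavaScript allows here."""
    token = token.strip()
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def decode_fromcharcode(arg_list):
    """Rebuild the string JavaScript would produce from the code-unit list.

    String.fromCharCode() takes UTF-16 code units, so characters outside the
    BMP arrive as surrogate pairs; the encode/decode round trip joins them.
    """
    units = [parse_code_unit(t) for t in arg_list.split(",") if t.strip()]
    raw = "".join(chr(u) for u in units)
    return raw.encode("utf-16", "surrogatepass").decode("utf-16")


def extract_fromcharcode_strings(js):
    """Return every string hidden inside a String.fromCharCode() call."""
    cleaned = strip_comments(js)
    return [decode_fromcharcode(m.group(1)) for m in FROMCHARCODE_RE.finditer(cleaned)]


if __name__ == "__main__":
    for hidden in extract_fromcharcode_strings(SAMPLE_JS):
        print("hidden string:", hidden)
```

Comment stripping has to happen before the call is matched, because the padding can sit between String and .fromCharCode as well as between arguments; a signature that expects the literal text String.fromCharCode( will otherwise miss it.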

Attackers also uploaded ZIP files of fake plugin directories containing further malware via the /wp-admin/includes/plugin-install.php file and unzipped them into /wp-content/plugins/.

Leal said the two most common fake plugin directories to look out for were /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
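As an added example, and not a Sucuri tool or anything shipped with the write-up, the Python script below turns the indicators above into a local triage check: it looks for the two fake plugin paths, scans theme PHP files for a String.fromCharCode / location.replace injection, and compares the home and siteurl options with the expected origin (the early red flag noted earlier). The build_sample_site() helper creates a constructed, throwaway directory tree so the check runs offline; the theme name, the option values and the attacker host inside it are invented for the demonstration.

```python
import os
import re
import tempfile

# Fake plugin files named in the research, relative to wp-content/plugins/.
FAKE_PLUGIN_FILES = (
    "supersociall/supersociall.php",
    "blockspluginn/blockspluginn.php",
)

# Crude signature for the injected redirect code; tolerates the /* */ padding
# the campaign inserts between tokens.
INJECTION_RE = re.compile(
    r"String\s*(?:/\*.*?\*/)?\s*\.\s*fromCharCode|location\s*\.\s*replace",
    re.DOTALL,
)


def find_fake_plugins(root):
    """Return the known fake plugin files that exist under wp-content/plugins/."""
    plugins = os.path.join(root, "wp-content", "plugins")
    return [os.path.join(plugins, rel) for rel in FAKE_PLUGIN_FILES
            if os.path.isfile(os.path.join(plugins, rel))]


def find_injected_theme_files(root):
    """Return theme PHP files whose contents match the redirect signature."""
    hits = []
    themes = os.path.join(root, "wp-content", "themes")
    for dirpath, _dirs, files in os.walk(themes):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if INJECTION_RE.search(fh.read()):
                    hits.append(path)
    return hits


def check_site_urls(options, expected_origin):
    """Return the home/siteurl keys whose value no longer points at the site.

    `options` is a dict of wp_options values (e.g. collected with
    `wp option get home` / `wp option get siteurl`).
    """
    return [key for key in ("home", "siteurl")
            if options.get(key, "").rstrip("/") != expected_origin.rstrip("/")]


def triage(root, options, expected_origin):
    """Combine the three checks into one list of (kind, detail) findings."""
    findings = [("fake-plugin", p) for p in find_fake_plugins(root)]
    findings += [("theme-injection", p) for p in find_injected_theme_files(root)]
    findings += [("option-tampered", k) for k in check_site_urls(options, expected_origin)]
    return findings


def build_sample_site():
    """Create a constructed, throwaway WordPress-like tree for the demo."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    os.makedirs(theme)
    with open(os.path.join(theme, "index.php"), "w") as fh:
        # Injected redirect, padded with a junk comment like the campaign's code.
        fh.write("<?php get_header(); ?>\n<script>var ijmjg=String/*x*/.fromCharCode"
                 "(104,116,116,112);location.replace(ijmjg);</script>\n")
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php // clean file\n")
    fake = os.path.join(root, "wp-content", "plugins", "supersociall")
    os.makedirs(fake)
    with open(os.path.join(fake, "supersociall.php"), "w") as fh:
        fh.write("<?php // dropped by the campaign\n")
    return root


# Constructed wp_options values: siteurl has been repointed to an attacker host.
SAMPLE_OPTIONS = {
    "home": "https://shop.example",
    "siteurl": "https://redirect.invalid",
}

if __name__ == "__main__":
    site = build_sample_site()
    for kind, detail in triage(site, SAMPLE_OPTIONS, "https://shop.example"):
        print(f"{kind}: {detail}")
```

On a real site the two directory names are the cheap check; the theme scan is the one that catches variants, since the plugin names can change while the fromCharCode-and-location.replace pattern in a theme file is what actually performs the redirect.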

The researcher has urged owners of WordPress sites to disable the modification of primary folders and referred them to Sucuri’s best-practice guidelines for WordPress security.

Leal believes the attack campaign, which appears to have peaked during the third week in January, still has momentum.

“We expect the attackers will continue to register new domains – or leverage existing unused domains – as more security vendors blacklist domains being used in this infection,” he said.

The Daily Swig has invited Sucuri to comment further on the findings.
