An ongoing malvertising campaign is targeting millions of WordPress sites
September 4, 2019 | Malware and Vulnerabilities
- A malvertising campaign against WordPress sites has been ongoing since July. It exploits vulnerabilities in WordPress plugins to gain control of websites.
- The campaign initially redirected users to malicious websites. It has now evolved to install backdoors in the compromised sites by creating a new user with admin privileges.
Researchers have observed an ongoing malvertising campaign against millions of WordPress websites. The attack capitalizes on vulnerabilities in older WordPress plugins to inject code into the compromised sites. It creates rogue WordPress admin accounts to gain complete control of the websites.
How does the attack work?
- Using vulnerabilities in certain old WordPress plugins, the threat actors plant scripts in the WordPress site.
- The script redirects users to malicious sites and displays unwanted pop-ups. Once the user is on the redirected site, attackers introduce malicious droppers and create backdoors.
- The campaign has also recently evolved: the JavaScript payload it delivers creates a new administrator account. The rogue admin is created with the name wpservices, the email address wpservices@yandex[.]com, and the password w0rdpr3ss.
- With access to admin privileges in the compromised site, attackers can create a backdoor and perform other activities.
One IP address is behind most of the attacks
Researchers from Wordfence observed that the attacks were initially from multiple IP addresses. Later on, all the IP addresses stopped attacking except for one — 104[.]130[.]139[.]134, a Rackspace server that is believed to be hosting compromised websites.
How to protect your website from the attacks?
A report by Imperva states, “98% of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it — WordPress is open-source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.”
This means WordPress users and admins must ensure that the latest versions of plugins are installed on the websites. It is also recommended that WordPress admins enable two-factor authentication for an added layer of security.
According to John Opdenakker, an ethical hacker, “It’s certainly a good idea to use a web application firewall to help block cross-site scripting (XSS) attacks.”
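
To check a site against the indicators reported above (the wpservices account and the 104[.]130[.]139[.]134 address), the following added example, which is not code from Wordfence or Cyware, scans a user export and access-log lines. It assumes the user list has the shape of `wp user list --format=json` output and that the log's first field is the client address; the sample data is constructed.

```python
import json

# Indicators as printed in the article (defanged); refanged only at match time.
ROGUE_LOGIN = "wpservices"
ROGUE_EMAIL = "wpservices@yandex[.]com"
ATTACKER_IP = "104[.]130[.]139[.]134"

def refang(value):
    return value.replace("[.]", ".")

def find_rogue_accounts(users_json):
    """Return (login, email, is_admin) for accounts matching the reported name or email."""
    hits = []
    for user in json.loads(users_json):
        login = str(user.get("user_login", "")).strip().lower()
        email = str(user.get("user_email", "")).strip().lower()
        roles = {r.strip().lower() for r in str(user.get("roles", "")).split(",")}
        if login == ROGUE_LOGIN or email == refang(ROGUE_EMAIL):
            hits.append((login, email, "administrator" in roles))
    return hits

def requests_from_attacker(log_lines):
    """Return access-log lines whose client address (first field) is the reported IP."""
    ip = refang(ATTACKER_IP)
    # Assumption: first field is the real client; behind a proxy, use the forwarded address.
    return [line for line in log_lines if line.split(" ", 1)[0] == ip]

# Constructed sample data, shaped like `wp user list --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com", "roles": "administrator"},
    {"ID": 7, "user_login": "WPServices", "user_email": refang(ROGUE_EMAIL), "roles": "administrator"},
    {"ID": 9, "user_login": "guestwriter", "user_email": "writer@example.com", "roles": "author"},
])

# Constructed access-log lines in combined log format; the third only mentions the IP in its URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Sep/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    refang(ATTACKER_IP) + ' - - [04/Sep/2019:10:01:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [04/Sep/2019:10:02:00 +0000] "GET /?ref=' + refang(ATTACKER_IP) + ' HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for login, email, is_admin in find_rogue_accounts(SAMPLE_USERS):
        print(f"rogue account: {login} <{email}> admin={is_admin}")
    for line in requests_from_attacker(SAMPLE_LOG):
        print("request from reported IP:", line)
```

A match on the account name or email is a sign of compromise even if the account is later renamed, so a hit warrants reviewing all administrator accounts and installed plugins, not just deleting the one user.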
