
WordPress security flaw forces redirect to malicious websites

WordPress is experiencing yet another incident this month because of a security flaw. According to a report from researchers at Sucuri, malicious JavaScript is being injected into compromised WordPress sites. The JavaScript is injected into the theme's index.php file and forces a redirect to a malicious website. The website is part of what Sucuri calls a “survey-for-gifts scam” and uses the following domains: gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz. While those domains perform the redirect, Sucuri states that "statistic[.]admarketlocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer=" is loaded during the redirection process and ultimately delivers the malicious payload to the WordPress page.

This issue is affecting at least 2,000 WordPress websites, and that number is climbing quickly. Researchers have found that the initial infection is followed by further activity, largely driven by the JavaScript payload injected during the final stage of the redirection. Threat actors are then able to inject more malicious code into WordPress theme files, such as PHP backdoors and hack tools, to ensure that they maintain unmitigated access to the website.

To prevent this from occurring, Sucuri researchers recommend that website owners “disable the modification of primary folders to block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices.” Looking for the root cause of the infections, Sucuri also uncovered exploitation of “multiple plugin vulnerabilities, including vulnerable versions of Simple Fields and CP Contact Form with PayPal.”
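A defender-side check that covers both the injected-theme indicators described above and the folder-modification hardening Sucuri recommends, added here as an example that is neither Sucuri's nor WordPress's code: it scans a theme directory for script tags loading from the listed domains or for the se_referrer= parameter, and tests whether wp-config.php sets the WordPress DISALLOW_FILE_MODS constant. The theme files and config strings are constructed samples, and the hosts cdn.gotosecond2.com and example.invalid are made up for the demo.

```python
import re
import tempfile
from pathlib import Path

# Domains named in the Sucuri report (shown defanged with [.] in the article).
IOC_DOMAINS = ("gotosecond2.com", "adsformarket.com",
               "admarketlocation.com", "admarketresearch.xyz")
# Captures the host of a <script ... src="//host/..."> tag.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
# Tracking parameter the report says is loaded during the redirect chain.
SE_REFERRER_RE = re.compile(r"se_referrer=", re.I)
# DISALLOW_FILE_MODS is a real WordPress constant: when true, plugins and
# themes cannot be installed or edited from the dashboard.
FILE_MODS_RE = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_MODS['\"]\s*,\s*true\s*\)", re.I)

def is_ioc_host(host: str) -> bool:
    host = host.lower().split(":")[0]  # strip an explicit port
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_theme(theme_dir: Path) -> list:
    """(relative file, line no, reason) for each suspicious line in .php/.js."""
    findings = []
    for path in sorted(p for p in theme_dir.rglob("*") if p.suffix in (".php", ".js")):
        rel = path.relative_to(theme_dir).as_posix()
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            m = SCRIPT_SRC_RE.search(line)
            if m and is_ioc_host(m.group(1)):
                findings.append((rel, n, "script src on " + m.group(1).lower()))
            elif SE_REFERRER_RE.search(line):
                findings.append((rel, n, "se_referrer= parameter"))
    return findings

def file_mods_disabled(wp_config_text: str) -> bool:
    """True when wp-config.php defines DISALLOW_FILE_MODS as true."""
    return FILE_MODS_RE.search(wp_config_text) is not None

def demo() -> tuple:
    """Constructed theme: clean functions.php, index.php with two injected lines."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "sample")
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
        (theme / "index.php").write_text(
            "<?php get_header(); ?>\n"
            '<script src="//cdn.gotosecond2.com/r.js"></script>\n'
            "<?php echo '<a href=\"https://example.invalid/?track&se_referrer=\">x</a>'; ?>\n")
        weak = "define('WP_DEBUG', false);\n"          # no hardening constant
        hardened = weak + "define('DISALLOW_FILE_MODS', true);\n"
        return scan_theme(theme), file_mods_disabled(weak), file_mods_disabled(hardened)
```

Run scan_theme against wp-content/themes on a real install to list every matching line with its file and line number; a hit in index.php of the active theme is the pattern the report describes.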

Sucuri researchers warn that they “expect the attackers will continue to register new domains — or leverage existing unused domains — as more security vendors blacklist domains being used in this infection.” Given this, WordPress admins must take preemptive action to stop their website from joining the rapidly growing list of the infected. Until WordPress takes action and patches the associated security flaw, admins are on their own.

Featured image: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regards to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
