Our remediation and research teams regularly find malicious redirects on client sites. These infections automatically send site visitors to third-party websites hosting malicious resources, scam pages or commercial websites, with the aim of generating illegitimate traffic.
As detailed in our latest Hacked Website Report, we have been tracking a long-running campaign responsible for injecting malicious scripts into compromised WordPress websites. The campaign exploits known vulnerabilities in WordPress themes and plugins and has impacted a huge number of websites over the past year. For example, according to PublicWWW, the April wave of this campaign alone was responsible for nearly 6,000 infected web pages.
Since these PublicWWW results only show detections for simple, unobfuscated script injections, we can assume the real scope is considerably greater.
We recently received reports from a number of clients complaining about unwanted redirects on their WordPress websites. Interestingly, these turned out to be linked to a new wave of this massive campaign, which sends website visitors through a series of redirects in order to serve them unwanted advertisements.
Once a website was compromised, the attackers attempted to automatically inject their code into .js files with jQuery in their file names. The injected code starts with “/* trackmyposs*/eval(String.fromCharCode…”: the real payload is stored as a list of character codes, converted back into a string at runtime and executed with eval, so the actual script never appears in plain text in the file.
Once deobfuscated, the true behavior of the injection emerged.
Malicious chain of redirects
To accomplish these redirects, the malicious injection creates a new script element with the legendarytable[.]com domain as its source.
The code served by legendarytable[.]com then calls a second external domain, local[.]followthedrake[.]com, which in turn loads a script from connections[.]followthedrake[.]com; that script redirects the site visitor to one of many different domains, including:
- pushnow[.]report/
At this point, anything goes. The domains at the end of the redirect chain can be used to load advertisements, phishing pages, malware or even further redirects.
From the site visitor’s perspective, they simply see an intermediate page before landing on the final destination.
This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they opt in to receiving unwanted ads even when the site is not open, and the ads appear to come from the operating system rather than the browser.
These sneaky push notification tricks are also one of the most common ways for attackers to display “tech support” scams, which tell users that their computer is infected or slow and that they should call a toll-free number to resolve the problem.
Client-side redirects are initiated by the site visitor’s browser once the infected web page has loaded. Since this particular infection lives on the client side, remote website scanners such as SiteCheck can fetch the page and identify this malware. Keep in mind that a remote scanner only sees what the site serves to it, so an injection that fires only for certain user agents, referrers or geographies may still require a server-side file scan to find.
Here is an example of a SiteCheck results page for this specific campaign.
At the time of writing, PublicWWW has reported 322 websites affected by this new wave of malware using the followthedrake[.]com domain. Since this number does not include obfuscated variants or sites that have not yet been scanned by PublicWWW, the actual number of affected websites is likely much higher.
Conclusion and Mitigation Steps
Our team has seen an influx of complaints about this specific wave of the massive campaign targeting WordPress sites, starting May 9, 2022; it has already affected hundreds of websites at the time of writing.
The attackers were found to target several vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the attackers to continue registering new domains for this ongoing campaign as soon as existing ones are blacklisted.
Website owners who have identified malware on their website can follow the instructions in our hacked WordPress cleanup guide – and, as always, we’re happy to help clean up an infection if you need a hand.