Uncovered Tuesday by security researchers at Sucuri Inc., the hack exploits vulnerabilities in various third-party plugins, including Simple Fields and CP Contact Form with PayPal.
The hackers gain access through the plugins to inject JavaScript that loads redirect scripts for sites such as admarketlocation and gotosecond2 in the targeted site’s theme. The script doesn’t stop there, also making modifications to the existing WordPress theme files that allow for the injection of additional malware, including PHP backdoors and hack tools.
“We encourage website owners to disable the modification of primary folders to block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices,” the researchers said.
While only slightly over 2,000 hacked WordPress installations have been detected so far, the number is likely to rise, since vulnerabilities like those found in the two named WordPress plugins can also be found in other plugins. WordPress is the most popular content management system on the internet, powering 35% of all websites, so the potential scope of the campaign is much larger.
“WordPress plugins are another example of third-party risks to websites and have been a frequent target in the past,” Ameet Naik, security evangelist at bot protection startup PerimeterX Inc., told SiliconANGLE. “A single compromised plugin can infect tens of thousands of websites in one stroke, hence they remain a popular attack vector.”
The technique here is quite similar to those used in the Magecart attacks where additional scripts are loaded from malicious domains, he explained. “These scripts can perform any action ranging from hijacking the user to a scam site, or sniffing personally identifiable information from form fields,” he said. “Website owners must be cautious while using external plugins and ensure they stay up to date with security patches.”
Mike Bittner, associate director of digital security and operations at digital security firm The Media Trust, said that campaigns that redirect users of legitimate sites to scam sites underscore the problems with relying on digital third parties.
“While digital third parties provide much-needed support to websites that must meet the growing demands of website users, they also expose site owners and users to security and privacy risks,” Bittner noted. “The code they run on today’s websites lies outside the website owners’ perimeter. As a result, owners don’t know who’s running what code on their sites, and what impact this might have on users.”
Meanwhile, he added, bad actors are capitalizing on this growing reliance on these digital third parties, who often bring their software to market without much thought given to security and privacy. “While this arrangement may have worked in the past, the passage of the California Consumer Privacy Act has shaken up the industry with stiff penalties and private right of action in case of a breach,” he said. “The upshot is that companies can no longer take privacy and security lightly.”
New research has revealed that over 2,000 WordPress sites have been hacked as part of a campaign to redirect visitors to a number of scam sites that push unwanted notification subscriptions, fake surveys, giveaways and even fake Adobe Flash downloads.
The security firm Sucuri first discovered the hacking campaign when its researchers detected attackers exploiting vulnerabilities in WordPress plugins. According to the firm’s Luke Leal, CP Contact Form with PayPal and the Simple Fields plugins are being exploited but other plugins have likely also been targeted.
When an attacker exploits one of these vulnerabilities, it allows them to inject JavaScript that loads scripts from the sites admarketlocation and gotosecond2 directly into a site’s theme.
Once a visitor accesses a hacked site, the injected script will try to access two administrative URLs (/wp-admin/options-general.php and /wp-admin/theme-editor.php) in the background in order to inject additional scripts or to change WordPress settings that will also redirect visitors. However, these URLs require administrative access, so the background requests only succeed when the visitor is a logged-in administrator.
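The two indicators described above (an external script tag inserted into theme files, and inline script that reaches for /wp-admin/ URLs from the visitor's browser) can be checked for with a simple file scan. The following Python scanner is an added example written for this page; it is not Sucuri's tooling or code from either outlet. It assumes an allow-list of hosts the site legitimately loads scripts from, and the sample theme file, the `example-site.test` hosts and the `redirect-host.invalid` host are constructed placeholders, not the real domains named in the article.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts this (constructed) site is known to load scripts from. Anything else is suspect.
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Constructed sample of a theme header.php: one legitimate CDN script, one relative
# script, one injected external loader and one inline script probing admin URLs.
SAMPLE_HEADER_PHP = """<?php wp_head(); ?>
<script src="https://cdn.example-site.test/js/theme.js"></script>
<script src="/wp-content/themes/sample/main.js"></script>
<script type="text/javascript" src="//redirect-host.invalid/loader.js"></script>
<script>fetch('/wp-admin/options-general.php'); var p='/wp-admin/theme-editor.php';</script>
"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
ADMIN_PATH = re.compile(r"/wp-admin/[\w\-./]+")


def find_script_sources(text):
    """Return the src value of every <script> tag, in document order."""
    sources = []
    for attrs, _body in SCRIPT_TAG.findall(text):
        match = SRC_ATTR.search(attrs)
        if match:
            sources.append(match.group(1))
    return sources


def find_inline_admin_references(text):
    """Return /wp-admin/ paths mentioned inside inline (src-less) <script> bodies."""
    refs = []
    for attrs, body in SCRIPT_TAG.findall(text):
        if SRC_ATTR.search(attrs):
            continue  # external script; its source is judged by host instead
        refs.extend(ADMIN_PATH.findall(body))
    return refs


def scan_theme_file(text, allowed_hosts):
    """Flag scripts served from hosts outside the allow-list and inline admin-URL probes."""
    foreign = []
    for src in find_script_sources(text):
        # urlparse handles both absolute and protocol-relative (//host/path) sources.
        host = urlparse(src).netloc.lower()
        # A relative src has no host and is served by the site itself, so it is not judged.
        if host and host not in allowed_hosts:
            foreign.append(src)
    return {"foreign_scripts": foreign, "admin_references": find_inline_admin_references(text)}


def scan_theme_dir(theme_dir, allowed_hosts):
    """Scan every .php file under a theme directory; return only files with findings."""
    findings = {}
    for path in Path(theme_dir).rglob("*.php"):
        result = scan_theme_file(path.read_text(errors="replace"), allowed_hosts)
        if result["foreign_scripts"] or result["admin_references"]:
            findings[str(path)] = result
    return findings


if __name__ == "__main__":
    for key, value in scan_theme_file(SAMPLE_HEADER_PHP, ALLOWED_SCRIPT_HOSTS).items():
        print(f"{key}: {value}")
```

Run `scan_theme_dir("/path/to/wp-content/themes/yourtheme", ALLOWED_SCRIPT_HOSTS)` against a real theme to get a per-file report; any hit should be compared against a clean copy of the theme. The scan complements, rather than replaces, the hardening the article recommends: defining `DISALLOW_FILE_EDIT` as true in wp-config.php removes the built-in theme editor that the injected script tries to reach, so a compromised administrator session cannot rewrite theme files through it.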