An ongoing malvertising campaign is targeting millions of WordPress sites

• A malvertising campaign against WordPress sites has been ongoing since July. It exploits vulnerabilities in WordPress plugins to gain control of websites.
• The campaign initially redirected users to malicious websites. It has now evolved to install backdoors in the compromised sites by creating a new user with admin privileges.

An ongoing malvertising campaign against millions of WordPress websites has been observed by researchers. This attack capitalizes on the vulnerabilities in the older plugins of WordPress to inject code in the compromised sites. It creates rogue WordPress admin accounts to gain complete control of the websites.

How does the attack work?

• Using vulnerabilities in certain old WordPress plugins, the threat actors plant scripts in the WordPress site.
• The script redirects users to malicious sites and displays unwanted pop-ups. When the user is in the redirected site, attackers introduce malicious droppers and create backdoors.
• This campaign has also recently evolved to create a new administrator with a JavaScript payload it delivers. A rogue admin with wpservices as name, wpservices@yandex[.]com as email address, and w0rdpr3ss as the password is created.
• With access to admin privileges in the compromised site, attackers can create a backdoor and perform other activities.

One IP address is behind most of the attacks

Researchers from Wordfence observed that the attacks were initially from multiple IP addresses. Later on, all the IP addresses stopped attacking except for one — 104[.]130[.]139[.]134, a Rackspace server that is believed to be hosting compromised websites.

How to protect your website from the attacks?

A report by Imperva states, “98% of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it — WordPress is open-source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.”

This means WordPress users and admins must ensure that the latest versions of plugins are installed on the websites. It is also recommended that WordPress admins enable two-factor authentication for an added layer of security.

According to John Opdenakker, an ethical hacker, “It’s certainly a good idea to use a web application firewall to help block cross-site scripting (XSS) attacks.”