A massive campaign is leveraging hacked WordPress sites to redirect victims to tech support scams, adult dating, phishing, or drive-by download attacks. The hackers behind it have made sure that their malicious payloads are hard to detect by means of multiple redirects and legitimate downloads.
A spike in the activity
According to Sucuri researchers, there has been a spike in WordPress website infections related to the malicious domain violetlovelines[.]com.
The campaign has been active since December 26, 2022, and PublicWWW results show over 5,600 websites impacted by it so far.
Recently, the campaign has evolved and gradually switched from fake CAPTCHA push notification scam pages to black hat ad networks.
These malicious ad networks redirect victims to legitimate, shady, or malicious websites and trick them into downloading malware.
Different levels of attacks
The campaign goes through different stages to deploy script injections, a Traffic Direction System (TDS), redirect chains, and ad networks.
Threat actors are using two common types of injections - a simple script tag injection or an obfuscated JavaScript injection.
The redirect leads to a script hosted on other attacker-operated subdomains, which, in turn, redirects to one of the multiple domains of the malicious ad network or the TDS.
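As an added illustration (not part of the original report or Sucuri's tooling), a small Python check that flags the two injection types described above in a page's HTML: a script tag whose host is the violetlovelines[.]com indicator or any host outside a site-specific allowlist, and inline scripts carrying common obfuscation markers. The allowlist, the obfuscation patterns and the sample pages are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Indicator domain from the Sucuri report (written defanged in the article).
KNOWN_BAD_HOSTS = {"violetlovelines.com"}
# Hosts this site legitimately loads scripts from (assumption: site-specific allowlist).
ALLOWED_HOSTS = {"cdnjs.cloudflare.com"}
# Markers common in obfuscated injected JavaScript (heuristic chosen for this example).
OBFUSCATION_RE = re.compile(r"String\.fromCharCode|\beval\s*\(|unescape\s*\(|\\x[0-9a-f]{2}", re.I)

class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def scan_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for injected scripts in an HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src if "//" in src else "//" + src).hostname
        if not host:
            continue  # relative path: script served by the site itself
        if host in KNOWN_BAD_HOSTS or any(host.endswith("." + b) for b in KNOWN_BAD_HOSTS):
            findings.append(("known-bad-host", src))
        elif host not in allowed_hosts:
            findings.append(("unexpected-host", src))
    for body in collector.inline:
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated-inline", body.strip()[:60]))
    return findings
# Constructed sample pages for the example, not captured from a real infected site.
CLEAN_PAGE = '<script src="https://cdnjs.cloudflare.com/x.js"></script><script src="/wp-includes/js/jquery.js"></script>'
INJECTED_PAGE = '<script src="//track.violetlovelines.com/t.js"></script><script>var a=["\\x68\\x74"];eval(String.fromCharCode(118));</script>'
```

Run it over saved theme or plugin output, or over fetched pages of your own site, and treat any `known-bad-host` hit as a confirmed compromise while reviewing `unexpected-host` and `obfuscated-inline` hits by hand.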
The TDS serves as an ad network for infected WordPress sites belonging to businesses such as games, news, eCommerce, medication, and cryptocurrency.
These unwanted adverts solicit users to download legitimate applications such as Clean Blocker and Crystal Blocker, or likely shady browser extensions such as PureTheWeb, Pureweb, Wind Blocker, and Quantum Ad Blocker.
Moreover, these adverts display fake browser update warnings for Firefox, Google Chrome, and Microsoft Edge to site visitors.
The ultimate goal
The end goal of these ads is to distribute malware to steal saved credentials, drain cryptocurrency wallets, and hijack open browser sessions on infected computers.
In one incident, threat actors distributed Raccoon Stealer and hijacked Twitter, Substack, Gmail, Discord, and cryptocurrency wallets.
Additionally, threat actors are actively using paid ads, often leveraging hijacked Gmail accounts and stolen credit card details, to trick users into downloading such malware.
Security tips
WordPress website owners and users are advised to look for any redirections through violetlovelines[.]com or to other unexpected domains. This campaign exploits a wide range of vulnerabilities in WordPress themes and plugins, so users are advised to patch known vulnerabilities as soon as possible.