Thousands of WordPress websites have been infected with an unknown malware variant, cybersecurity researchers at Sucuri have found.
The malware redirected visitors to another site where ads hosted on the Google Ads platform were loaded, bringing profit to the site’s owners.
The Sucuri team discovered that an unknown actor managed to compromise nearly 11,000 WordPress-based sites.
Redirected
WordPress is the world’s most popular hosting platform and is generally perceived as secure. However, it also offers countless WordPress plugins, some of which contain high-severity vulnerabilities.
Although the researchers were unable to pinpoint the exact vulnerability used to deliver this malware, they speculate that the cybercriminals automated the process and possibly exploited any known, unpatched vulnerabilities they could find.
The way this malware works is simple – when people visit infected websites, they are redirected to another Q&A site that loads ads found in Google Ads. In this way, Google would essentially be tricked into paying ad campaign owners for impressions, unaware that the impressions are actually fraudulent.
Sucuri has been tracking similar campaigns for months. In late November last year, researchers detected a similar campaign that infected around 15,000 WordPress sites. The difference between the two campaigns is that last year, the attackers didn’t bother to disguise the malware. In fact, they did the exact opposite, installing over 100 malicious files onto a website.
However, in the new campaign, the attackers went to great lengths to conceal the existence of the malware, researchers say. They also made the malware somewhat more resilient to countermeasures, so that it remains on compromised sites for longer periods of time.
The researchers said that to protect against such attacks, it is best to keep the website and all plugins up to date, and to secure the wp-admin panel with a strong password and multi-factor authentication. Those who have already been infected can follow Sucuri’s instructions: they should change the passwords for all access points and put the site behind a firewall.