Threat actors hijack outdated WordPress sites

Hundreds of compromised WordPress sites have been running malicious phishing adverts – with the code pretending to be legitimate plugins for the content management system, the Cybernews research team has learned.

Researchers at Cybernews got their first lead in December, during a routine scanning operation. It led to the discovery of an illicit money-making scheme that compromised hundreds of sites, using outdated versions or WordPress and employing lackluster security measures. The affected pages were then forced to run bogus ads linked to malicious sites.

To accomplish this, cybercriminals breached the websites using exploits or credential stuffing attacks. By injecting a PHP script, they turned the websites into command and control points, which served malicious advertisements when triggered by second-phase scripts or opened by a link.

Interestingly, Cybernews researchers found the malicious PHP scripts were all masquerading as legitimate plugins for the WordPress Content Management System (CMS).

“This particular piece of JavaScript code caught the team's eye because of heavy obfuscation and weird deployment conditions,” said Vincentas Baubonis of the Cybernews team. “Code obfuscation is a technique employed by legitimate developers and threat actors to prevent reverse engineering. In this case, it was used to reverse the actual payload for concealment of malicious code.”

Automated attacks were then launched against older versions of WordPress sites to insert references in their HTML to previously hacked command and control points by the inclusion of an obfuscated JavaScript code that triggered the tunnel of redirects.

It is thought that the first phase of all iterations of this attack compromised four WordPress sites that were used to host command and control scripts, while the second stage mostly targeted older versions ranging from 3.5.1. to 4.9.1.

In this way, our research team has discovered that the attackers successfully compromised at least 560 WordPress sites, forcing 382 of them to run malicious code. Fortunately, due either to mistakes or built-in security measures of the WordPress CMS, not all of the compromised websites earned revenue for the perpetrators.

Moreover, just seven in ten of the sites were found to be serving malicious ads, due to either technical reasons or built-in theme security that prevented the code from running in places where it was not supposed to run.

The most badly affected country was the US, which had 201 websites compromised, followed by France (62 websites), Germany (51 websites), and the UK (34 websites).

The three worst hit hosting providers were GoDaddy (42 websites), WebsiteWelcome (30 websites) and OVH ISP (27 websites). When the data was indexed by ISP, a slightly different picture emerged: OVH SAS topped the list with 55 websites hacked, with Unified Layer in second place (53 websites), and GoDaddy in third (43 websites).

Hacked websites infographic depicting information outlined in story

Tracing back the steps

“Our research began with a suspicious script that we were able to capture in the wild,” said Cybernews. “By investigating the payload we determined that this particular JavaScript code is embedded into the source of the attacked website. It then redirects unsuspecting users to a tunnel of advertisements and/or phishing pages, generating profit for the threat actors.”

Cybernews discovered the compromised WordPress and identified four different iterations of the attack, with the last malicious command and control script residing at “All of these contained different domains and some featured small differences in the malicious code,” it said. “However, we suspect that the result was always the same.”

Hacked websites infographic depicting information outlined in story

Careless hosting security

Cybernews researchers reported the compromised sites to service provider HostGator, which has since taken down the malicious code and likely informed website owners of the breach. The team suggested that more could have been done by the provider to help identify compromised sites and report them to owners, who in many cases were not being updated about newer versions – leaving them prone to breaches.

“It is important for hosting services to identify what is being hosted,” said a spokesperson for Cybernews. “Maybe more could be done by the provider to help identify the compromised sites and report them to the owner. The issue with Wordpress site owners is that in a lot of cases they are not being updated about newer versions, which makes them prone to breaches.”

“Why are old, vulnerable versions of WordPress even kept by hosting providers in their service lists and not updated by default?” Cybernews asked.

Older more vulnerable versions of WordPress had been retained in service lists, instead of being updated by default.

“Everybody who is tech-savvy enough knows that software versions that have reached end-of-life are insecure and pose a risk not only to their servers but to their users as well,” said Cybernews.

“We reported this case to the hosting provider of this website and it seems that the malicious script was taken down and the website which was running it was reset.”

Hacked websites infographic depicting information outlined in story

The hacker’s gift that kept on giving

Cybernews said the threat actors had taken a “really simple but interesting approach” to evade firewalls and other security measures.

“The payload responsible for these redirections was reversed, thus extending the lifetime of the attack and revenue generation,” it said. “What’s more, the code trigger was delayed and deployed at random times.”

Worse still, because the likelihood of a breach being triggered increased with every successful automated hack, the probability of malicious ads being served on infected sites increased exponentially.

But this attack vector, though potent, meant that it was easier to locate. This – along with the apparent carelessness of the threat actors – allowed the Cybernews team to conduct tracing to identify victims of the infected code.

“This approach of the threat actors and the decision to not check whether their malicious code was already included previously resulted in multiple failed hack attempts and a rather large digital footprint,” said Cybernews.


Norman Blake
prefix 2 years ago
This is nothing new. Outdated WordPress installs have been an easy target for the last decade!
Leave a Reply

Your email address will not be published. Required fields are markedmarked