WordPress sites are suffering an ongoing malvertising campaign

WordPress sites are again under attack. WordFence: There is an ongoing malvertising campaign, causing victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations

WordPress sites are suffering a malvertising campaign that causes victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads. It was discovered by WordFence cyber security experts. By targeting a few recently disclosed WordPress plugin vulnerabilities, the attackers inject a JavaScript payload into the front end of a victim’s site. Each injection contains a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the victim website. When the third-party code executes in a visitor’s browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user.

The cyber security experts: Cybercrime is exploiting plugin vulnerabilities to launch attacks

According to the cyber security experts, NinTechNet last week disclosed a vulnerability in the Coming Soon and Maintenance Mode plugin for WordPress. Their report revealed that unauthenticated attackers could inject JavaScript payloads into a number of parameters on sites using vulnerable versions of the plugin. Shortly after the disclosure, WordFence identified a wave of attacks across their network. Using input routes intended for custom CSS styling, the attackers attempted to inject obfuscated JavaScript payloads on a large number of sites, which would trigger for any user visiting an affected site. Decoding the obfuscated script reveals that it simply points to another URL containing a different JavaScript payload. The URL being sourced is one of several associated with this campaign, most of which do the same thing: perform a basic JavaScript redirect to a domain responsible for determining where the traffic should ultimately end up.
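
A defender's check for the injection route described above, as an added example that is not code from WordFence, NinTechNet or the plugin: it flags markup in a stored custom-CSS value and lists script hosts in rendered HTML that are not on an allowlist. The function names, the allowlist and the example.* hosts are assumptions, and the sample inputs are constructed.

```javascript
// Added example: audit helper, not WordFence's or the plugin's own code.
// Assumption: the site owner maintains this list of expected script hosts.
const ALLOWED_SCRIPT_HOSTS = new Set(['www.example.com', 'cdn.example.net']);

// Markup that has no place in a CSS-only setting, with the reason it matters.
const CSS_FIELD_CHECKS = [
  [/<\s*\/\s*style/i, 'closes the surrounding <style> element'],
  [/<\s*script/i, 'opens a <script> element'],
  [/<\s*\w+[^>]*\son\w+\s*=/i, 'tag with an inline event handler'],
  [/javascript\s*:/i, 'javascript: URL'],
];

// Return the reasons a stored custom-CSS value looks like injected markup.
function auditCssField(value) {
  return CSS_FIELD_CHECKS.filter(([re]) => re.test(value)).map(([, why]) => why);
}

// List external script hosts in rendered HTML that are not on the allowlist.
function unexpectedScriptHosts(html, pageUrl) {
  const srcRe = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hosts = new Set();
  for (const m of html.matchAll(srcRe)) {
    const src = m[1] ?? m[2] ?? m[3];
    let host;
    try {
      host = new URL(src, pageUrl).hostname; // resolves relative and //host forms
    } catch {
      host = `(unparseable: ${src})`;
    }
    if (!ALLOWED_SCRIPT_HOSTS.has(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed samples: a clean CSS value, a tampered one, and a rendered page.
const cleanCss = 'body { background: #fff; } .notice { color: #333; }';
const tamperedCss = 'body{color:#333}</style><script src="//ads.example.org/x.js"></script>';
const renderedPage = `
  <script src="/wp-includes/js/jquery/jquery.js"></script>
  <script src="https://cdn.example.net/app.js"></script>
  <style>${tamperedCss}</style>`;

console.log(auditCssField(cleanCss));
console.log(auditCssField(tamperedCss));
console.log(unexpectedScriptHosts(renderedPage, 'https://www.example.com/'));
```

A payload that builds its script URL at runtime does not appear as a `src` attribute, so the stored-value check is the one to rely on for obfuscated injections.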

The malvertising campaign is ongoing and threat actors will be quick to leverage any similar XSS vulnerabilities that may be disclosed in the near future

WordFence cyber security researchers explain that when a visitor arrives at that address, the site responds with a different script based on the User-Agent string associated with the request. A cookie is also set in the redirected browser in order to track repeat users. The eventual destination sites vary in scope and intent. Some redirects land users on typical illegitimate ads for pharmaceuticals and pornography, while others attempt direct malicious activity against the user’s browser. Some of the redirect landing pages attempt to social engineer their victims into clicking various page elements. These attacks aren’t the first associated with this malvertising campaign. Several vulnerabilities disclosed over the past few months have been included in the attacker’s attempts to distribute these injections. In addition to the redirects, this campaign includes the ability to inject popup ads into victims’ sites. Furthermore, researchers believe the threat actors will be quick to leverage any similar XSS vulnerabilities that may be disclosed in the near future.
