Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages

January 25, 2023 | Ravie Lakshmanan | Website Security / WordPress


A massive campaign infected over 4,500 WordPress websites as part of a long-running operation believed to have been active since at least 2017.

According to GoDaddy-owned Sucuri, the infection involves the domain track[.]violetlovelines[.]com and is designed to redirect visitors to unwanted sites.

According to data from urlscan.io, the latest operation is said to have been under way since December 26, 2022. The previous wave, seen in early December 2022, affected more than 3,600 sites, while another series of attacks recorded in September 2022 hit more than 7,000 sites.

The malicious code was injected into the WordPress index.php file; Sucuri notes that it has removed such changes from over 33,000 files on compromised sites over the past 60 days.
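The root index.php of a stock WordPress install is a tiny file with exactly two statements, so a site owner can check it for injected code without a signature for any particular campaign. The following checker is an added example written for this article, not code from Sucuri or from WordPress; it assumes the two forms the core file has shipped with and uses a constructed sample injection.

```python
import re

# The only two statements a stock WordPress root index.php has contained
# (the modern __DIR__ form and the older dirname(__FILE__) form). Anything
# else left in the file after stripping comments is reported as injected.
ALLOWED_STATEMENTS = (
    re.compile(r"^define\(\s*'WP_USE_THEMES'\s*,\s*true\s*\)$"),
    re.compile(r"^require(?:_once)?\s*\(?\s*(?:__DIR__|dirname\(\s*__FILE__\s*\))"
               r"\s*\.\s*'/wp-blog-header\.php'\s*\)?$"),
)

def php_statements(source: str) -> list[str]:
    """Split a PHP file into statements with comments and whitespace removed.
    Good enough for the tiny core index.php; this is not a full PHP parser."""
    if not source.lstrip().startswith("<?php"):
        return ["<non-PHP content before the opening tag>"]
    body = source.lstrip()[len("<?php"):]
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)  # block comments
    body = re.sub(r"(?m)(//|#).*$", "", body)          # line comments
    body = body.replace("?>", "")                      # trailing close tag
    return [re.sub(r"\s+", " ", s).strip() for s in body.split(";") if s.strip()]

def find_injected_statements(source: str) -> list[str]:
    """Return every statement that does not belong to the stock index.php."""
    return [s for s in php_statements(source)
            if not any(p.match(s) for p in ALLOWED_STATEMENTS)]

# Constructed sample: the stock file, and a copy with one statement injected.
CLEAN_INDEX_PHP = """<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
"""
TAMPERED_INDEX_PHP = CLEAN_INDEX_PHP.replace(
    "<?php\n", "<?php\n@include '/tmp/CONSTRUCTED-placeholder.php';\n", 1)

if __name__ == "__main__":
    print("clean:", find_injected_statements(CLEAN_INDEX_PHP))        # []
    print("tampered:", find_injected_statements(TAMPERED_INDEX_PHP))  # one finding
```

Run it against `index.php` of each site you manage; an empty list means the file matches the stock content, and any reported statement is worth inspecting by hand.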

Sucuri researcher Denis Sinegubko said: “This malware campaign has gradually moved from the notorious fake CAPTCHA push notification scam pages to a network that alternates redirects to legitimate, sketchy, and purely malicious websites.”

Thus, when an unsuspecting user visits one of the hacked WordPress sites, a redirect chain is triggered through a traffic direction system that, ironically, sends the victim to a page serving sketchy advertisements for unwanted ad-blocking products.


To make matters worse, one such ad-blocker website, named Crystal Blocker, is designed to display misleading browser refresh alerts tailored to whichever web browser the visitor uses, tricking users into installing its extension.

This browser extension is used by approximately 110,000 users across Google Chrome (60,000+), Microsoft Edge (40,000+), and Mozilla Firefox (8,635).

“While the extension does have ad blocking functionality, there is no guarantee that it is safe to use, and it may include unpublished functionality in current versions or future updates,” Sinegubko explained.

Some redirects fall into the outright malicious category where infected websites act as conduits to initiate drive-by downloads.


This includes fetching information-stealing malware known as Raccoon Stealer from the Discord CDN. Raccoon Stealer can steal sensitive data such as passwords, cookies, browser autofill data, and crypto wallets.

This finding comes as attackers have been setting up look-alike websites for various legitimate software to distribute stealers and Trojans via malicious advertisements in Google search results.

Google has since blocked one of the fraudulent domains involved in the redirection scheme, classifying it as a dangerous site that installs “unwanted or malicious software on the visitor’s computer.”

To mitigate such threats, WordPress site owners are advised to change passwords, update installed themes and plugins, and remove any that are unused or have been abandoned by their developers.
