February 8, 2023

Researchers have shown how WordPress vulnerabilities can be used to compromise WordPress sites with multiple infections.

Researchers discovered a database injection in which two different pieces of malware were embedded together to achieve two entirely different goals. Both were found scattered across a WordPress database.

The first injection redirects users to a spammy sports website, whereas the second boosts the authority of a spammy casino website in search engines. About 270 websites were impacted by the first injection, and 82 by the second.

In the first injection, during the redirect process, the browser is instructed to wait for 60 seconds, after which it is redirected to the domain hxxp://redirect4xyz.

The users are then redirected again, this time to a spam domain, hxxp://pontiarmadacom, which has iframes that disseminate malware to clueless users.

The second injection’s domain, “hxxp://nomortogelkuxyz,” is a gambling casino site that boosts its authority in search engines. The attacker used a black hat SEO tactic, placing an invisible link throughout the compromised sites to improve the domain’s authority and make it appear genuine.

Both injections use the ‘.xyz’ domain extension, which attackers commonly use in such campaigns.

The presence of two different infections on the same website shows how attackers can disseminate various malware on the same site and how different bad actors can exploit a single flaw to infect the site.
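
A defender-side check for both injections described above, as an added example that is not code from the original research: it scans stored database fields for a delayed off-site redirect and for off-site links hidden from visitors. It assumes the 60-second wait is a `<meta http-equiv="refresh">` tag and that the invisible link is hidden with inline CSS; the rows, row ids and `.invalid` domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide content from visitors (assumed list, not from the report).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                          r"font-size\s*:\s*0(?![.\d])|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
REFRESH = re.compile(r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
VOID = {"meta", "br", "img", "input", "link", "hr"}  # tags that never get a closing tag

def _external(url, site_host):
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)

class InjectionScanner(HTMLParser):
    """Finds delayed off-site redirects and hidden off-site links in one stored field."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self._open = site_host, [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH.match(a.get("content", ""))
            if m and _external(m.group(2), self.site_host):
                self.findings.append(("delayed-redirect", int(m.group(1)), m.group(2)))
        # Hidden if this tag or any still-open ancestor carries a hiding style.
        hidden = bool(HIDDEN_STYLE.search(a.get("style", ""))) or any(h for _, h in self._open)
        if tag == "a" and hidden and _external(a.get("href", ""), self.site_host):
            self.findings.append(("hidden-link", None, a["href"]))
        if tag not in VOID:
            self._open.append((tag, hidden))

    def handle_endtag(self, tag):
        names = [t for t, _ in self._open]
        if tag in names:  # ignore stray closers; unclosed children go with the parent
            del self._open[len(names) - 1 - names[::-1].index(tag):]

def scan_rows(rows, site_host):
    """rows: (table, row_id, text) tuples; returns (table, row_id, kind, delay, url)."""
    out = []
    for table, row_id, text in rows:
        parser = InjectionScanner(site_host)
        parser.feed(text)
        out += [(table, row_id, *f) for f in parser.findings]
    return out

SAMPLE_ROWS = [  # constructed rows with placeholder domains, not data from the report
    ("wp_posts", 12, '<p>News</p><meta http-equiv="refresh" content="60; url=http://redirect-placeholder.invalid/">'),
    ("wp_options", 340, '<p><a href="https://partner.invalid/">Partner</a></p>'
     '<div style="position:absolute;left:-9999px"><a href="http://casino-placeholder.invalid/">slots</a></div>'),
]
```

Calling `scan_rows(SAMPLE_ROWS, "example.com")` reports the redirect and the hidden casino link but not the visible partner link; hiding done through an external stylesheet or script is outside what this check sees.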

To mitigate the threat:

  • Keep WordPress plugins, themes and software up to date by enabling auto-updates.
  • A WAF can block attacks caused by vulnerabilities and add another layer of protection for a vulnerable site.
  • Enable two-factor authentication to secure the WordPress admin accounts from unauthorized access.

This research was documented by researchers from Sucuri.
